Hi Guys

New to PHP so stick with me.

I'm trying to create a simple login script that will grant a user access to content that is only viewable by those people who are logged in.

I'm ok doing the login part and authenticating the password etc. But once the user gets directed to the content page how can I ensure that only a registered user who is logged in sees that page? (probably missing something very obvious here). I've tried reading around but not found much on this specific question.

Should I set the user's username and password (which is encrypted) as session variables and authenticate them as the first stage of each page they visit? Or is there a better way of doing this?

Don't worry, not looking for you to write the code, just a description of the best way of doing it would be great!

Thanks,

Drongo

Link to comment
https://forums.phpfreaks.com/topic/235297-session-question/

Thanks

That makes a lot of sense.

If I wanted to track a specific user - let's say I wanted them to be able to post an entry on the site - would it be bad practice to use their username and/or their encrypted password as session variables to track them as them?

You could use $_SESSION['id'], which is a unique ID that you can assign each user that is registered. You can then use that to see if the session ID is set. If it isn't, you can use header() to redirect the unregistered users to the login/register page. Hope this helps

Link to comment
https://forums.phpfreaks.com/topic/235297-session-question/#findComment-1209178

That's great.

Out of interest. If I perform the check outlined above to see if session ID isset are there any potential security issues with just performing that check? Or should I also do additional checks?

Thanks for all your help btw guys!

I don't really see a reason to store their password in a session; a username is fine though, and track them through their user id and all should be fine ;).

Link to comment
https://forums.phpfreaks.com/topic/235297-session-question/#findComment-1209186

You can store their username in a session, yes... but you should make sure that each username is unique... or you can track them by their $_SESSION['id'] as well... whichever you prefer

Only if you've actually assigned the value of session_id() to $_SESSION['id'].

Link to comment
https://forums.phpfreaks.com/topic/235297-session-question/#findComment-1209192

When you do session_start() people get a session id. That is not enough. When the user completes the login process, then you should set a session variable. Frequently, people will set it to be the user table id, or something similar. Checking for the existence of that variable is a good way to ensure that people are actually logged in.

Link to comment
https://forums.phpfreaks.com/topic/235297-session-question/#findComment-1209197
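
An added example, not part of the original thread or any poster's code: the flow the answer above describes, where a session variable is set only after the password check succeeds and is tested at the top of each protected page. The function names, the `user_id` key, the `/login.php` path and the sample user are assumptions; regenerating the session ID at login goes beyond what the thread discusses.

```php
<?php
// Added example, not from the thread. find_user, log_in, require_login,
// the 'user_id' key and /login.php are hypothetical names for illustration.
declare(strict_types=1);

// Constructed sample user store; a real application would query its users table.
function find_user(string $username): ?array
{
    static $users = null;
    $users ??= [
        'drongo' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    return $users[$username] ?? null;
}

// Call only from the login form handler. Returns true when the credentials match.
function log_in(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Issue a new session ID at login so an ID handed out before login is not reused.
    session_regenerate_id(true);
    // Store only the user table id: never the password or its hash.
    $_SESSION['user_id'] = $user['id'];
    return true;
}

// Call at the top of every protected page, after session_start().
function require_login(): int
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit; // without exit the rest of the protected page would still run
    }
    return (int) $_SESSION['user_id'];
}

session_start();
// On the login handler:  log_in($_POST['username'], $_POST['password']);
// On a protected page:   $userId = require_login();
```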

That's great.

Out of interest. If I perform the check outlined above to see if session ID isset are there any potential security issues with just performing that check? Or should I also do additional checks?

Thanks for all your help btw guys!

You do not, as the variable is set by the PHP interpreter, so no security risk. ;)

Link to comment
https://forums.phpfreaks.com/topic/235297-session-question/#findComment-1209427