
Session Help


RyanMinor


To my understanding, a session is created and then stored on the server with its assigned value and a unique id. So, if that is correct I should be able to somehow locate a particular session on the server based on its assigned value. Well, I was hoping to use this concept to keep multiple people from logging in under the same account at the same time.

I figured that I could check this in my login script by declaring the customer's id as the session value when they login. Then, I could check for a session variable equal to the customer's id when they try to login. My (untested) code is below. Am I going about this right, and how would I check to see if a user's session is currently set on the server?

 


<?php
// initiate session and redirect logged in users
session_start();
if(isset($_SESSION['customer_id'])) {
	header('location:my_videos.php');
	exit; // stop here so the rest of the script never runs for a logged-in user
}

// if login button was pressed
if(array_key_exists('login', $_POST)) {
	// initialize error array and check that user supplied a username and password
	$error = array();
	$username = trim($_POST['username']);
	$password = trim($_POST['password']);
	if(empty($username)) {
		$error['username'] = 'Please enter your username.';
	}
	if(empty($password)) {
		$error['password'] = 'Please enter your password.';
	}
	// if username and password supplied then proceed
	if(!$error) {
		// connect to the database
		require_once('includes/connect.php');
		// filter data for query
		$username = mysql_real_escape_string($username);
		$password = md5(mysql_real_escape_string($password));
		$queryUser = mysql_query("SELECT customer_id, customer_username, customer_password FROM customer WHERE customer_username = '$username' AND customer_password = '$password'", $connect) or die(mysql_error());
		$dataUser = mysql_fetch_assoc($queryUser);
		$rowsUser = mysql_num_rows($queryUser);
		// determine if the user is a valid customer
		if($rowsUser == 1) {
			$customerId = $dataUser['customer_id'];
			// see how many IP addresses the customer has used to login with in the past 24 hours
			$queryIP = mysql_query("SELECT COUNT(DISTINCT log_ip) AS ip FROM log WHERE log_customer_id = '$customerId' AND log_timestamp BETWEEN DATE_SUB(NOW(), INTERVAL 1 DAY) AND NOW()", $connect) or die(mysql_error());
			$dataIP = mysql_fetch_assoc($queryIP);
			if($dataIP['ip'] > 3) {
				// no exit here, otherwise the form never gets to display this error
				$error['ip'] = 'This customer account has reached the maximum number of IP addresses allowed. If you feel this is a system error please send us an email via the Contact Us form.';
			} else {
				// see if the customer is already logged in
				$queryLogged = mysql_query("SELECT customer_id, customer_logged_in FROM customer WHERE customer_logged_in = 1 AND customer_id = '$customerId'", $connect) or die(mysql_error());
				$rowsLogged = mysql_num_rows($queryLogged);
				if($rowsLogged == 1) { // if database shows the customer is already logged in
					// if there is also a session variable set that matches their customer id on the server
					if(isset($_SESSION['customer_id']) && $_SESSION['customer_id'] == $customerId) { // i need to somehow find this session value on the server first
						// this means the user is trying to login from two different locations
						header('location:bad_login.php');
						exit;
					// if no session variable for customer id is set on the server
					} else {
						// this means user lost connection without logging out
						// set a customer id session variable
						$_SESSION['customer_id'] = $customerId;
						// log customer activity
						$ip = mysql_real_escape_string($_SERVER["REMOTE_ADDR"]);
						$queryLog = mysql_query("INSERT INTO log (log_timestamp, log_ip, log_customer_id) VALUES (NOW(), '$ip', '$customerId')", $connect) or die(mysql_error());
						// send user to appropriate page (if a previous page session variable exists send them there)
						if(isset($_SESSION['previous_page'])) {
							header('location:video_info.php');
						// if not send them to the my_videos.php page
						} else {
							header('location:my_videos.php');
						}
						exit;
					}
				}
				// if database shows the customer is not logged in
				else {
					$_SESSION['customer_id'] = $customerId;
					$queryLogin = mysql_query("UPDATE customer SET customer_logged_in = 1 WHERE customer_id = '$customerId'", $connect) or die(mysql_error());
					$ip = mysql_real_escape_string($_SERVER["REMOTE_ADDR"]);
					// same log table and column as above (was log_member_id, which does not exist)
					$queryLog = mysql_query("INSERT INTO log (log_timestamp, log_ip, log_customer_id) VALUES (NOW(), '$ip', '$customerId')", $connect) or die(mysql_error());
					if(isset($_SESSION['previous_page'])) {
						header('location:video_info.php');
					} else {
						header('location:my_videos.php');
					}
					exit;
				}
			}
		// if there was no match found in the database
		} else {
			$error['login'] = "Incorrect username and/or password. If you do not have an account with us, please create one";
		}
	}
}
?>

https://forums.phpfreaks.com/topic/236742-session-help/

You are going about this in the correct fashion. A couple of points.

 

1. A session can be lost when a user closes their web browser, re-opens and then goes back to the same page, meaning they will have to re-login. One way to combat this is to set a cookie as well as session data when a user logs in. If the session is lost after a browser close, the cookie isn't, and this can be used to regenerate the session data.

 

2. When using sessions or cookies it is nice to add some security such as a hashed encryption string in with the session/cookie data. You have just used the customer's ID. If you were to store that in a cookie then it could easily be stolen, so, when a user logs in and you test their username/password, if it is correct make a hash of something and store it in the user's database table. When they log out destroy it from the database; after a period of inactivity destroy it also. Then on every page where a cookie or session is needed you can test the hash value against the customer's ID and the hash stored in the database, i.e.

 

/*
login successful
*/
$_SESSION['customer_id'] = $customer_id;
// assumes customer_name was put in the session when the credentials were verified
$_SESSION['customer_hash'] = md5($_SESSION['customer_name'].time());
/*
store the hash
*/
mysql_query("UPDATE customers SET customer_hash='".$_SESSION['customer_hash']."' WHERE customer_id='".$customer_id."'");
/*
redirect
*/
header('location:/my_videos.php');
exit();

 

On pages where you need to check the session is valid

 

if(isset($_SESSION['customer_id'], $_SESSION['customer_hash']) && strlen($_SESSION['customer_hash'])) {
	// the session is only trusted if its hash still matches the one stored for this customer
	$result = mysql_query("SELECT customer_id FROM customers WHERE customer_hash='".$_SESSION['customer_hash']."' AND customer_id='".$_SESSION['customer_id']."'");
	if(mysql_num_rows($result)) {
		header('location:/my_videos.php');
		exit();
	}
	/*
	session data is not valid
	*/
	header('location:/login.php');
	exit();
}

 

3. Always use the exit() function after any header redirect as in the above examples.
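The check the question asks about (is this customer already logged in from somewhere else?) and the per-login hash with logout and inactivity expiry recommended in the answer, worked through in one example. This is added code, not from either post: it assumes a customer table with customer_token and last_seen columns (names chosen here, not from the thread), uses PDO prepared statements against an in-memory SQLite database in place of the mysql_* calls, takes the username/password as already verified, and passes two arrays in as stand-ins for $_SESSION of two different browsers.

```php
<?php
// Added example (not from the thread): one live session per customer, via a random
// per-login token stored in the DB. PDO + in-memory SQLite so it runs from the CLI; the
// table and customer row are constructed here; $a and $b stand in for two browsers' $_SESSION.
const SESSION_TIMEOUT = 1800; // seconds of inactivity after which a stored token is stale
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, customer_token TEXT, last_seen INTEGER)');
$db->exec('INSERT INTO customer (customer_id) VALUES (42)'); // constructed sample customer

function fetchCustomer(PDO $db, int $customerId) {
    $stmt = $db->prepare('SELECT customer_token, last_seen FROM customer WHERE customer_id = ?');
    $stmt->execute([$customerId]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
// Called after username/password have been verified. Returns false when another session
// for this customer is still live (the concurrent-login case in the question).
function login(PDO $db, array &$session, int $customerId, int $now): bool {
    $row = fetchCustomer($db, $customerId);
    if ($row === false) { return false; }
    if ($row['customer_token'] !== null && $now - (int)$row['last_seen'] < SESSION_TIMEOUT) {
        return false; // someone holds a token and was active within the timeout
    }
    $token = bin2hex(random_bytes(16)); // unguessable, unlike the bare customer id
    $db->prepare('UPDATE customer SET customer_token = ?, last_seen = ? WHERE customer_id = ?')
       ->execute([$token, $now, $customerId]);
    $session = ['customer_id' => $customerId, 'customer_token' => $token];
    return true;
}
// Per-page check: valid only while the session's token matches the stored one and the
// customer has not been idle past the timeout; a valid hit refreshes last_seen.
function sessionIsValid(PDO $db, array $session, int $now): bool {
    if (!isset($session['customer_id'], $session['customer_token'])) { return false; }
    $row = fetchCustomer($db, $session['customer_id']);
    if ($row === false || $row['customer_token'] === null) { return false; }
    if ($now - (int)$row['last_seen'] >= SESSION_TIMEOUT) { return false; }
    if (!hash_equals($row['customer_token'], $session['customer_token'])) { return false; }
    $db->prepare('UPDATE customer SET last_seen = ? WHERE customer_id = ?')
       ->execute([$now, $session['customer_id']]);
    return true;
}
function logout(PDO $db, array &$session): void { // "destroy it from the database" on logout
    $db->prepare('UPDATE customer SET customer_token = NULL WHERE customer_id = ?')
       ->execute([$session['customer_id'] ?? 0]);
    $session = [];
}
// Walk-through: A logs in; B is refused while A is live; A keeps browsing; once A has been
// idle longer than the timeout B gets in, which leaves A's old token no longer matching.
$a = []; $b = []; $t = 1000000;
var_dump(login($db, $a, 42, $t), login($db, $b, 42, $t + 60), sessionIsValid($db, $a, $t + 120));
var_dump(login($db, $b, 42, $t + 120 + SESSION_TIMEOUT), sessionIsValid($db, $a, $t + 130 + SESSION_TIMEOUT));
```

In a real login script the `$session` arrays would be `$_SESSION`, and calling `session_regenerate_id(true)` right after a successful `login()` keeps the new token from riding on a session id that existed before authentication.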

https://forums.phpfreaks.com/topic/236742-session-help/#findComment-1217073