Jump to content

managing session file separately to include in all file


michelle1404

Recommended Posts

After logging, session will start. So i have to manage sessions.php in all my other files to manage session . Here is my login file

<?php 
    if(isset($_POST['submit']))
    {
        include("connect.php");
        $user=mysqli_real_escape_string($con, $_POST['email']);
        $pass=mysqli_real_escape_string($con, $_POST['password']);
        $sql="SELECT * FROM users WHERE email='".$user."' AND password='".$pass."' ";
        $query=mysqli_query($con, $sql) or die(mysqli_error($con));
        $count=mysqli_num_rows($query);
        if($count==1)
        {   
            $row=mysqli_fetch_array($query);
            session_start();
            $_SESSION['user_id']=$row['uid'];
        }
        else {
            header("location:../index.php?error=1");
        }
        if(isset($_SESSION["user_id"])) {   
            header("location:../home.php");
        }
    }    
?>

And in sessions.php

<?php
    session_start();
    session_regenerate_id();
    if($_SESSION["user_id"]) 
    {
        include("connect.php");
        $m1 = "select * from users where uid='".$_SESSION['user_id']."'";
        $m2 = mysqli_query($con, $m1);
        $m3 = mysqli_fetch_array($m2);
        $_SESSION['username'] = $m3['fname'].' '.$m3['lname'];
    } 
    else 
    if(!isset($_SESSION['user_id']))
    {
        header("location:index.php");
    }
?>

As the session is started in login.php itself, i get error in sessions.php 'Session is already started'. But if i remove session_start();, it redirects to index.php (login form). I am confused.

can somebody help me in this? 

 i have other files like dashboard.php, home.php... in that how do i manage session?

Link to comment
Share on other sites

things you find yourself repeating in your code, should be 'factored out' and put at a common point, above where they are needed. DRY - Don't Repeat Yourself.

 

your main application code on any page should be responsible for starting sessions, creating a database connection, ... because it is your main application code that knows what will be accomplished on any page.

 

sessions and database connections are used for more then just identifying a user. the code that's handling the login form processing should only be concerned with processing the that form's data.

 

some other problems or things to do differently -

 

1) the login form processing (and login form) should only be executed if the current visitor is not logged in. to accomplish this, the code would need to check the user_id session variable. therefore, the session_start() would need to be above this point, not as part of the form processing code.

 

2) you should use 'require' for things that your code requires in order to work. include/require is not a function and the () around the filename just clutters up the code. KISS - Keep It Simple.

 

3) the passwords need to be hashed when stored in the database table. see php's password_hash() and password_verify() functions.

 

4) you need to use prepared queries when supplying data to an sql query statement. the various php  _escape_string() functions can allow sql special characters in the data to break the sql syntax (which is how sql injection is accomplished) if the character set that php is using when it applies the escaping is different from the character set of your database tables. using a (non-emulated) prepared query will eliminate any possibility of this problem, and actually simplifies the sql query syntax, while only adding one line of php code per query (assuming you are using the much simpler to use php PDO extension. the php mysqli extension requires more statements and and is inconstant compared to the PDO extension.)

 

5) you shouldn't output the raw database errors to the visitors to a site. exceptions should be used to handle database errors and let php catch the exceptions, where it will use its error_reporting, display_errors, and log_errors settings to control what happens with the actual error information. when learning, developing, and debugging code, you would display all errors. when on a live server, you would log all errors.

 

6) the header() redirects need exit; statements after them to stop program execution. your current code will allow access to any of the protected pages just by ignoring the redirect.

 

7) the main purpose of the code in sessions.php is to retrieve the user's data (and any user permissions?) if the current visitor is logged in. that's all it should do and the file should be named as to its purpose. you should use isset() around the first session variable test, so that no errors are produced when the visitor isn't logged in. the user data should actually be stored in a non-session variable, so that it won't accidentally persist on a page where you haven't used the sessions.php code.

Link to comment
Share on other sites

8) you need to validate all input data before using it. if either the email or password values are empty, is there any point in running the rest of the login code? if you use an array to hold validation error messages, the array is also an error 'flag'. if the array is empty(), there are no errors. if the array is not empty(), there are errors. to display the errors when you re-display the form (assuming the form is on the same page as the form processing code), just loop over the array and output the errors with the styling you want.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.