JeBu, posted July 27, 2007

```php
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Simple login system</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<div id="main">
<div id="header">
<form action="" method="POST">
    <label for="kasutaja">User:</label>
    <input type="text" name="kasutaja" id="kasutaja" />
    <label for="parool">Pass:</label>
    <input type="password" name="parool" id="parool" />
    <button type="submit" name="login">Login</button>
    <?php
    if ( isset($_SESSION['logged_user']) ) {
        echo "<button type=\"submit\" name=\"logout\">LogOut</button>";
        echo "Logged in: <b>".$_SESSION['logged_user']."</b>";
    } else {
        echo "Welcome, guest";
    }
    ?>
</form>
<?php
if ( isset($_POST['login']) ) {
    if( (!empty($_POST['kasutaja'])) && (!empty($_POST['parool'])) ) {
        $db_addr = "localhost";
        $db_user = "root";
        $db_pass = "";
        $db_name = "membership";
        $user = $_POST['kasutaja'];
        $pass = $_POST['parool'];
        $con = mysql_connect($db_addr, $db_user, $db_pass) or die( mysql_error() );
        mysql_select_db($db_name) or die( mysql_error() );
        $query = "SELECT userNames,passWords FROM accounts";
        $selected = mysql_query($query) or die( mysql_error() );
        while( $account = mysql_fetch_array($selected) ) {
            if (($user==$account['userNames']) && ($pass==$account['passWords'])) {
                $_SESSION['logged_user'] = $user;
                break;
            }
        }
    }
}
?>
</div>
</div>
</body>
</html>
```

Okay, I've got a robust login system here, but there are some problems. For example, when I enter the correct username and password and hit "Login", it registers a $_SESSION variable named 'logged_user'. But the username will be visible after I hit the login button and refresh the page. I'd like to make a "normal" login system where I click "Login" and it logs in. That means I have to rebuild the system, but how?

--It's my first login system, so it may seem quite weird.

--Second problem: how do I build a LogOut button?

Thanks

hvle, posted July 27, 2007

You can store a boolean variable in $_SESSION to indicate whether the user is logged on or off. This method is easy but not very secure. A better way to implement a log in and log out system is to store user information in a database, a session database with all sensitive data.

JeBu (Author), posted July 27, 2007

> A better way to implement a log in and log out system is to store user information in a database, a session database with all sensitive data.

What should it look like?

Foser, posted July 27, 2007

Just destroy all sessions like this:

```php
session_destroy();
```

JeBu (Author), posted July 27, 2007

> Just destroy all sessions like this: session_destroy();

Yes, I know that, but how do I write it properly so that I don't have to refresh my browser to see the results?

ignace, posted July 27, 2007

I'm gonna answer a lot more than you originally asked for (don't know if this is a good thing though):

First of all, I do not recommend using sessions like they were originally implemented, but using a db instead. That is much easier using the session_set_save_handler() function implemented in PHP (dl: http://www.php.net/manual/en/function.session-set-save-handler.php). You will still be able to use the session_* functions as you would normally afterwards, but your application would be much more secure.

Also, you are using the following query:

```php
SELECT username, password FROM accounts
```

or something along those lines. Afterwards you do something like:

```php
if ($user==$row['username'] && $pass==$row['password'])
```

I know where you are pushing to, but then I would suggest using:

```php
// Escape the user-supplied name before it goes into the quoted SQL literal.
sprintf("SELECT username, password FROM accounts WHERE username = '%s'", mysql_real_escape_string($user));
```

sprintf (if not familiar): http://www.php.net/manual/en/function.sprintf.php

Because your situation would go through the complete table (which MySQL also does) until it reaches the row which contains the username & password as requested. Not a problem if you only have 2 rows, but imagine a few million, and you happen to be the latest registered user... By the time the user is logged in he would be reaching his 99th birthday (just joking). So make sure you at least narrow it down by using at least a WHERE clause. Afterwards you check if the provided password equals the one stored in the database; however, make sure the password stored is encrypted.

Useful encryption links:

http://www.php.net/manual/en/function.md5.php (32 character length)
http://www.php.net/manual/en/function.sha1.php (40 character length, recommended)

Check if it equals using:

```php
if (sha1($pass) == $row['password'])
```

Now for your question on how to build a logout button: it is quite simple, you just check if the user is logged in, like you already did. There are more advanced ways, so go ahead and have a look at http://pear.php.net/package/Auth; documentation can be found here: http://pear.php.net/package/Auth/docs

Hope it helps,
ignace
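
The login and logout flow discussed above, as an added example that is not code from any poster in this thread: the POST is handled before any HTML is sent and followed by a redirect, so the page shows the new state without a manual refresh. It uses a PDO prepared statement in place of sprintf() and password_hash()/password_verify() in place of the SHA-1 comparison. Assumptions: PHP 8 with PDO, the file is saved as login.php, the `app_user` credentials are placeholders, and `accounts.passWords` stores password_hash() output.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 with PDO, that this file is
// saved as login.php, and that accounts.passWords holds password_hash() output.
session_start();
$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['logout'])) {
        // Log out: empty the data, expire the cookie, destroy the server-side record.
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    } elseif (isset($_POST['login']) && is_string($_POST['kasutaja'] ?? null)
              && is_string($_POST['parool'] ?? null)) {
        // Placeholder credentials: use a dedicated low-privilege DB account, not root.
        $pdo = new PDO('mysql:host=localhost;dbname=membership;charset=utf8mb4',
                       'app_user', 'app_password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        // WHERE clause with a bound parameter: one row fetched, input never spliced into SQL.
        $stmt = $pdo->prepare('SELECT userNames, passWords FROM accounts WHERE userNames = ?');
        $stmt->execute([$_POST['kasutaja']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row && password_verify($_POST['parool'], $row['passWords'])) {
            session_regenerate_id(true);  // fresh session id once the user is authenticated
            $_SESSION['logged_user'] = $row['userNames'];
        } else {
            $error = 'Invalid user name or password.';
        }
    }
    if ($error === '') {
        // Redirect after POST so the next page load already shows the new state.
        header('Location: login.php');
        exit;
    }
}
?>
<form action="" method="post">
<?php if (isset($_SESSION['logged_user'])): ?>
    Logged in: <b><?php echo htmlspecialchars($_SESSION['logged_user'], ENT_QUOTES, 'UTF-8'); ?></b>
    <button type="submit" name="logout">LogOut</button>
<?php else: ?>
    <label for="kasutaja">User:</label> <input type="text" name="kasutaja" id="kasutaja" />
    <label for="parool">Pass:</label> <input type="password" name="parool" id="parool" />
    <button type="submit" name="login">Login</button>
    <?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?>
<?php endif; ?>
</form>
```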

JeBu (Author), posted July 27, 2007

Thanks, ignace, your post was very helpful, but I don't understand what session_set_save_handler() is all about. As far as I know at the moment, it is used to store session variables in a db, but nothing further. Could anyone give me an article about the session_set_save_handler() function? (Those functions don't make sense to me at the moment.)