login to be passed between pages

[defeated]

I have a login script which is working beautifully.  It is for an in-house CMS so it loads a list of users from a mySql db and adds them to a select input in a form and then they just have to put in their password.

That then creates an id which is passed using the GET method...... not a good idea.  Now all anybody has to do to bypass the login is type in

..../CMS.php?ID=username

in the url. Doh!!!

Any suggestions of a better way of passing the login info?  Each user sees only info applicable to them on subsequent pages based on their login and info in the db pertaining just to them.

Hope that makes sense.

Ian.

[micah1701]

not sure if i'm following...

 

why not just use the POST method instead of get?

[priti]

i think you can use $_SESSION also

[defeated]

The login form action is POST. this is processed by a file called security.php which checks input against a table in mySQL which authenticates users and passwords. It then autodirects to the next page .. CMS.php passing on a variable that can be used in another mySql table to get content specific to a particular user. I don't think I can use post between Security.php and CMS.php because there is no form between the two. Am I being thick?

[redarrow]

use sessions defently take the id out off the url mate lol

[defeated]

is $_SESSION complicated?  I am at the limit of my abilities with what I'm doing.  I don't mind expanding my abilities but it has to be within reach of someone with little grasp of what they are doing. To put it in context.... I've been working on this site since September!  Granted I knew ABSOLUTELY nothing when I started but progress is slow. Don't want to get bogged down following an approach to this that I will get stuck in since I am already stuck with formmail with attachments and being stuck in two places at once would be nearly enough to make me give up! Nearly.

[micah1701]

at the top of the page put

 

<? session_start() ?>

 

then where it puts the value into the url change it to:

 

$_SESSION['variable_name'] = "value that was going into the Url";

 

 

on the next page, don't forget to put session_start() again at the top

 

then, where your current code says:

$var = $_GET['variable_name'];

change to

$var = $_SESSION['variable_name'];

[defeated]

Genius!!!! thanks a million.

[defeated]

It works like a charm!  Just one more question....

Do you have to end sessions or are they timed or what?

Don't think it's important.... just want to make sure it isn't.

[micah1701]

by definition, they are meant to only be temporary, unlike cookies.  The session is gone when the user closes their browser.  Also, your .ini configuration may set them to time out after 20 minutes or so of inactivity.

 

see also: http://us2.php.net/session

[priti]

It works like a charm!  Just one more question....

Do you have to end sessions or are they timed or what?

Don't think it's important.... just want to make sure it isn't.

 

I would say kindly destroy your session don't depend on timeouts if a user has logged in for 10 min work and he leave off the PC and another got a chance tolook in his account easily..... becos your will give user a sesible amount of time to work on your system hence once you think user will be done with work on logout button call session_destroy or unset your $_SESSION.

 

 

[defeated]

That sounds sensible! Will do.