Php sessions? I have created a login script. How do I use sessions to go with that?

Hi all. I have created a login script called login.php. If the login goes through, I can access member.php; otherwise, I cannot.

But I can access member.php directly. How can I use sessions to prevent this?

<?php

include $_SERVER['DOCUMENT_ROOT'] . '/inc/db.php';

try {
    $results = $pdo->query("SELECT * from user");
    $user = $results->fetch(PDO::FETCH_OBJ);
}
catch (PDOException $e) {
    echo "Error. Please contact system admin";
    die();
}

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    if ($username == $user->username && $password == $user->password) {
        include 'member.php';
        exit();
    }
    else {
        echo 'Username or password incorrect.';
    }
}

?>

<style>
li {list-style:none;}
</style>

<div class="login-box">

<form action="" method="post">
<ul>
<li><label for="username">Username: <input type="text" name="username"/></label></li>
<li><label for="password">Password: <input type="password" name="password"/></label></li>
<li><input type="submit" name="login" value="Login"/></li>
</ul>
</form>

</div><!-- end login box -->

member.php just has a simple Hello as of now, but it will have access to the entire backend. How do I use sessions in this situation?

Add this to the beginning of both of your files:

session_start();

In login.php, once you have checked that the login and password are correct, set a flag in the session:

$_SESSION['is_logged'] = true;

In member.php, check this flag:

if (empty($_SESSION['is_logged'])) { exit; }

And I'd recommend not including member.php after logging in, but redirecting to it instead:

header('Location: member.php');

In that case the user will be able to refresh the page without questions from the browser ("do you want to send the form again…").
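Putting the steps above together, as an added example that is not part of the original reply: a small auth.php (the filename is an assumption) that login.php, member.php and logout.php would each require_once. It assumes PHP 5.4 or later (for session_status()) and nothing about the database layer.

```php
<?php
// auth.php (assumed filename): shared session helpers for login.php, member.php and logout.php.
// Added example, not code from the thread.

// Start the session once, with cookie flags that keep the session id out of reach of
// page scripts (HttpOnly) and off plain HTTP when the site is served over HTTPS.
function start_secure_session()
{
    if (session_status() === PHP_SESSION_NONE) {
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        session_set_cookie_params(0, '/', '', $secure, true); // lifetime, path, domain, secure, httponly
        session_start();
    }
}

// Call after the credentials have been verified. Issuing a fresh session id means a session
// that already existed before login (possibly handed to the browser by someone else)
// never becomes the authenticated one.
function mark_logged_in($username)
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION['is_logged'] = true;
    $_SESSION['username']  = $username;
}

// Put at the top of every members-only page. Visitors without the flag are sent to the
// login page and the script stops, so nothing below this call is ever output to them.
function require_login($loginPage = 'login.php')
{
    start_secure_session();
    if (empty($_SESSION['is_logged'])) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// Full logout: clear the data, expire the cookie, destroy the server-side record.
// session_destroy() alone leaves $_SESSION populated for the rest of the request,
// which is why the array is emptied first.
function logout()
{
    start_secure_session();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/* How the three pages use it (each file starts with require_once 'auth.php';):

   login.php   - after the username/password check succeeds:
                     mark_logged_in($username);
                     header('Location: member.php');
                     exit;
   member.php  - first statement after the require:
                     require_login();
   logout.php  -     logout();
                     header('Location: index.php');
                     exit;
*/
```

The redirect-after-login in login.php also solves the "resend form?" prompt mentioned above, because the page the browser ends up on was reached with GET, not POST.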

Thanks. I've managed a little with regards to the session_start() function. Now how do I destroy this session?

I've got a logout.php page and it has the code:

session_start();

session_destroy();

header ("Location: index.php");

But I'm not getting logged out. I have a script on the index page right at the beginning that says:

if ($_SESSION['is_logged'] = true) {
    header ("Location: member.php");
    exit();
}

And I end up right on the member page instead of the rest of the code with the username and password loading on the index page. I believe the logout page has effectively destroyed the session?

You don't need to destroy the session.
You just want to remove your flag:

unset($_SESSION['is_logged']);

There should be == (equal sign twice).

You might want to do this:

$_SESSION['user'] = $user;

That is, after you have verified (login) the user's credentials: unset($user->password);

Then all you have to do, either in a config.php or a utilities.inc.php file, is the following:

/* Sets up a session variable for a person who logs in. */
$user = isset($_SESSION["user"]) ? $_SESSION["user"] : NULL;

That way, all you would have to do is something like the following:

if ($user) {
  echo 'Welcome ' . $user->username . '!';
} else {
  echo 'Please Register to this fine place';
}

Hi,
You should use the PHP function md5() to scramble passwords and only store scrambled passwords in the db. Then just scramble the password the user inputs using md5() and compare that to the scrambled password in the db. This way, if the db gets compromised, no one will be able to get the actual users' passwords.
Kevin Yank's SitePoint book 'PHP and MySQL: Novice to Ninja' does a great job explaining all about sessions and setting up a login, and also allocating privileges to users and using them on your site. Includes examples too.

md5 is no good for hashing passwords as it has been rainbow-tabled to death. What version of PHP are you using? If you're using version 5.5 then there's a group of functions available that will help with hashing.

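An added example (not from the thread, nor from the book mentioned above) of the PHP 5.5 password functions referred to in the last reply: password_hash() when a user registers, password_verify() when they log in, and a lookup by username with a prepared statement instead of fetching the first row of the table. It assumes a `$pdo` connection like the one inc/db.php provides and a `user` table with `username` and `password_hash` columns; the `password_hash` column name is an assumption, since the thread's table only shows `password`.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.5 and a `user` table with
// columns `username` and `password_hash` (assumed name).

// Registration: never store the plaintext. password_hash() picks a random salt and a slow
// algorithm (bcrypt by default), so two users with the same password get different hashes
// and a precomputed (rainbow) table is useless against the stored values.
function register_user(PDO $pdo, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO user (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute(array(':u' => $username, ':h' => $hash));
}

// Login: look up *this* username (bound parameter, so the input is treated as data, not SQL),
// then let password_verify() compare against the stored hash.
// Returns the user row on success, or null on any failure.
function authenticate(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT * FROM user WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $user = $stmt->fetch(PDO::FETCH_OBJ);

    if (!$user || !password_verify($password, $user->password_hash)) {
        return null; // one answer for both "no such user" and "wrong password"
    }

    // If PHP's hashing defaults have been strengthened since this hash was made, upgrade it
    // now, while the plaintext is in hand; it will not be again until the next login.
    if (password_needs_rehash($user->password_hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $pdo->prepare('UPDATE user SET password_hash = :h WHERE username = :u');
        $upd->execute(array(':h' => $new, ':u' => $username));
        $user->password_hash = $new;
    }

    unset($user->password_hash); // as suggested earlier in the thread: keep it out of $_SESSION
    return $user;
}

/* In login.php, replacing the plaintext comparison:

   if (isset($_POST['login'])) {
       $user = authenticate($pdo, $_POST['username'], $_POST['password']);
       if ($user) {
           $_SESSION['user'] = $user;      // after session_start()
           header('Location: member.php');
           exit;
       }
       echo 'Username or password incorrect.';
   }
*/
```

Because every user now has their own row looked up by name, this also covers the "multiple logins" question later in the thread: registration is one INSERT per user, and nothing in the login path depends on which row happens to come first.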

Thanks, I didn't know about this.

Thank you all for your time and assistance. I seem to have this working now. I would like to move on to the next level and learn how to create registration and multiple logins for users that want to do it. Where can I get started on that?

Check out

Chapter nine of the code deals with sessions and login etc.

Shane

