
Thread: [RESOLVED] Correct Way To Use Sessions


  1. #1

    Thread Starter, Fanatic Member
    Join Date: Sep 2005
    Posts: 540

    Usually, I would create my own session "protocol" just using a username stored in the cookies, and the MD5 Hash of the password. Then when the user changes pages, PHP would check the user's cookies against the database and determine if they match or not. I know this is not a very secure way to do things, but I haven't been coding for anything major.

    I would, however, like to learn how to use SESSIONs properly. Let me give you an example of my code:


    Index Page:

    PHP Code:
    <?php

    include_once "includes/include.php"; // Creates database links, and loads common functions for the script.

    session_start();

    if (isUserLoggedIn($userTableConn))
    {
      include "the_index_page.php";
    }
    else
    {
      if ($_GET['userName'] != "")
      {
        if (checkValidUser($_GET['userName'], md5($_GET['passWord']), $userTableConn))
        {
          $_SESSION['currentUser'] = $_GET['userName'];
          $_SESSION['currentUserPassword'] = md5($_GET['passWord']);
        }
      }
      else
      {
        include_once "login_page.php"; // Just a normal login page with the username and password textboxes.
      }
    }
    ?>

    include.php:

    PHP Code:
    <?php

    include_once "config.php"; // Details for database access

    // Note: the mysql_* functions used here were removed in PHP 7.0.
    $userTableConn = mysql_connect($dbHost, $dbUsername, $dbPassword) or die("Could not connect");
    mysql_select_db($dbDatabase, $userTableConn) or die("Could not select database");

    function checkValidUser($userName, $passWordHashed, $dbConn)
    {
      $userQueryResult = mysql_query("SELECT `Username`, `ID` FROM `membersTable` WHERE `Username`='" . $userName . "' && `Password`='" . $passWordHashed . "';", $dbConn);
      // Passwords are stored as MD5 HASHes inside the database. The MD5 HASH is sent to this function.

      if ($userQueryResult == FALSE)
      {
        echo(mysql_error());
        return false; // No result set to fetch from when the query failed.
      }

      $userQueryArray = mysql_fetch_array($userQueryResult);

      if ($userQueryArray == "")
      {
        return false;
      }
      else
      {
        return true;
      }
    }

    function isUserLoggedIn($dbConn)
    {
      return checkValidUser($_SESSION['currentUser'], $_SESSION['currentUserPassword'], $dbConn);
    }
    ?>

    the_index_page.php:

    PHP Code:
    <?php
    if (isUserLoggedIn($userTableConn))
    {
      // Webpage Content
    }
    else
    {
      header("Location: index.php"); // This will send them to the login page, since they are not logged in.
    }
    ?>

    The problem that I have with this method is that when a user logs in, it takes them back to the login page. Then they have to either press refresh or press login again for the login to be successful. I believe this is because PHP doesn't have time to send, and retrieve the SESSION and COOKIE data? Just speculation here.

    The next problem is that if they click a link on any of the pages, the session data is cleared away (they are logged out). This also happens if they navigate to any page (including the current page). What I mean to say is when pressing refresh, everything is OK. When pressing Enter in the address bar (which will navigate to the current page), the user is logged out. When navigating to any hyperlinks, the user is logged out.

    Does anyone have any suggestions? I use Hostgator to test all my scripts.

    I know that this code is open to SQL injections and all that. I left out any input validation to keep it simple.
    Last edited by Slyke; Jan 20th, 2009 at 06:50 AM.
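
A hardened form of the login flow from the post above, as an added example that is not part of the original thread: credentials arrive by POST, the query is a prepared statement, only the user ID is kept in `$_SESSION`, the session ID is regenerated at login, and a successful login redirects instead of producing an empty response. It assumes PHP 7.3 or later with PDO; the in-memory SQLite table, the sample user, and the names `login()`, `currentUserId()` and `userId` are constructed for illustration, and the `Password` column is assumed to hold `password_hash()` output instead of an MD5 hash.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for include.php: in-memory SQLite with one sample user (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE membersTable (ID INTEGER PRIMARY KEY, Username TEXT UNIQUE, Password TEXT)');
$db->prepare('INSERT INTO membersTable (Username, Password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $db, string $userName, string $passWord): bool
{
    // Prepared statement: user input is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT ID, Password FROM membersTable WHERE Username = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Password is assumed to hold a password_hash() value, checked with password_verify().
    if ($row === false || !password_verify($passWord, $row['Password'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session ID at login (blocks session fixation)
    $_SESSION['userId'] = (int) $row['ID']; // keep only an identifier, never the password or its hash
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['userId']) ? (int) $_SESSION['userId'] : null;
}

// index.php flow: start the session before any output so the cookie header can be sent.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
                           'secure' => ($_SERVER['HTTPS'] ?? 'off') !== 'off']);
session_start();
if (currentUserId() === null && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Credentials arrive by POST, so they stay out of URLs, history and access logs.
    if (login($db, (string) ($_POST['userName'] ?? ''), (string) ($_POST['passWord'] ?? ''))) {
        header('Location: index.php', true, 303); // redirect; the next GET renders the logged-in page
        exit;
    }
}

if (currentUserId() !== null) {
    echo 'Logged in as user #' . currentUserId(); // the_index_page.php content goes here
} else {
    echo '<form method="post"><input name="userName"><input type="password" name="passWord">'
       . '<button>Log in</button></form>';        // login_page.php content goes here
}
```

Saved as `index.php`, it runs under PHP's built-in server (`php -S localhost:8000`) with the constructed account `alice` / `correct horse`.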
