
Thread: Sessions and Login

  1. #1

    Thread Starter
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Sessions and Login

    Hi,
    I'm trying to create a tiny admin section for my site. What I do is have the user log in using a form, and on the next page:

    PHP Code:
    $username = $_POST["username"];
    $password = $_POST["password"];

    $dbh = mysql_connect("localhost", "mendhakuser", "mendhakpassword") or die('I cannot connect to the database because: ' . mysql_error());
    mysql_select_db("mendhakdatabase");

    $loginquery = "SELECT * FROM adminsection WHERE username = '$username' AND password = '$password'";

    $loginresult = mysql_query($loginquery);
    My first question is: After I get $loginresult, if I just check for the number of rows returned in $loginresult, and the answer is 1, then the user is validated... else he is not. Is this the proper method?

    My second question is: How do I create a session variable and check it on every page, and how do I end it?

    Thanks.

  2. #2
    New Member
    Join Date
    May 2001
    Location
    Mars
    Posts
    3
    First off, I use an SQL table to store the following data:
    Session ID, Username, Last Action Time (LAT)

    Sooo...

    First, let's assume we get a login that has been confirmed as valid. We need a session ID that will be unique.

    Something along the lines of MD5($user.Time()); should work.

    Now, just check the database for the supplied session. If it exists, we have a logged in user. Also remove sessions older than 10 minutes for security's sake.

    -Fireslash

  3. #3

    Thread Starter
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170
    Well, it isn't for a large site or anything. It's for my own website, so security doesn't matter. I just wanted to know what would be the best method to check if the userid and pwd are correct. Like in Q1, should I just do a row count?

  4. #4

    Thread Starter
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170
    *BUMPFROG*


    Nobody visits the PHP forum anymore?

  5. #5
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    296
    1. Yes:

    $count = mysql_num_rows($loginresult);

    2.

    session_start();
    session_register("username");
    session_register("password");

    $_SESSION['username'] = "blah";

    session_destroy();


    session_start(); needs to be at the top of every page
    Kevin Carpenter
    Currently Working in the CAOS (CA Operating System) Group

  6. #6

    Thread Starter
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170


    Originally posted by carp
    1. Yes:

    $count = mysql_num_rows($loginresult);

    2.

    session_start();
    session_register("username");
    session_register("password");

    $_SESSION['username'] = "blah";

    session_destroy();


    session_start(); needs to be at the top of every page
    Thank you!

  7. #7
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337
    Originally posted by carp
    1. Yes:

    $count = mysql_num_rows($loginresult);

    2.

    session_start();
    session_register("username");
    session_register("password");

    $_SESSION['username'] = "blah";

    session_destroy();


    session_start(); needs to be at the top of every page
    DO NOT use session_register("username"); if you set it with $_SESSION[]. session_register() is deprecated.

    and no need for session_destroy(), to end a session just

    $_SESSION['username'] = "";
    unset($_SESSION['username']);

    that is all.

    fireSlash: why create a hash when PHP gives it to you already? The session ID is unique, so why not use that? You are creating more work than you have to.

  8. #8
    New Member
    Join Date
    May 2001
    Location
    Mars
    Posts
    3
    I am not overly fond of PHP's session system. I prefer using the smallest set of functions physically possible.

    Maybe I am just making things harder than they can be, but it gives me more control over what I do with the language. Why use functions for connecting to IRC servers, FTP servers, etc, when you can write your own code to do it with fsock, have more control over the I/O, and gain a better understanding of the protocol?

    -Fireslash

  9. #9
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337
    I see what you are saying but for those that don't care about the protocol it is worth it.

    so you want as few functions as possible, so you create your own session id but don't want to use sessions

    $sessionID = session_id();

    seems easy enough to me

    this way you are using 2 functions just to create an ID
    MD5($user.Time());
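
An added example, not code from any poster in this thread: the login check (question 1) and the per-page session check and logout (question 2), using a bound query parameter instead of interpolating `$_POST` values, a stored password hash, PHP's own session ID, and the 10-minute idle limit from post #2. The function names, `IDLE_LIMIT`, the `password_hash` column and the in-memory SQLite table are assumptions made for illustration.

```php
<?php
// Added example; function names, IDLE_LIMIT and the password_hash column are hypothetical.
const IDLE_LIMIT = 600; // 10 minutes of inactivity, as suggested in post #2

// Q1: bind the username as a parameter, then verify the password against its hash.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM adminsection WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when there is no such user
    return is_string($hash) && password_verify($password, $hash);
}

// Q2: after a successful login, switch to a fresh session ID and mark the session.
function start_login_session(string $username): void {
    session_regenerate_id(true);           // discard the pre-login session ID
    $_SESSION['username'] = $username;     // the password is never stored in the session
    $_SESSION['last_action'] = time();
}

// Call at the top of every protected page, right after session_start().
function require_login(): bool {
    $last = $_SESSION['last_action'] ?? 0;
    if (!isset($_SESSION['username']) || time() - $last > IDLE_LIMIT) {
        logout();
        return false;
    }
    $_SESSION['last_action'] = time();
    return true;
}

function logout(): void {
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) { session_destroy(); }
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE adminsection (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO adminsection VALUES (?, ?)')
   ->execute(['admin', password_hash('constructed-password', PASSWORD_DEFAULT)]);

session_start();
$ok  = check_login($db, 'admin', 'constructed-password');
$bad = check_login($db, "admin'", 'anything');       // the quote stays data, not SQL
if ($ok) { start_login_session('admin'); }
$active = require_login();
$_SESSION['last_action'] = time() - IDLE_LIMIT - 1;  // simulate an idle session
$expired = require_login();
var_dump($ok, $bad, $active, $expired);
```

On a real page the demo section is replaced by a MySQL PDO connection and the submitted form values; the four functions stay the same.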

