I am having trouble understanding the session part of this tutorial: http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/

I have it creating names and passwords and logging in, but don't know how to actually implement sessions on my pages to make sure they are logged in. Can anyone help me understand how to use sessions with this tutorial? Where should this go?

```php
function isLoggedIn()
{
    if($_SESSION['valid'])
        return true;
    return false;
}
```
Sessions are a way of storing data, so that your scripts can get it securely when they get executed again. You start using a session with "session_start();" and then you can just call the "isLoggedIn()" function that you listed to see if they have already logged in or if they have not.
Right. You can search for PHP scripts on Google. There are lots of tutorials besides the tutorial link that you shared.
Hi zer0c00l, actually the lines of code in the function you specified will just check whether someone is logged in or not, but they won't go anywhere; it's just an example, but you can do everything with that. The session is basically used for permanent data storage; you can access the session anywhere in your website just by calling it.
Well, I guess I'm just not getting it. I have tried looking at other examples, but can't seem to fully grasp it. Maybe someone can take a look. Here is the process page of the login.

```php
<?php
session_start(); //must call session_start before using any $_SESSION variables
include ("functions.php");

$username = $_POST['username'];
$password = $_POST['password'];

//connect to the database here
//(the mysql_* functions were removed in PHP 7; mysqli or PDO replace them)
$dbhost = 'removed';
$dbname = 'removed';
$dbuser = 'removed';
$dbpass = 'removed';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $conn);

$username = mysql_real_escape_string($username);
$query = "SELECT password, salt FROM users WHERE username = '$username';";
$result = mysql_query($query);

if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: login_form.php');
    die(); //stop here, otherwise the script carries on without a user row
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = sha1( $userData['salt'] . sha1($password) );

//strict comparison, so two different hashes are never equal through type juggling
if($hash !== $userData['password']) //incorrect password
{
    header('Location: login_form.php');
    die();
}
else
{
    validateUser($username); //sets the session data for this user
}
//redirect to another page or display "login Success" message
echo "you have successfully logged in";
?>
```

Here is the functions page:

```php
<?php
function validateUser($userid)
{
    session_regenerate_id(true); //this is a security measure: new session ID at login
    $_SESSION['valid'] = 1;
    //the login query fetches no id column, so the caller passes the username
    $_SESSION['userid'] = $userid;
}
function isLoggedIn()
{
    //empty() also covers the case where 'valid' was never set
    if(!empty($_SESSION['valid']))
        return true;
    return false;
}
function logout()
{
    $_SESSION = array(); //destroy all of the session variables
    session_destroy();
}
?>
```

And finally the page I am trying to protect:

```php
<?php
include ("functions.php");
session_start();
//if the user has not logged in
if(!isLoggedIn())
{
    header('Location: login.php');
    die();
}
//page content follows
?>
this is the index page and the rest of the content below.
```
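An added example, not code from the thread or the linked tutorial: one include file that carries the whole session lifecycle the three files above depend on (cookie settings, login, idle expiry, logout and the per-page guard). The `valid` and `userid` keys follow the thread; `startSecureSession()`, `requireLogin()`, `last_seen`, `IDLE_LIMIT` and the cookie settings are assumptions of this example.

```php
<?php
// auth.php: added example. Include it at the top of every page, before any output.
// 'valid' and 'userid' follow the thread; startSecureSession(), requireLogin(),
// 'last_seen', IDLE_LIMIT and the cookie settings are assumptions of this example.
const IDLE_LIMIT = 1800; // seconds of inactivity before a login expires

function startSecureSession() {
    if (session_status() === PHP_SESSION_ACTIVE) return;
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_set_cookie_params([              // array form needs PHP 7.3+
        'lifetime' => 0,                     // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,                  // session cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function validateUser($userid) {             // call only after the password check passed
    session_regenerate_id(true);             // fresh ID at login; the pre-login ID stops working
    $_SESSION['valid']     = 1;
    $_SESSION['userid']    = $userid;
    $_SESSION['last_seen'] = time();
}

function isLoggedIn() {
    if (empty($_SESSION['valid']) || !isset($_SESSION['last_seen'])) return false;
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();                            // idle too long: discard the login server-side
        return false;
    }
    $_SESSION['last_seen'] = time();         // sliding window: activity extends the login
    return true;
}

function logout() {
    $_SESSION = array();
    if (session_status() !== PHP_SESSION_ACTIVE) return;
    $p = session_get_cookie_params();        // expire the cookie with the attributes it was set with
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function requireLogin($loginPage = 'login.php') {
    startSecureSession();
    if (!isLoggedIn()) {
        header('Location: ' . $loginPage);
        exit;                                // without this the protected content is still sent
    }
}
```

A protected page then starts with `require 'auth.php'; requireLogin();`, and the login script calls `startSecureSession()` before checking the password and `validateUser()` once the check has passed.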
If you want to password protect a webpage on your website then I suggest you use htaccess: http://tools.dynamicdrive.com/password/
Doesn't htaccess have a popup login? I need something in a form design. Does htaccess allow it in a form? From what I understand, it cannot use a form; rather, it must use that popup.
Why do you need it in a form? If you're just protecting a webpage for yourself and maybe a couple of others then it could just be a link. If you want to include login data in a URL then you can do this: http://username:password@example.com/

That way, if you want to use JavaScript in a form to send the data you can. Take this, for example:

```html
<script type="text/javascript">
function submitData()
{
    var url = "example.com";
    // encode the values so characters such as "@", ":" or "/" do not break the URL
    var name = encodeURIComponent(document.form.name.value);
    var pass = encodeURIComponent(document.form.pass.value);
    // the credentials become part of the address, so they appear in the address bar and browser history
    window.location = "http://"+name+":"+pass+"@"+url;
}
</script>
<form name="form">
<label for="name">Name: </label><input type="text" name="name" id="name" /><br />
<label for="pass">Pass: </label><input type="password" name="pass" id="pass" /><br />
<input type="button" value="Log in" onclick="submitData()" />
</form>
```

(untested)