I think the last major thing I'm unfamiliar with is PHP sessions. I want to make a login script which, when they log in, stores their data in a session (in something like config.php). And then, in a new page there would be something like

    <?php
    include("config.php");
    if ($session != 'false') {
        // hooray I can do stuff
    } else {
        // redirect to login page code
    }
    ?>

How can I set the config.php or even sessions to get it working? Sadly the tuts I've been reading aren't down to earth enough for me to understand at all. That's the first part.

The second part is using sessions to do stuff, like a profile. So like the top part, if sessions does not equal false, then it'll run the code. So in the body I'd like to have

    <input type="text" name="name">

And then when it goes to the processing field it'll update the data in MySQL for that user ID which is generated during registration. So it has to be based on sessions. How can I accomplish that? Thanks for the help!
Well, this is what I follow for my simple scripts that need sessions. I have one MySQL database with a table 'users', which has all the stuff like usernames, passwords, etc., along with two extra fields: login_key, session_id.

If a user logs in, I generate a login key and store it along with the session ID in the database. I also send two session cookies, one which contains the login key (let's call it sitename_sess_key) and the other the user_id. If you want a user to be logged in to access a private area, then I apply this check:

    If (Session_Variable(sitename_sess_key) == Data_Stored_in_table(login_key)
        AND Session_Variable(user_id) == Data_Stored_in_table(user_id)
        AND Session_Variable(session_id) == Data_in_table(session_id))
    THEN SET user_logged_in=true
    ELSE SET user_logged_in=false

Then you can use the user_logged_in flag to either redirect him to the login page or to the members' area. I usually write a function for that and then call it in every page where I need authentication. Works like a charm.
So referring to your users table, once logged in, it'll put the session ID into the table. So in my logout script I would simply delete the session id? Isn't there something to kill the session too? And for the second part, I'm still confused how I would access the user's tables using the sessions. Thanks a lot
I've always used

    if (!isset($_SESSION['key'])) {
        // needs to set key
    } else {
        // do stuff
    }

$_SESSION is a global variable, so you can reassign it on the fly. Just be sure to use session_start(). For registration, basically you'd have your forms with the names. Then at the top you'd do something similar to

    <?php
    session_start(); // must run before $_SESSION is read or written
    if (!isset($_SESSION['value'])) {
        if (isset($_POST['value'])) {
            // mysql_* was removed in PHP 7; mysqli or PDO is needed there
            $value = mysql_real_escape_string($_POST['value']);
            // etc
            mysql_query("//insert into mysql_here") or die(mysql_error());
            // if we don't die on the insert
            $_SESSION['value'] = $value;
        } else {
            // for the form
            ?>
            <form method="POST">
            <!-- your form -->
            </form>
            <?php
        }
    }
1. You can unset the session variables (even use PHP's session_unset(); function) and use session_destroy(). That'll delete all the session variables used. To be on the safer side, you can also null the values in the database.

2. That's why I said we need two session variables! One which contains the login_key and the other the user_id. Use both the user_id and login_key (along with the current session ID) to validate the user!

Pseudo SQL:

    SELECT user_name FROM user_table
    WHERE user_id={$_SESSION['user_id']}
      AND login_key='{$_SESSION['sitename_sess_key']}'
      AND session_id='{session_id()}'

If that produces a result set, then the current logged-in session is valid! You can refer to PHP's Session Functions manuals. That'll help you get working.
Ok thanks. Now I know the validation part, so here's what I do correct: At the top, session_start() And then, Before that, shouldn't I use session_key() or session_regenerate_id() to generate my random key once the user logs in? How can I make a new variable to add the data to the database? Because when the user logs in it adds some random number to the database and needs to keep verifying that. And then after that, Thanks
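The login, per-page check, profile update and logout discussed in the posts above, as an added example that is not code from any poster in the thread. The table and column names login_key, session_id and user_id follow the posts; the function names, the password_hash and display_name columns, and the in-memory SQLite demo standing in for MySQL are assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names follow the posts;
// function names, password_hash/display_name and the SQLite demo are assumptions.
function login(PDO $db, string $name, string $pw): bool {
    $q = $db->prepare('SELECT user_id, password_hash FROM users WHERE user_name = ?');
    $q->execute([$name]);
    $u = $q->fetch(PDO::FETCH_ASSOC);
    if (!$u || !password_verify($pw, $u['password_hash'])) return false;
    session_regenerate_id(true);       // fresh ID at login defeats session fixation
    $key = bin2hex(random_bytes(32));  // unpredictable login key
    $db->prepare('UPDATE users SET login_key = ?, session_id = ? WHERE user_id = ?')
       ->execute([$key, session_id(), $u['user_id']]);
    $_SESSION['user_id'] = (int) $u['user_id'];
    $_SESSION['sitename_sess_key'] = $key;
    return true;
}
function is_logged_in(PDO $db): bool {
    if (!isset($_SESSION['user_id'], $_SESSION['sitename_sess_key'])) return false;
    $q = $db->prepare('SELECT login_key, session_id FROM users WHERE user_id = ?');
    $q->execute([$_SESSION['user_id']]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row && $row['login_key'] !== null   // NULL once logged out
        && hash_equals($row['login_key'], $_SESSION['sitename_sess_key'])
        && hash_equals((string) $row['session_id'], session_id());
}
function update_name(PDO $db, string $newName): bool {
    if (!is_logged_in($db)) return false;
    // The row is selected by the session's user_id, never by a form field.
    return $db->prepare('UPDATE users SET display_name = ? WHERE user_id = ?')
              ->execute([$newName, $_SESSION['user_id']]);
}
function logout(PDO $db): void {
    if (isset($_SESSION['user_id'])) {
        $db->prepare('UPDATE users SET login_key = NULL, session_id = NULL WHERE user_id = ?')
           ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];       // clear the variables, then drop the server-side session
    session_destroy();
}
// Constructed demo data; in-memory SQLite stands in for the MySQL users table.
session_start();
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT,
    password_hash TEXT, display_name TEXT, login_key TEXT, session_id TEXT)');
$db->prepare('INSERT INTO users (user_name, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('demo-password', PASSWORD_DEFAULT)]);
$bad = login($db, 'alice', 'wrong'); $ok = login($db, 'alice', 'demo-password');
$updated = update_name($db, 'Alice');
logout($db);
var_dump($bad, $ok, $updated, is_logged_in($db));
```

On a real site, session_start() goes at the top of every page and is_logged_in() decides between the members' area and a redirect to the login page.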