The correct use of sessions.


  1. #1
    Silver surfer
    Join Date
    Nov 2007
    Posts
    94

    The correct use of sessions.

    I am using XAMPP to develop a database (let's say mydbd).

    To access the edit_your_account.php page, the user must login from the home page using an email address and a password.
    A page named members-page.php opens. A link within the header of that page will then take him to the edit_your_account.php page.
    The edit_your_account.php page opens, but it shows an error message:

    This page has been accessed in error.

    The address field of the browser shows the URL: http://localhost/mydb/edit_your_account.php

    If I use hard coding to amend that URL by adding the user's id suffix as follows:
    localhost/mydb/edit_your_account.php?id=14
    The edit_your_account.php page appears with its table of user's details correctly displayed and populated.
    I can then edit some of the user's details, click the 'Edit' button and the details are correctly edited.

    From this I am assuming that I am not using SESSIONS correctly on the members.php page, or on the edit_your_account.php page, or both. Please would you let me know where I am going wrong?

    The same session is used on both the members-page.php and the edit_your_account.php page, this is listed in the code below.

    <?php
    session_start();
    // Only a logged-in user with user_level 0 may continue; anyone else is sent to the login page.
    if (!isset($_SESSION['user_level']) or ($_SESSION['user_level'] != 0)) {
        header("Location: login.php");
        exit();
    }
    // Copy the logged-in user's id into $_POST so the page code below can pick it up.
    if (isset($_SESSION['user_id'])) {
        $_POST['id'] = $_SESSION['user_id'];
    }
    ?>

    There are two blocks of code on that page that will produce the error message.
    The first one is listed in the code box below.

    <?php
    // After clicking the Your Account link within the header of the members page, this editing interface appears
    // Look for a valid user ID, either through GET or POST:
    if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From members page
        $id = $_GET['id'];
    } elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // From members page. Prepare to display the Form
        $id = $_POST['id'];
    } else { // No valid ID, so kill the script.
        echo '<p class="error">This page has been accessed in error.</p>';
        include ('includes/footer.php');
        exit();
    }
    require ('mysqli_connect.php');
    // Has the form been submitted?
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // ... form handling continues here (the rest of the page is not shown in the post)
    }

  2. #2
    Pedantic Curmudgeon Weedpacket's Avatar
    Join Date
    Aug 2002
    Location
    General Systems Vehicle "Running Gear"
    Posts
    22,564
    A link within the header of that page will then take him to the edit_your_account.php page.
    The edit_your_account.php page opens
    The address field of the browser shows the URL: http://localhost/mydb/edit_your_account.php
    So during all that, where does the "id" get passed? Because if it isn't:

    PHP Code:
    if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From members page
        $id = $_GET['id'];
    } elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // From members page. Prepare to display the Form
        $id = $_POST['id'];
    } else {
        // No valid ID, so kill the script.
    Last edited by Weedpacket; 01-08-2018 at 05:56 PM.
    THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER
    FAQs! FAQs! FAQs! Most forums have them!
    Search - Debugging 101 - Collected Solutions - General Guidelines - Getting help at all

  3. #3
    Silver surfer
    Join Date
    Nov 2007
    Posts
    94
    Yes that is the key to solving the problem. I wondered if the id could be passed earlier in the chain of events. The chain is: First the Login page, this directs to the members page, in which a menu button takes the user to the edit_your_account page.
    I tried adding a session to the login page.

    In the login page I tried this without success:
    <?php
    session_start();
    if (!isset($_SESSION['user_level']) or ($_SESSION['user_level'] != 0)) {
        header("Location: login.php");
        exit();
    }
    if (isset($_SESSION['user_id'])) {
        $_POST['id'] = $_SESSION['user_id'];
    }
    ?>

    Then I tried this in the login page without success:

    <?php
    session_start();
    if (isset($_SESSION['user_id'])) {
        $_POST['id'] = $_SESSION['user_id'];
    }
    ?>
    I can't think what to try next, would you suggest a next move please.
    Best wishes
    Awestruck
    Last edited by Awestruck; 01-08-2018 at 02:12 PM.

  4. #4
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    8,543
    $_SESSION['user_id'] doesn't get set automatically by the session. You need to set it.

    PHP Code:
    //Login.php

    //start the session
    session_start();

    if (!$_POST) {

        show_the_form();

    } else {
        //form was POSTed

        $success = login_check($_POST['user'], $_POST['password']); //assume return of user id, '0' if failure

        if ($success) {
            $_SESSION['user_id'] = $success;
            header("Location: member.php");
            exit;
        }
    }

    Then, on any page that needs to know the user's ID:

    PHP Code:
    //MyExamplePage.php

    //start session
    session_start();

    //are we logged in?  empty() also covers the case where the key was never set
    if (empty($_SESSION['user_id'])) {  //no?  Go and login please!
        header("Location: login.php");
        exit;
    }

    //show member stuff here.
    Note that this is example code to give you an idea how to proceed. I should add that you should do a LOT of study about this; for example, placing $_POSTed variables into a function is probably OK ... UNLESS that function then proceeds to put them directly into a database query; that's a huge potential security hole. You should learn more about PHP's sessions and how to keep them secure.

    I also assumed you could write a login_check() function ... that can also be complex; for one thing, passwords MUST be hashed these days. It's totally irresponsible of ANYone running a website in 2018 to use a password-in-the-clear in their database. Why? Because Fred in Accounting uses the same d@3n password on your site that he uses to access his bank account and his social media profile and his work-based email. If he puts it into your system, it's stored in clear-text and someone gets ahold of your DB backup file, "poof!" ... Fred's life is a hellacious thing for months or even years.

    Best of luck ...
    /!!\ mysql_ is deprecated --- don't use it! Tell your hosting company you will switch if they don't upgrade! /!!!\ ereg() is deprecated --- don't use it!

    dalecosp "God doesn't play dice." --- Einstein "Perl is hardly a paragon of beautiful syntax." --- Weedpacket

    Getting Help at All --- Collected Solutions to Common Problems --- Debugging 101 --- Unanswered Posts --- OMBE: Office Machines, Business Equipment
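    A fuller version of the login step sketched above, written as an added example and not taken from the thread or from any poster's code. It fills in the login_check() function the post leaves to the reader, using a prepared statement (so the posted e-mail address never becomes part of the SQL text) and password_verify() against a stored password_hash() value. It assumes mysqli_connect.php defines $dbc as a mysqli connection and that a table named users with columns user_id, email and pass exists; those names are assumptions, as is the members-page.php redirect target taken from the OP's description.

```php
<?php
// login.php: added example, not the OP's or the forum's code.
// Assumes mysqli_connect.php defines $dbc (a mysqli connection) and a
// hypothetical table `users` with columns user_id, email and pass, where
// pass holds a password_hash() value created at registration time.
session_start();
require 'mysqli_connect.php';

/**
 * Look the user up by e-mail and verify the password against its hash.
 * Returns the user's id on success, 0 on failure.
 */
function login_check(mysqli $dbc, string $email, string $password): int
{
    // Prepared statement: the e-mail is bound as data, not spliced into SQL.
    $stmt = $dbc->prepare('SELECT user_id, pass FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($userId, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() compares against the stored hash in constant time;
    // the clear-text password is never stored anywhere.
    if ($found && password_verify($password, $hash)) {
        return (int) $userId;
    }
    return 0;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email    = trim($_POST['email'] ?? '');
    $password = $_POST['password'] ?? '';

    $userId = login_check($dbc, $email, $password);
    if ($userId > 0) {
        // Issue a fresh session id when the privilege level changes, so a
        // session id handed to the browser before login is not kept.
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
        header('Location: members-page.php');
        exit;
    }
    // One generic message for both a wrong address and a wrong password.
    $error = 'Invalid e-mail address or password.';
}
?>
<?php if ($error !== ''): ?>
<p class="error"><?= htmlspecialchars($error) ?></p>
<?php endif; ?>
<form action="login.php" method="post">
  <label>E-mail <input type="email" name="email"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Login</button>
</form>
```

    The registration page that goes with this would store password_hash($password, PASSWORD_DEFAULT) in the pass column; everything else in the session is just the user's id, which is what the later pages read.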

  5. #5
    Senior Member
    Join Date
    Apr 2016
    Posts
    134
    Starting with the session data, you should only store the user's id in a session variable. You should not store any user permissions in session variables. Doing so will prevent the user permissions from being changed, until the next time the user logs in. If you have a system where the user can perform an action, such as making posts, chat, shout-box, pm'ing members, emailing members, ... you would want any change in permissions to take effect on the next page request, so that a moderator/administrator will have the ability to stop someone who is abusing the system or to have the ability to add permissions without having to tell the user to log out and log back in again for them to take effect. You should query on each page request to get the current user's permissions.

    The user permissions should determine what the current visitor can see or what action they can perform on any page. The logic on any page should test if the current visitor is logged in, retrieve their permissions if they are, and then decide what to display or what action to allow on that page.

    On the member(profile) page, it should use a get parameter in the url to determine whose information to display. If there is not an id in the url, you need to decide what to do. Should this display an error message? Should you redirect to another page? Should you display the current user's data using the user_id from the session variable, if any? This forum software displays "This user has not registered and therefore does not have a profile to view.", which is probably the same message/logic for when there is an id in the url, but that user doesn't exist.

    If there is an id in the url, you also need to decide what to do. If the id in the url is not the same as the current visitor's or the current visitor is not logged in, what should happen? If the id in the url is the same as the current visitor's (viewing your own profile page), what should happen? In addition to displaying the profile information, you would display the link to the edit page in this case.

    Repeat this defining process for the edit page. If the current visitor is not logged in and they browse to the edit page, what should happen? This forum software displays - "You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:...". If they are logged in and they have permission to edit their profile, you would retrieve the profile information using the user id from the session variable and populate the edit form with it. When the edit form is submitted, you would repeat these checks (if not submitting to the same page), so that only a logged in user, with permission to edit their profile, can cause the data to be changed.
    Programming should not be a painful activity. If you are experiencing pain while programming, you are probably doing something wrong.
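    The edit page designed the way the post above describes, as an added example that is not the OP's page and not code from any poster. The session carries only the user's id; the permission is read from the database on every request so an administrator's change applies immediately; and both the SELECT and the UPDATE are bound to the id from the session, never to one from the URL or the form. It assumes mysqli_connect.php defines $dbc and a hypothetical users table with columns user_id, first_name, email and can_edit_profile; those names are assumptions.

```php
<?php
// edit_your_account.php: added example, not the OP's or the forum's code.
// Assumes mysqli_connect.php defines $dbc (a mysqli connection) and a
// hypothetical table `users` with columns user_id, first_name, email and
// can_edit_profile (TINYINT, 1 = allowed). All of these names are assumptions.
session_start();
require 'mysqli_connect.php';

// Step 1: is the visitor logged in? The session holds only the user id.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
$id = (int) $_SESSION['user_id'];   // the id never comes from the URL or the form

// Step 2: load the record and the permission on every request, so a change
// made by an administrator takes effect from the visitor's next request.
$stmt = $dbc->prepare(
    'SELECT first_name, email, can_edit_profile FROM users WHERE user_id = ?'
);
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($firstName, $email, $canEdit);
$found = $stmt->fetch();
$stmt->close();

if (!$found) {
    // The account no longer exists: drop the stale session and start over.
    session_destroy();
    header('Location: login.php');
    exit;
}
if (!$canEdit) {
    echo '<p class="error">You do not have permission to edit your profile.</p>';
    exit;
}

// Step 3: apply a submitted edit. The login and permission checks above ran
// on this same request, and the UPDATE is again bound to the session's id.
$errors  = [];
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $newName  = trim($_POST['first_name'] ?? '');
    $newEmail = trim($_POST['email'] ?? '');
    if ($newName === '') {
        $errors[] = 'First name is required.';
    }
    if (!filter_var($newEmail, FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'A valid e-mail address is required.';
    }
    if (!$errors) {
        $upd = $dbc->prepare(
            'UPDATE users SET first_name = ?, email = ? WHERE user_id = ?'
        );
        $upd->bind_param('ssi', $newName, $newEmail, $id);
        $upd->execute();
        $upd->close();
        $firstName = $newName;
        $email     = $newEmail;
        $message   = 'Your details have been updated.';
    }
}

// Step 4: show the populated form, escaping every value on output.
foreach ($errors as $e) {
    echo '<p class="error">' . htmlspecialchars($e) . '</p>';
}
if ($message !== '') {
    echo '<p>' . htmlspecialchars($message) . '</p>';
}
?>
<form action="edit_your_account.php" method="post">
  <label>First name
    <input type="text" name="first_name" value="<?= htmlspecialchars($firstName) ?>">
  </label>
  <label>E-mail
    <input type="email" name="email" value="<?= htmlspecialchars($email) ?>">
  </label>
  <button type="submit">Edit</button>
</form>
```

    With this layout the "?id=14" suffix the OP had to type by hand is never needed: the page knows who is logged in from the session, and a visitor cannot edit someone else's record by changing a number in the address bar.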

  6. #6
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    8,543
    Quote Originally Posted by pbismad View Post
    Starting with the session data, you should only store the user's id in a session variable. You should not store any user permissions in session variables. Doing so will prevent the user permissions from being changed, until the next time the user logs in.
    News to me.


    PHP Code:
    //1.php

    session_start();

    $_SESSION['permission'] = 1;

    echo "Your permission level is " . $_SESSION['permission'];
    PHP Code:
    //2.php

    session_start();

    $_SESSION['permission'] = 2;

    echo "Your permission level is " . $_SESSION['permission'];
    It appears as though you think the session can only be modified once? While it might be onerous (or perhaps even poor design) to adjust $_SESSION multiple times during a, well, session, it's certainly possible to do so.

  7. #7
    Senior Member
    Join Date
    Apr 2016
    Posts
    134
    News to me.
    My statement is about being able to change user permissions and have them take effect.

    The session that's started is the visitor's session, using the session id from the http(s) request, or if you know what the session id is, by setting the id using session_id() first. For a moderator/admin to be able to modify someone else's session data would require first knowing the visitor's current session id, which can be easily changed, simply by logging out and back in, resulting in the possibility that abandoned session data is what is actually being modified by the mod/admin.

    The straight-forward fool-proof way of being able to change user permissions, is to change the source data (wherever the OP is defining a user's 'user_level' at now), and retrieve and use that source data on each page request, rather than to try and change a copy of that data being held in a session variable.
