Session Question

Anon

I already have a web site that uses a database with several tables and I'm wanting to change the site around so each user has to login. I already have a table that has all of the users information. I'm going to add a user id and password field to that table. What I need help with is that I'm making a auth.inc file that I will include on every page of the web site. I want the auth script to work for people that don't have cookies and for it to use cookies if they have them enabled on their browser. I have read some info on php.net and phpbuilder.com about sessions and I think I'm confused now. Basically, This is logically how I want to set it up. If they get authorized I will need away to keep there user id from page to page.

//Check to see if they have a session started and if they are authorized

if ($Login Form submitted) {

//Check to see if the user id and password in the database match what they submitted (I already know how to do this part).

if (login correct) {
if (No Cookies) {

//Set session for no cookie user

} else {

//Set session for cookie user

}
} else {

//If they don't pass then print HTML Login form again and exit.

}

} else if (!$Authorized) {

//Print HTML Login Form
exit;

}

If someone could help me fill in all the blanks I would greatly appreciate it.

Anon

If you're using sessions, you shouldn't need to distinguish between those with and those without cookies.

---------8<-------auth.inc.php--------
<?php
session_start(); // Optional - session_register() will do this if it hasn't been done already.
session_register('variable1','variable2'); //Basically, all the stuff you want stored during the session.

//Your login checking stuff...

if(!logged_in)
{
header('Location:...'); // Bounce them back to the login page
exit(); //If their browser can't/won't handle server redirects, we don't want them falling through...
}

?>

interim: If the file is called "auth.inc" and I ask for it from my browser, I'll get the source code. You don't want me getting the source code :-). Calling it "auth.inc.php" means PHP will parse and execute it first. (And bounce me to the login page!)

Now, about the cookies/no cookies bit. If they do not have cookies enabled, their session ID has to be passed around some other way with each request they make. This is done by sticking it in each URL - every URL in fact to a page where the session data is needed; every page, in short.

If your build of PHP was compiled with --enable-trans-sid (and phpinfo() will be able to tell you in the "standard" section), then you don't need to read any further.

If it wasn't, then each internal link will need to have the session ID appended to it manually: "mypage.php" becoming "mypage.php?<?php=SID?>" and "gallery.php?pic=4" becoming "gallery.php?pic=4&<?php=SID?>".
Tedious, I know from experience 🙂

Hope this has been of some use to you.

Anon

Hayley, Thanks this is what I came up with before reading your reply. I will look at your reply some more and see if I can make some improvements.
<?php

session_start();

if ($logOut) {
unset($_SESSION);
session_destroy();
echo "You have Logged out!<br>";
echo "<a href="index.php">Return to the site</a>";
exit;
}

if (isset($PHP_AUTH_USER)) {

// If non-empty, check the database for matches
// connect to MySQL

$db = mysql_connect("localhost", "username", "password");

mysql_select_db("addressbook",$db);

// Formulate the query

$sql = "SELECT * FROM address WHERE email='$PHP_AUTH_USER' and password='$PHP_AUTH_PW'";

// Execute the query and put results in $result

$result = mysql_query($sql);
$myrow = mysql_fetch_array($result);

// Get number of rows in $result. 0 if invalid, 1 if valid.

$num = mysql_numrows($result);

if ($num != "0") {
session_start();
$_SESSION["userid"] = $myrow["id"];

//echo "$_SESSION[userid]";

//set cookie

} else {

$errorMsg = "<center>n<font color=red>Your user name or password was incorrect.<br><br>n";
include("login.inc");
exit;

}

if (!isset($_SESSION["userid"])) {

$errorMsg = "";
include("login.inc");
exit;

}

Anon

I took care of .inc files being served by adding the following to my apache config file.

<Files ~ ".inc$">
Order allow,deny
Deny from all
</Files>