Been working on building my own authentication system for a couple of days now. Have not done a lot of coding in the past few months, so am a touch rusty; anyhow, this project is a good refresher course.
OK, this system uses sessions, and that is one thing I wanted to talk about. First the code:
memberarea.php
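    <?php
    session_start();
    include("functions.php");
    // $username and $passwd arrive as globals, from the login form or from the registered session
    if ($username > "" || $passwd > "")
    {
        db_connect();
        // Look for a row matching the supplied username and password
        $result = mysql_query("select * from table where username = '$username' and passwd = '$passwd'");
        $num_rows = mysql_num_rows($result);
        if ($num_rows == 0)
        {
            echo "bad login!!!";
            exit;
        }
        else
        {
            // Keep both values in the session so they are re-checked on every page load
            session_register("username", "passwd");
        }
    }
    else
    {
        echo "exiting, bad login!!";
        exit;
    }
    ?>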
The above is the beginning of the protected page (memberarea.php). Now I have registered the session based on the variables passed from the login form; they are compared with the dbase, so I know they are correct and nobody is accessing the page unless they provide the right details.
All is well so far, and the members page has a few links that pull include pages into the memberarea.php page. However, the dilemma is with one of the include pages: the change password option. I'll list its code here.
*This is the code after the form has been submitted
changepass_inc.php
    if ($action == "changepass")
    {
        // At least one of the two new-password fields was filled in
        if ($newpass1 > "" || $newpass2 > "")
        {
            if ($newpass1 == $newpass2)
            {
                if (strlen($newpass1) < 6 || strlen($newpass1) > 16)
                {
                    echo "Your password must be between 6 and 16 characters long!";
                }
                else
                {
                    echo "updating database.....";
                    db_connect();
                    // Store the new password; the session still holds the old $passwd
                    $mysql_query = "UPDATE table SET passwd = '$newpass1' WHERE username = '$username'";
                    mysql_query($mysql_query);
                    echo "Database updated";
                }
            }
            else
            {
                echo "Your passwords do not match";
            }
        }
    }
Ok, say the user successfully updates his/her password: we run into a session issue. Because the first session set is based on the original login, it is now void because it doesn't match with the database, so if the user now clicks on another link in the restricted area he/she gets a "bad login" error. The only way the user can re-login is to close the browser and open it again and re-login.
Initially when the first session is set it is compared with the database but the vars coming from the login post are what is being used. Naturally first thoughts are to destroy the session and set a new one based on the new password that would be retrieved from the database. WDYT
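One way to avoid the problem described in the post, as an added example that is not part of the original post: verify the password once at login, store only the user's id in the session, and have protected pages test for that id, so a password change no longer invalidates the session. The `members` table, its `passwd_hash` column, the function names and the in-memory SQLite data are assumptions made for the demo; it uses PDO prepared statements and `password_hash()` instead of the `mysql_*` calls and plain-text passwords above.

```php
<?php
// Added example, not the poster's code. Table and column names are assumptions.
// Constructed in-memory SQLite data so the script runs stand-alone (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, passwd_hash TEXT)');
$db->prepare('INSERT INTO members (username, passwd_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('oldsecret', PASSWORD_DEFAULT)]);

// Verify the credentials once, at login, then keep only the user id in the session.
function login(PDO $db, string $username, string $passwd): bool {
    $stmt = $db->prepare('SELECT id, passwd_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($passwd, $row['passwd_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id at login
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Protected pages test for a logged-in user id; they never re-check the password.
function is_logged_in(): bool {
    return isset($_SESSION['user_id']);
}

// Same validation rules as changepass_inc.php; the session holds no password to go stale.
function change_password(PDO $db, string $new1, string $new2): string {
    if (!is_logged_in()) { return 'not logged in'; }
    if ($new1 !== $new2) { return 'Your passwords do not match'; }
    if (strlen($new1) < 6 || strlen($new1) > 16) {
        return 'Your password must be between 6 and 16 characters long!';
    }
    $db->prepare('UPDATE members SET passwd_hash = ? WHERE id = ?')
       ->execute([password_hash($new1, PASSWORD_DEFAULT), $_SESSION['user_id']]);
    session_regenerate_id(true);          // keep the login, rotate the session id
    return 'Database updated';
}

session_start();                          // must run before any output is sent
$first   = login($db, 'alice', 'oldsecret');                  // original login
$changed = change_password($db, 'newsecret1', 'newsecret1');  // password update
$still   = is_logged_in();                                    // session survives the change
$old     = login($db, 'alice', 'oldsecret');                  // old password is rejected
var_dump($first, $changed, $still, $old);
```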