Trying to get an idea

Tewl

I've made a login script, but im trying to figure out how i would tell if a member is logged in or not. I cant seem to figure out how I would do that. Does anyone have any suggestions?

IceD

Keep name and password in the session...

MrAlaska

There might be a way to access the information through Php's $_SESSION files, I don't know about that.

I would construct a table or file to store them in when they log in, much as if you were managing your own sessions. I think a table would be easier to maintain than a file. The table would have a 'first_seen' and 'last_seen' column that you would update every time the user requested a page, then if 'last_seen' is x bigger than 'first_seen' you would delete the record.

After you get that table working, you are a cookie and a URL insertion away from managing your own sessions and getting rid of PhP $_SESSION's altogether.

IceD

To MrAlaska:
Why do we need to invent the basicle? Standard PHP sessions works well...

MrAlaska

Originally posted by IceD
To MrAlaska:
Why do we need to invent the basicle? Standard PHP sessions works well...

Not as well as managing your own. In this case, how would you go about generating a list of users online? To parse through the $_SESSION files would seem to be more trouble to me than building and maintaining your own table.

Building to your own site's needs can be more efficient and scalable. PHP borrowed much of their own $SESSION's methodology from PHP_LIB, which was a session package often used before PHP had a $SESSION array. $_SESSION's give you some tools that aid in rapid development, but managing your own is often worth the extra effort.

IceD

In any case I suggest to use standard PHP session mechanism (session_start, session_register etc.) with your own handler functions.

MrAlaska

Originally posted by IceD
In any case I suggest to use standard PHP session mechanism (session_start, session_register etc.) with your own handler functions.

If you decide to use $SESSION, session_register is not recommended. The proper and safe way to access and declare your variables is through the $SESSION array. An example is given at the PHP site:

http://www.php.net/manual/en/function.session-register.php

IceD

I don't recommend you to use $SESSION array at all, because of comaptibility issues. There is PHP4.0.6- (not +) installed on almost every host. I'm using following code:

function _session_set($name, $value)
{
    global $HTTP_SESSION_VARS;
    $HTTP_SESSION_VARS[$name] = $value;
    global $$name;
    $$name = $value;
    session_register($name);
}

This code will work on every host... 😉

MrAlaska

It won't always work on every host. Since HTTPVARS is deprecated, there might come a time when youre code breaks if you do not use $_. I keep mine portable using IF conditions.

Declaring variables when the page opens is good practice. In the case of $_SESSION:

if (!empty($_SESSION)) {
//collect session variables
}
elseif(!empty($HTTP_SESSION_VARS)) {
//collect the variables
}
else {
// set the variables to ""
}

In snippet you posted, what is the point of registering the variable twice? It appears to me you can delete session_register right out of there without affecting functionality at all.

IceD

Yes, you are right with "!empty" (or it should be "!isset"?). But if you remove session_register, it will not work on some configurations (4.0.6- + track_vars off + something else)...
So, what can you say about following code:

global $HTTP_SESSION_VARS;
if (!isset($_SESSION)) 
{
    $_SESSION[$name]_=_$value;
}
elseif(!isset($HTTP_SESSION_VARS))
{
    $HTTP_SESSION_VARS[$name]_=_$value;
}
else
{
____global_$$name;
____$$name_=_$value;
____session_register($name);    

}

netizen

You're confusing the issue.

He merely wants to know how to show the person is logged on. On an individual level, session variables are fine. But if you want to show all users currently "active" you should use a table.

MrAlaska

In the snippet I posted, you need to use !empty because session_start will set the $_SESSION whether it has value or not, and calling for the variables will throw errors if none have been set yet.

I think your latest example is a much better method of assigning the variables, except you need to remove the exclamation points to enable anything to make it into their proper arrays. After that, though, I think HTTP_POST_VARS would always be set via the global call so the code might not ever make it to the else.

I cannot imagine a set-up in which you are unable to set a session variable through session array but session_register would still work, so I will hafta take your word on that one.

You could build its own conditional statement for that occurance.

global $HTTP_SESSION_VARS;
if (isset($_SESSION)) 
{
    $_SESSION[$name] = $value;
}
else
{
    $HTTP_SESSION_VARS[$name] = $value;
}

if (!isset ($HTTP_SESSION_VARS[$name] ))
{
    global $$name;
    $$name = $value;
    session_register($name);    

}

IceD

The situation, where $HTTP_POST_VARS is disabled is very simple: PHP 4.0.6- with track_vars set to off!

I'm going to develop universal class for session variables management...

MrAlaska

Originally posted by netizen
You're confusing the issue.

He merely wants to know how to show the person is logged on. On an individual level, session variables are fine. But if you want to show all users currently "active" you should use a table.

YIKES, for some reason I thought he wanted a list of users online. I either read the question wrong or had it confused with another window.

You are entirely correct about confusing the issue, and I apologize for my contribution.

Sessions are perfectly acceptable and the simplest solution to see if a user is logged in.

Taking some liberties with variable names...

When they log in set a session variable:

session_start();// top of page
// initialize the variables
if (!empty($_POST)) {
	$submit=$_POST['submit'];
	$user_name=$_POST['user_name'];
	$pass=$_POST['pass'];
} elseif (!empty($HTTP_POST_VARS)) {
	$submit=$HTTP_POST_VARS['submit'];
	$user_name=$HTTP_POST_VARS['user_name'];
	$pass=$HTTP_POST_VARS['pass'];
} else {
	$user_name="";
	$pass="";
}

$mysql_link =
	mysql_connect("mysql_host", "mysql_user", "mysql_pass")
	or echo "Connection failed<p />$sql<p />".
	mysql_errno().": ".mysql_error()."<br />";
mysql_select_db("mysql_base")
	or echo "Could not connect to db<p />".
	mysql_errno().": ".mysql_error()."<br />";
$sql="select user_id from user where user_name='".
	$user_name."' and pass = "$pass;
$result=mysql_open($sql);
if ($row=mysql_fetch_array($result, MYSQL_ASSOC)){
	$user_id=$row['user_id'];
	if (isset ($_SESSION)) {
		$_SESSION['user_id']=$user_id;
	} else {
		$HTTP_SESSION_VARS['user_id']=$user_id;
	}
} else $errmsg.="Invalid login information entered<br>";

to see if they are logged in check to see if that variable exists:

if(isset($_SESSION)) {
	if (!isset ($_SESSION['user_id'])) {
		// the user is not valid
	}
} elseif (isset ($HTTP_SESSION_VARS)){
	if (!isset ($HTTP_SESSION_VARS['user_id'])) {
		// the user is not valid
	}
}

djumaka

Hi guys!

The whole problem is so simple, that it doesn't deserve the whole mess you "constructed":

The username or its id is kept in the cookies on the client's browser (setting no time limits tells the browser to destroy the cookie when the user leave the site anyhow).
Then on every page you check whether the cookie exists($HTTP_COOKIE_VARS[] array) and show the user his name(if user's id is saved in the cookie you look for user's name in the corresponding table). That's it. If any problem come up I'm ahead.

Bobby.

MrAlaska

Originally posted by djumaka
Hi guys!

The whole problem is so simple, that it doesn't deserve the whole mess you "constructed":

The username or its id is kept in the cookies on the client's browser (setting no time limits tells the browser to destroy the cookie when the user leave the site anyhow).
Then on every page you check whether the cookie exists($HTTP_COOKIE_VARS[] array) and show the user his name(if user's id is saved in the cookie you look for user's name in the corresponding table). That's it. If any problem come up I'm ahead.

Bobby.

If your method of managing sessions was such a nobrainer, everybody would be doing it. Of course, then you would want to accomodate the growing number of users who have turned cookies off which puts us right back to managing your own sessions which sparked off all the confusion in the first place.

However, bad information does nothing to eliminate confusion either. Session cookies do not get destroyed when the user leaves the site, they get destroyed when all instances of the browser is closed.

MrAlaska

Originally posted by netizen
You're confusing the issue.

He merely wants to know how to show the person is logged on. On an individual level, session variables are fine. But if you want to show all users currently "active" you should use a table.

It was in another post that Tewl meant to make as a response in this one Tewl said he wanted a list of users online, which is why I made the response I did:
http://phpbuilder.com/board/showthread.php?s=&threadid=10213092

IceD

To MrAlaska:
empty vs isset.... I think, whe should use isset instead of empty - imagine the situation, when there are no session variables set at all - both $SESSION and $HTTP_SESSION_VARS will be empty. Also, instead of using mysql functionas after setting session variables we should use custom session functions handlers. In this case we produce better and less buggy code.

To djumaka:
And what if cookies are disabled in client browser?

MrAlaska

Originally posted by IceD To MrAlaska:
empty vs isset.... I think, whe should use isset instead of empty - imagine the situation, when there are no session variables set at all - both $SESSION and $HTTP_SESSION_VARS will be empty. Also, instead of using mysql functionas after setting session variables we should use custom session functions handlers. In this case we produce better and less buggy code.

!empty vs isset. When initializing variables I agree. You MUST use isset in that case.

However, when collecting variables that should already be initialized I want to explicitly assign the variables to nothing if they do not exist, for instance

if (!empty($SESSION)) {
$user_id=$SESSION['id'];
// collect all variables
}
elseif(!empty($HTTP_SESSION_VARS)) {
$user_id=$HTTP_SESSION_VARS['id'];
// collect all variables
}
else {
$user_id="" ;
// set them all to ""
}

[EDIT] in many cases it would make more sense to collect them individually, in which case we would use isset:
if (isset ($SESSION['id'])) $user_id=$SESSION['id'];
elseif(isset($HTTP_SESSION_VARS)) $user_id=$HTTP_SESSION_VARS['id'];
else $user_id="";
[/EDIT]

If we use isset instead of !empty for collecting a group and the $_SESSION variables have not been initialized, it will fall into one of the first if conditions and $user_id will BE nothing instead of being SET to nothing. The difference is subtle and the code will still function, however if you have error_reporting set to E_ALL (which you can do via your code by puting error_reporting(E_ALL) at the beginning of your page) it will throw an undeclared variable notice every time you use $user_id.

When setting them, we need to use isset:

if (isset($SESSION)) {
$SESSION['id']=$row['user_id'];
}
elseif(isset($HTTP_SESSION_VARS)) {
$HTTP_SESSION_VARS['id']=$row['user_id'];
}

The same is true with POST, GET, and all the GLOBAL members. They will be SET but EMPTY until you populate them.

And if track_vars is disabled:
$GLOBALS['HTTP_SESSION_VARS']['id']=$row['id'];
$user_id=$GLOBALS['HTTP_SESSION_VARS']['id'];
should give you access to the arrays so you do not need to use session_register(), but I haven't had time to play with it. That should work even if track_vars AND register_globals is set to 0 which would be a difficult server to work with but might have some performance benifits. I am definately gonna play with that one, thank you for bringing it to my attention. I had never considered the option of track_vars being off.

Regarding mysql functions, in the example I posted, the mysql functions were just an example of how one might validate a member against the database, if I was using native session I would probably also collect and register many of the user variables as $SESSION variables at that point. When using $SESSION you might as well use the features, since you're paying for them anyway. 😃

I do like the function you use to register variables, and the concept of making it server independant appeals to me.

[EDIT AGAIN] I am now building a function simlar to yours to collect my POST and GET variables, so I will not be using !empty in my code anymore[/EDIT AGAIN]

IceD

Finally, we have get how to manage session variables 🙂
The more tricky situations will be with POST/GET/COOKIES - there is very funny thing, called magic quotes. I hate them. Really. Maybe it's usefull when fetching data from HTML forms into the database, but there are a lot of disadvanatges of them:
1. Your hosting provider can have this option turned to "on" or "off"
2. It's really easy to get something like {This is \"quotes\"} instead of {This is "quoted"} - i've seen something like this on sourceforge!
3. Because of 1 and 2 you should write function to getting these variables: see example below for POST (if you need data with quotes, add '!' before get_magic_quotes_gpc and turn stripslahes to addslashes):

function get_post_var($name)
{
    global $HTTP_POST_VARS;

if (isset($HTTP_POST_VARS) && isset($HTTP_POST_VARS[$name]))
    return get_magic_quotes_gpc() ? stripslashes($HTTP_POST_VARS[$name]) : $HTTP_POST_VARS[$name];
if (isset($_POST) && isset($_POST[$name]))
    return get_magic_quotes_gpc() ? stripslashes($_POST[$name] : $_POST[$name]);
global $$name;
if (isset($$name))
    return get_magic_quotes_gpc() ? stripslashes($$name) : $$name;
return null;
}

PS. I love PHP, but can somebody explain me, why there are a lot of trobles in mostly common operations - such as getting user input??? 🙁