any PHP guru that could help me out within 2 hours...

mackoy

help... anyone who cuold simplify the explanation of session variables and cookies... especially their great use with log in... a have a project that i should finish in about two hours... anyone... please help...

eoghain

Cookie: a piece of data that is stored on the clients computer and managed by their web browser.

Session Variable: a piece of data that is stored on the server and managed by your php code.

PHP, usually, puts a cookie on the clients machine representing the session id that it is using internally to store the users session variables. The cookie that php puts only exists as long as the browser is open. It will also expire after some point of inactivity, not on the client side but on the server side.

Session variables are usually used for tracking a users login status because they can store information safely on the server where the user can't get to them and mess things up or use the information to attack you system.

mackoy

tenkz...

can i ask another question... sorry for the trouble... i'm still a newbie on php...

i'm currently working on a project... it's somewhat like a simple newsletter... no members... just an adminmistrator... there are pages that are exclusively for admin...

do i need to add a table for the admin info?
which one is more preferable to use... cookies or session var?

i'm having a hard time on starting the part for the log-in... that's the only part left for me...

your great help will be appreciated... tenkz again...

MrAlaska

If rapid development is your primary objective, I would do everything with $_SESSION vars and let PHP worry about cookies unless you want to plant some persistent data on the client.

For basic functionality, the only thing you would need to store in the admin table would be the data needed to log in such as user-name and password which you would validate against, then set a $_SESSION variable indicating status.

On top of each page you would check the $_SESSION variable and if it does not exist do not show the page.

session_start();
// establish the $user_id variable
if(isset ($_SESSION['user_id'])){
	$user_id=$_SESSION['user_id'];
} elseif(isset ($HTTP_SESSION_VARS['user_id'])){
	$user_id=$HTTP_SESSION_VARS['user_id'];
} else $user_id="";

if ($user_id=="") {
    // Do not show page
} else {
    // Show the page
}

Here is an example of a login page I made when I was checking out $_SESSION's, but I abandoned the project in the early stages in favor of managing my own sessions. You might be able to modify it, or get an idea of an approach:

<?php
session_start();

// initialize the variables
if (!empty($_POST)) {
	$submit=$_POST['submit'];
	$user_name=$_POST['user_name'];
	$pass=$_POST['pass'];
} elseif (!empty($HTTP_POST_VARS)) {
	$submit=$HTTP_POST_VARS['submit'];
	$user_name=$HTTP_POST_VARS['user_name'];
	$pass=$HTTP_POST_VARS['pass'];
} else {
	$user_name="";
	$pass="";
}

// see if they are trying to log in
if (isset ($submit)) {
	// check submitted data against database
	$sql="select user_id from user where user_name='".
		$user_name."' and pass = '".crypt ($pass, $user_name)."'";
	$result=mysql_query($sql);
    //[EDIT]a mysql link will need to be established to make this work
	if ($row=mysql_fetch_array($result, MYSQL_ASSOC)){
		$user_id=$row['user_id'];
		if (isset($_SESSION)) {
			$_SESSION['user_id']=$user_id;
		} else {
			$HTTP_SESSION_VARS['user_id']=$user_id;
		}
		// collect unique data to protect the session
		$env_array= user_env();
		foreach ($env_array as $key=>$val) {
			if(!empty($_SESSION)) {
				$_SESSION[$key] = $val;
			} else {
				$HTTP_SESSION_VARS[$key] = $val;
			}
		}
	} else $errmsg.="Invalid login information entered<br>";
}

if (isset($submit) && $errmsg=="") {
	include_once 'welcome.php';
} else {
	//display the form
	?>
	<?php if(isset($errmsg)) echo $errmsg; ?>
	<form method='post' action='index.php'>
		<input type='hidden' name='page' value='login'>
		<table><tr><th colspan='2'>Log In</th></tr>
			<tr><td>USER NAME</td>
				<td><input name='user_name'></td></tr>
			<tr><td>PASSWORD</td>
				<td><input type='password' name='pass'>
				</td></tr>
			<tr><td align='center' colspan='2'>
					<input type=submit name='submit' value='Log In'>
				</td></tr>
		</table>
	</form>
	Not a member? NO PROBLEM! Just
	<a href='index.php?page=signup'>
		CLICK HERE!</a>
<?php } ?>

Be advised, there is no real security and nothing to prevent hi-jacking with sessions, you need to code that in yourself.

mackoy

tenkz...

the code you gave me would be a great help for my project... and my fellow classmates appreciate the help...

uhm... while waiting for a reply... i had the idea of just hiding the pages for the admin... meaning i will just show/link the pages that are for the users... and for the admin to access the pages made especially for him... he should login...

i made a page for logging in... so meaning for every page especially made for the admin the checking of the session var at every top/start of the page should be present... am i right?

haven't slept that's why my mind's not working quite properly...

=Þ

again tenkz for the help...

MrAlaska

Yes, it is a nice touch to hide admin links from users. If you only have one admin you can use his ID to check against, or you can register a user level of 'admin' when he logs in so you can check for multiple admins then display the links if it is there.

Every page that requires a login needs to check for the proper session variable at the top of the page whether it is hidden or not.

mackoy

uhm...

what are the important variables do i need to change from the code you gave...

so i need to create a table with user_name, pass and user_id...

user_id is encrypted... right?

another thing i t became a habit of mine to put the form in a different page from the where the sql statements are executed...

qould you be so kind to help me in chopping the code you just handed me down...

still werkin on it...

tenk... again...

MrAlaska

User id is self generated and NOT encrypted, you NEED that l

This is the table I was using for that script:

CREATE TABLE user (
user_id mediumint zerofill NOT NULL default 0 auto_increment,
user_name varchar(20) NOT NULL default '',
pass varchar(30) NOT NULL default '',
email varchar(70) NOT NULL default '',
created datetime NOT NULL default '',
UNIQUE KEY (user_name),
PRIMARY KEY (user_id)
)
;

I was encrypting the password, but you might want to remove that to make it easier get the page working and just compare against password. I have no idea why you would want to have the page split into two, but this page is set up to be self posting. You could cut out the HTML portion and bring it in via an include directive in the case of an error, I suppose, but yer on yer own on that one.

THis page was also set up to post to a template named index.php. You need to change the action attribute or remove it entirely to make the page post without the template, either that or adapt from the template I used:

index.php

<?php
session_start();

// gather the $page variable
// however it might be arriving
if (isset($_POST['page'])) {
	$page=$_POST['page'];
} elseif (isset($HTTP_POST_VARS['page'])) {
	$page=$HTTP_POST_VARS['page'];
} elseif (isset($_GET['page'])) {
	$page=$_GET['page'];
} elseif (isset($HTTP_GET_VARS['page'])) {
	$page=$HTTP_GET_VARS['page'];
} else $page="welcome.php";

// assign all the extensions that might be included
$extension=array(".php",".htm",".html",".txt");
if (in_array (strrchr($page,"."), $extension) ) {
	// make sure page is in local directory path
	$include="./".$page;
} else $include="./".$page.".php"; // attach extension

// display the page
?>
<html><head><title>Template</title></head>
<body>
<center>
<table border='1' cellpadding='5'>
	<tr><td colspan='2' align='center'>HEADER AREA</td></tr>
	<tr><td>SIDE BAR</td>
		<td><!-- MAIN CONTENT AREA -->
		<?php if(!@include("$include")){include("./welcome.php");}?>
		</td>
	</tr>
	<tr><td colspan='2' align='center'>FOOTER AREA</td></tr>
</center>
</body>
</html>

mackoy

i tried to use the log in code that you had given me... without any change since that i will be createing a table adjusted to the variables that are existing in the code...

he gave me a warning....

Warning: Cannot send session cache limiter - headers already sent (output started at D:\cmsc140\mackoy\project\admin\loginheader.txt:9) in D:\cmsc140\mackoy\project\admin\login.php on line 33

how about the logoff? how do i terminate the session?

tenk...

mackoy

uhm...

i only have one admin...

what would be the fields in the table that i will be creating...

user_id, user_name, pass

how do i get the value for the user_id?

is the user_id just an INT auto incremented and the primary key?

MrAlaska

If you used teh page I gave you without any changes and got the 'headers sent' warning, it means you have white space or something before or after the <?php ?> tags.

I already gave you the code I used to create the table.

To log them off set the $_SESSION variable to nothing.

mackoy

okies... sorry about that... haven't had any sleep yet...

uhm... you've given me three codes...

an snippet of for the checking of the session for every page that is to be access by the admin...

the code for loggin-in...

the third is a template for?

tenks...

MrAlaska

The template is just the one I was using when I was playing with sessions. Using it or any template is optional. The code I gave you for logging in posts to the template, but you can change the action attribute to make it post to itself with no problem, or shouldn't be anyway. I hacked it up a little before I posted it also because I was including a functions page in my version. I gave it to you for demonstration purposes, it was not intended to be usable or even used. I thought you could get the ideas or incorporate the methods in what you had built already.

MrAlaska

I just had a thought. If you use the pages I gave you as is it probably will generate a 'headers sent' warning because I am calling session_start() in both of them. You can get around that by removing session_start() from the index page, or changing session_start() on the login page to something like:

if (!isset($_SESSIO)) session_start();

mackoy

ei... tenk for the help...

got disconnected by my admin earlier... had to close down the lab...

anyweyz... tenkz for the help.. i'll be finishing it when i return back to skol... had to go home and rest...

tenk....