Hello all.

Is there any walkthrough that will provide me with user authentication without using cookies? These are some of the things that I need to do with my website:

  1. User Authentication (login & password) that would be carried over to the entire website to open exclusive functionalities.
  2. Being able to request revalidation even if the Session ID is bookmarked

-or-

  1. Being able to hide the Session ID so that it couldn't be bookmarked.

I tested constructing sessions that expire after 1 minute, but for some reason, the records are retained even if the user has closed the browser already and has bookmarked the page (or has retained a copy of the Session ID from the cache history).

As much as possible, I'm trying to avoid cookies because the assumption that I have for my audience is that they know nothing about how to accept cookies if ever cookies are restricted.

Please help. I've been trying to look for topics online to help me, but each time, I end up facing a brick wall... 🙁
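Two of the points in the question (keeping the session ID somewhere it cannot be bookmarked, and a 1-minute expiry that never seems to take effect) come down to session configuration rather than to the login code. Below is an added example, not code from this thread or from any poster, of a bootstrap file to include at the top of every page before any output. It assumes PHP 7.4+ and HTTPS; the constants and function names are this example's own. The URL form of the session ID (`?PHPSESSID=...`) is the one that lands in bookmarks and history, so the example pins the ID to a cookie; and because PHP's garbage collector only runs on a random fraction of requests, the example enforces the timeout itself instead of relying on `session.gc_maxlifetime`.

```php
<?php
// Added example, not code from the thread: a session bootstrap to include at the top of every
// page, before any output. Assumes PHP 7.4+ and HTTPS. All names below are this example's own.
declare(strict_types=1);

const IDLE_TIMEOUT     = 60;       // seconds of inactivity before the session is thrown away
const ABSOLUTE_TIMEOUT = 8 * 3600; // hard cap on session age, regardless of activity

function start_secure_session(): void
{
    // The session ID travels only in a cookie: the URL form (PHPSESSID=...) is what ends up in
    // bookmarks, browser history, Referer headers and proxy logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Accept only IDs this server issued; an ID pasted from a link or bookmark that no longer
    // exists server-side gets a fresh empty session instead of being adopted as-is.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // cookie is discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // HTTPS only; set to false only on a local http:// development box
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    // gc_maxlifetime alone is not an expiry: the garbage collector runs with probability
    // gc_probability/gc_divisor per request, so a session past its lifetime can stay usable on
    // disk for a long time. Record timestamps and enforce the limits on every request instead.
    $idle = isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > IDLE_TIMEOUT;
    $old  = isset($_SESSION['created']) && $now - $_SESSION['created'] > ABSOLUTE_TIMEOUT;
    if ($idle || $old) {
        $_SESSION = [];               // drop everything, including any login state
        session_regenerate_id(true);  // new ID for the browser; the old one is deleted server-side
    }
    $_SESSION['created'] ??= $now;
    $_SESSION['last_activity'] = $now;
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser too, not only the data on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

start_secure_session();
```

A protected page then starts with `require 'session_bootstrap.php';` (a hypothetical file name for this block) and checks `is_logged_in()`, redirecting and calling `exit` when it returns false. With the ID confined to a session cookie there is nothing session-related in the URL for a bookmark to capture, which is the tradeoff behind the question: a cookieless session has to carry the ID in the URL, and a URL is exactly what bookmarks and history store.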

    Hey there. I recently, actually within the past minutes, finished a script that authenticates a user/password and carries the session across multiple pages. I'm not sure what you mean by that second request because I'm still relatively new to PHP. This script does, however, still work. Also, it's probably not the most secure way, but here it is:

    protected.php
    <?php
    session_name("userinfo"); //Place this and the next line on EVERY single page, including the index.php or whatever your main one is
    session_start();
    if (isset($_SESSION['user'])) {
        // YOUR CODE HERE IF THEY'RE LOGGED IN
    }
    else
    {
        header ("Location: login.php"); //If they're not redirect them here
        exit; //header() does not stop the script, so stop it here or the rest of the page is still sent
    }
    ?>

    login.php
    <?php
    session_name("userinfo");
    session_start();
    if (empty($_SESSION['user'])) {
        if (isset($_POST['submit']))
        {
            $user = $_POST['username'];
            $passwd = $_POST['password'];
            $host = "localhost";
            $usrname = "**"; ///MySQL Database username
            $password = "**"; ///MySQL Database password
            $connect = mysqli_connect($host, $usrname, $password, "**") ///Last argument: MySQL database name
                or die("Could not connect to MySQL!");
            ///Members=Members table, usname=Username row, pword=Password row
            ///The ? placeholders are bound below, so quotes typed into the form can't change the query
            $sql = "select * from members where usname = ? and pword = ?";
            $stmt = mysqli_prepare($connect, $sql) or die("Query failed");
            mysqli_stmt_bind_param($stmt, "ss", $user, $passwd);
            mysqli_stmt_execute($stmt) or die("Query failed");
            mysqli_stmt_store_result($stmt);
            if (mysqli_stmt_num_rows($stmt) > 0) {
                $_SESSION['user'] = $user;
                header("Location: protected.php"); ///We have a match, so redirect
                exit;
            }
            else
            {
                // INCORRECT SO DISPLAY LOGIN INFO/FORM
            }
        }
        else ///They haven't filled & submitted form, so display login info
        {
            // LOGIN INFO/FORM
        }
    }
    else ///They're already logged in, so redirect back
    {
        header("Location: protected.php");
        exit;
    }
    ?>

    Again, this is probably not the most secure/efficient way, but as long as you don't care about that hundredth of a second and aren't working for a top-secret site, it should do. If you have any questions, just PM me.

      Hehehe well like I said it's probably not the most efficient or easiest since I'm still new, but hey, it works for me 🆒

        Thanks, guys.

        Actually, ScubaKing, the second instruction merely prohibits the user from bookmarking an authenticated page and using the bookmarked session ID to view the page he bookmarked with his login and password logged in. This is dangerous because the login can be used by another person to view protected content.

        Any thoughts?

          Here, visit this page. It will have 21 tutorials on user authentication.

          -Blake

            OK, now I see what you mean. So basically what you want is to have bookmarking disallowed for a protected page? If so, one way would be to use JavaScript for a page with no toolbars. If the user doesn't know about Ctrl+D or whatever, then that would work. Other than that I don't have any ideas, but JavaScript is one possibility.

              Thanks batman, I'll check it out.

              ScubaKing, it's not a matter of removing the bookmarking feature. What I want done is for the user to have the ability to bookmark, but not have the ability to bookmark a session. If a session is bookmarked, the session must be verified first before it is used in the system.

                Sorry to butt in, but I just got finished doing the exact thing you're looking for 😉

                Basically what I did was:

                When the user logs in, it stores a bunch of session variables with information gathered from the database:
                - "logged_id" = The userid (in my database) of the user.
                - "logged_name" = The username they are logged in as.
                - "logged_pass" = The md5 encrypted password for the user.
                - "logged_in" = A flag. Either "yes" or "no".

                Now, say someone logs in successfully and then visits a page that will have different content based on whether or not they are logged in:

                private.php:

                <?php
                session_start();

                /*  DATABASE VARIABLES  */

                $db = array (
                    "server" => "localhost",
                    "username" => "username",
                    "pass" => "password",
                    "db" => "database_name"
                );

                $dbconnect = mysqli_connect($db["server"], $db["username"], $db["pass"], $db["db"]);

                /* Check to see if user has a session active.
                   If so, double check the registered session variables against the database, cuz I'm paranoid. ;) */
                if (isset($_SESSION["logged_in"]) && $_SESSION["logged_in"] == "yes") {
                    /* Bind the session values as parameters instead of pasting them into the SQL string */
                    $query = "select * from users where username = ? && password = ?";
                    $stmt = mysqli_prepare($dbconnect, $query);
                    mysqli_stmt_bind_param($stmt, "ss", $_SESSION["logged_name"], $_SESSION["logged_pass"]);
                    mysqli_stmt_execute($stmt);
                    mysqli_stmt_store_result($stmt);
                    $valid_user = mysqli_stmt_num_rows($stmt);
                    if ($valid_user != 1) {
                        /* User has a session set, but the information stored in it does not match with the database.
                           Probably a lame hacking attempt. Give em the "not logged in" content. */
                    } else {
                        /* User has a session set and the information stored within it DOES match the database.
                           This is a valid user. Give them the content valid users should see. */
                    }
                } else {
                    /* User does not have a session established. Show them the "not logged in" content and/or a login form. */
                }

                In the above example, one script can show two completely different results. This way if a valid user (one who has a session active) bookmarks the page, the next time they visit that page it will check for the valid session again. If the user has closed their browser since the bookmarking, the session has been destroyed and the page will display the "not logged in" content.

                Hope this makes it clear. If not, feel free to email me with any questions: talon@thehellofit.com

                Edited for formatting to prevent H-Scroll.
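The pattern Talon describes (bind the session to a database row at login, then re-check that row on every protected request) is the right one; below is an added example of it, not Talon's code, written with mysqli prepared statements and `password_hash()`. It assumes `session_start()` has already run, a `users` table with columns `id`, `username` and `password_hash` (a `password_hash()` string), and placeholder connection details; every function name is this example's own. Two details go beyond the post: the session ID is regenerated at the moment of login, so an ID that was already in a bookmark or history before login never becomes an authenticated one, and the session carries a tag derived from the stored hash rather than the password itself, so changing the password invalidates every older session on its next request.

```php
<?php
// Added example, not Talon's code: login and per-request revalidation with mysqli prepared
// statements and password_hash(). Assumes session_start() has already run and a `users` table
// with columns id, username, password_hash. Connection details are placeholders.
declare(strict_types=1);

function db(): mysqli
{
    static $conn = null;
    if ($conn === null) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
        $conn = new mysqli('localhost', 'db_user', 'db_password', 'database_name'); // placeholders
    }
    return $conn;
}

/** Verify a username/password pair. Returns the user row or null; no session side effects. */
function authenticate(string $username, string $password): ?array
{
    $stmt = db()->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

/** On success, bind the session to the user. */
function login(string $username, string $password): bool
{
    $user = authenticate($username, $password);
    if ($user === null) {
        return false;
    }
    // Issue a new session ID at login. Whatever ID the browser carried before (from a bookmark,
    // the history, or a link handed to the user) never turns into a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $user['id'];
    // A tag of the stored hash, not the password: after a password change every session
    // carrying the old tag fails revalidation on its next request.
    $_SESSION['cred_tag'] = hash('sha256', $user['password_hash']);
    return true;
}

/** Talon's "double check against the database" step, run on every request to a protected page. */
function current_user(): ?array
{
    if (!isset($_SESSION['user_id'], $_SESSION['cred_tag'])) {
        return null;
    }
    $id   = (int) $_SESSION['user_id'];
    $stmt = db()->prepare('SELECT id, username, password_hash FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !hash_equals($_SESSION['cred_tag'], hash('sha256', $row['password_hash']))) {
        // User deleted or password changed since login: the session is stale, treat as logged out.
        $_SESSION = [];
        session_regenerate_id(true);
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

/** Gate for a protected page: returns the user, or redirects and stops. */
function require_login(string $login_url = 'login.php'): array
{
    $user = current_user();
    if ($user === null) {
        header('Location: ' . $login_url, true, 303);
        exit; // header() alone does not stop the script; the protected markup would still be sent
    }
    return $user;
}

// login.php would handle the submitted form roughly like this:
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && login((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
//     header('Location: protected.php', true, 303);
//     exit;
// }
// and protected.php starts with:  $user = require_login();
```

Against the bookmarking concern in the thread: a bookmarked protected page only ever reaches `require_login()`, which trusts nothing in the URL and nothing in the session that the database does not still confirm; if the browser was closed and the session cookie is gone, `current_user()` returns null and the visitor lands on the login form.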

                  Thanks Talon, I'll check your code out... 🙂 I'll also inform you about any concerns on the code. Do you mind if I email you for concerns?
