Confusion About Sessions

klycette

My account page currently looks at what was passed to it from the login page and acts accordingly. If the user entered both a username and password, and they match something in the database, they get content specific to their account. However, if they make a mistake or the input doesn't match, they get error messages and the script ends.

I understand that if the user succeeds in gaining access to their account, I should register their username as a session variable. I also understand that I can use session_is_registered to make sure that the session is registered and this keeps people from just bookmarking their account page.

What I'm confused about is the order that this all occurs. If I check to see if the session is registered later in the script, the earlier errors about not entering a username, etc will be thrown. If I check to see if the session is registered early in the script, it doesn't give a chance for the variables to be created assuming the login was going to succeed.

Does this make sense to anyone?

leatherback

Hi,

Here goes:

You have your <?php tag.

First thing then: session_start() to get the session going.

After that you check wether a user is logged in. you could do this through the session_is_restired option. If the user is regitered, you grab the info needed. Else you don't.

To avoid writing the same code too foten, I have written an include for my pages:

session_start(); 

if (!$_SESSION['displayname'])  

   { 
   $location = "userlogin.php";
   header("location: ".$location);  

   }  

else
   {
   require(/includes/settings.php");   

            session_register(includepath);
            session_register(pathfromroot);
   }

which I include in each file at the top, and performes the login check for me. Since in the userlogin the user is defined, I kow their details are registered if he is logged in.

klycette

Right now I have individual checks to see if they entered their username and password and they'll get an error if they miss either. I don't want the user to see these errors if they didn't even try to go through the login page, I just want them to see an error about having to log in. I'm just having trouble figuring out how to accomplish this.

I suppose that I could just not bother to see if they entered their username and password and just throw one simple error if the session doesn't get registered, no matter the reason. What do you think?

leatherback

Hi,

You can still do it the way you want:

You register a session. You check for the username to be present. If not, you load the default page. If it is, you use the userdefined page. No Problem. If theuser tries to acces info which can only be accessed by registered users, you redirect them:

session_start();  

if (!$_SESSION['displayname'])   

  {  

   if(Page_Requires_Login)
     {
     $location = "userlogin.php"; 
     header("location: ".$location);   

     }
   else
     {
//    load default page 
     }
  }
else
  {
//   load page for registered users
   }

Just make sure this check is done beofre anything gets send to the browser.

leatherback

userlogin.php (With my database specific details, like columnames, edited!:

<?php
session_start();

   require("settings.php");   

   if(session_is_registered('displayname'))     

     {
     header("Location: index.php"); 
     } 
     else
     {

   require($databasesettings);
        mysql_connect($db_host, $db_user, $db_password)
           or die ("<b>Couldn't connect to server</b>");
        mysql_select_db($db_name)
           or die ("<b>Error, no database</b>");

$username = $_POST['username'];
$password = $_POST['password'];

                                //****** Form has been submitted, check details ******

 $result =@ mysql_query("Select * from *usertable* where (*user*= '$username') and (*passw*= '$password')");
 $NumRows =@ mysql_numRows($result);

 if ($NumRows > 0)                        // ****** Details are correct ******
    {
    while($row =@ mysql_fetch_array($result))
       {
         $displayname = $row[*namecolum*]; 
         session_register(displayname);
         session_register(slevel);
         session_register(includepath);
         session_register(pathfromroot);
        }


         $body = "
         <html><head></head><body>
         Thank you for logging in. $header <br>Please 
         <a href=\"".$HTTP_SESSION_VARS['lastpage']."\">click here</a> to go to the page you came from
         </body></html>
         ";

    }
 else                                    
    {
    if (!isset($one))                            //****** Form has not been submitted ********
      {
      $body = "Please login using username & password:<br><form action = \"userlogin.php\" method=\"post\">
       Username: <input type=\"textbox\" name=\"username\">
       Password: <input type=\"textbox\" name=\"password\">
       <input type=\"hidden\" name=\"one\" value=\"1\">
       <input type =\"submit\" value=\"inloggen\">
       </form>";
      }
    else
      {
       $body = "Unfortunately, this combination is not correct. Please try again, or contact the system administrator.<br>
       <form action = \"userlogin.php\" method=\"post\">
       Username:  <input type=\"textbox\" name=\"username\">
       Password: <input type=\"textbox\" name=\"password\">
       <input type=\"hidden\" name=\"one\" value=\"1\">
       <input type =\"submit\" value=\"inloggen\">
       </form>";
      }
    }
    }
    echo "<html><body>";
    echo $body;
    echo "</body></html>";

Hope that helps

klycette

A little over my head for the most part, but I'll muddle my was through it...lol

In the meantime, I figure as long as I get the session registered and they get an appropriate error message that's helpful to them, then I should be fine, at least for now.