User Authentication with Cookies

fred_m_ie

I'm new to user authentication. And I have a few questions as to how best to do it.

What I already have is a user registration form with all the require details - this then goes into a MySQL database after being verified.
I also have a login form which tests if the username and password are correct - at the moment this just returns "Login OK" or "Login Failed".

I know that for "Login OK" I need to write a cookie.

What do I do from here ? This is where I have my problems !

1) How can I securely login the user ?

2) How do I redirect the user to the main members page ?

3) How can you load the members details and preferences into that main members page ?

4) Should you use sessions ? If so is there a good beginners guide to using these.

5) Would .htaccess type login be more secure or easier to implement ?

If anyone can answer any of the above questions I would be very appreciative !
Thanks
Fred

smo

To me your 4th point is the correct one. While writing session store the user-id in session and read the id in every page and you can show a welcome message to the visitor ( as welcome alex ),
To check the status you can use
if(isset($session[userid])){echo “welcome $session[userid]”;}
else { echo “Sorry , you must login to use this page”; exit }

So only login users and see the content of the page. Below the welcome message you can show the member area link and logout link.

fred_m_ie

Many thanks for your reply !

How exactly do you setup this $session[userid]
is $session a PHP variable ?

Is this $session automatically maintained by PHP or should you be querying a database to get the userid.

Any info on beginners usage of this $session would be appreciated.

Fred

Mordecai

Originally posted by smo
To check the status you can use
if(isset($session[userid])){echo “welcome $session[userid]”;}
else { echo “Sorry , you must login to use this page”; exit }

Few errors here. Namely, $session won't be set. You're probably looking for $_SESSION. Then we've got the array with undefined constants (userid), I'm sure you mean 'userid'. Then we've got an array inside quotes. Very bad idea, probably should concatenate it with the string: "string".$array['key']. And, last but not least, a missing semicolon after exit.

fred_m_ie: take a look at the session functions, namely session_start(). After that, it's a breeze.

smo

This is how I am checking the member table and creating the sessions

if($rec=mysql_fetch_array(mysql_query("SELECT * FROM member_table WHERE member_table.urser_id='$urser_id' AND pw = '$pw'"))){

if(($rec['urser_id']==$urser_id)&&($rec['pw']==$pw)){

///Member checking is over and now sessions has to be registered
$session['id']=session_id();
$session['urser_id']=$urser_id;
$session['pw']=$pw;
$session['name']=$rec['name']; // storing name in the session variable to read in different pages
}}
Welcome $session[name]

in each file at the top you have to add these two lines

session_start();
session_register("session");
then all session variables will be available for checking

You can check the presence of session variables and accordingly act

fred_m_ie

Thanks to Everyone for their replies - I got it working with your help.
Just one vwey quick question.

I got the session id using session_id() and placed it in a variable called $SessID and then appended it onto the redirected url in the header (Location: index.php?SessID=......) - but when I click a link to another php file the session ID disappears from the url - is the session still maintained. I have placed session_start() in the top of the destination script.

Thanks
Fred

BuzzLY

You don't have to append the session ID to your url. This will happen automatically. If you have cookies enabled, the id will not appear in the URL. If cookies are not enabled, then the session ID needs to be passed through the URL, and PHP automatically appends the session ID to each link on your page.

At least, that's how it's supposed to happen. Sometimes the session ID appears anyway, but 99% of the time that's how it works.