Sessions Adivce

tommmmm

Hi there,

I should preface here by saying I know almost nothing about Sessions/Cookies or that sort of thing. I'm building a site that requires users to log in while browsing/editing their settings etc etc.

What I would like is for the user to login and be redirected to their homepage (a url based on their userid) then when they change their settings (a simple html form) their userid will be used to find their settings in the database and modify them (WHERE user=userid sort of thing). Some other information about the user like username would be useful too.

Obviously the whole thing needs to be as secure as possible and the data should not be able to be stolen.

What is the best way to achieve something like this. Should a cookie be set that just has the userid in be set or do I need to use sessions...etc etc

Thanks in advance for the help.

sneakyimp

Well, sessions usually work by storing a session id in a cookie. PHP can take care of a lot of this for you. Is it perfectly secure? that's the topic of much discussion.

You can write your own if you think you can make it perfectly secure (try reading some open source project like phpbb or oscommerce for ideas).

Or you can depend on the built-in session handling functions of php like:
http://php.net/session_start()

ColdFusion

yes, sessions are in their primitive form, like a cookie, but it is the choice of many web applications which require data persistance, so you should be fine using the functions in the above post.

😉

tommmmm

Great I shall begin looking into it. From my primitve understanding when someone logs in you set them a session (unique with a random name) then you can store some variable in that session which can be retrieved at any time during that session.

What happens when the user logs out....remove_session(session_name) or something similar. Also will the session die after a certain time? Can this time be set etc?

Thanks a bunch! 🙂

ColdFusion

The session only lasts as long as the user has the browser window open.... once they close it, all session data is lost...

So, by closing down the browser, they are in effect destroying their session....although it is always a good idea to make them do a propper sign out...

session_destroy() is a function that does exactly that when a user clicks on a sign out link...

more: http://uk2.php.net/session_destroy

sneakyimp

if you want, you can let php take care of the session id. just calling session_start() will put into motion all manner of php functionality for handling sessions. do this:

<?
phpinfo();
?>

take a peek at the session-related settings like enable-trans-sid or session autostart.

for your pages that want to use sessions, you can just do something like this:


<?
// SID is a constant auto-defined in php for me
// it may or may not be set depending on what
// functions you have called, whether cookies are
// on in the user's browser
// and what PHP INI settings are
echo "SID BEFORE SESSION START:" . SID . "<br>";
session_start();
echo "SID AFTER SESSION START:" . SID;

// the first time this page is loaded, this var should be empty
echo "\$_SESSION['var'] = " . $_SESSION['var'];

// but we put it into session so we can look at it on the next refresh
$_SESSION['var'] = "I can store whatever i want here.";

?>

You'll see that the first time you load the page, SID is undefined before you start the session.

Once you start the session, it contains both the name that PHP is using for your session and your current session id. if enable-trans-sid is on, SID will be automatically appended to relative URL links on your site when cookies don't work so that the session id gets from page to page. if you read about this you will realize that this presents a security risk because session ids can be stolen pretty easily from a URL.

the session variable is empty on the first page viewing.

if you refresh the page, a couple of things should happen:
1) if cookies are on, SID will be empty because the session id is propagated through cookies.
2) if sessions are working properly, your session var should now hold what you assigned on the previous page. it will stay defined until you UNSET it or change it to something else or until your session ends or somehow the session id fails to get propagated.

tommmmm

Thanks for all the useful advice there guys,

I found some really good info on the web that other n00bs might find useful too;

http://uk2.php.net/session_destroy

http://www.oreilly.com/catalog/webdbapps/chapter/ch08.html

tommmmm

So I have my login page set to create a session and set the username and an id into the session.

I can see the username and id while the user travels round the site etc etc. When the user logs out the session gets destroyed and when they close their browse the session gets destroyed.

Is there a way I can get the username to be remembered everytime they vist. I'm thinking when they come back their username should be filled out inthe usernam box of the login form.

Also what is they likelyhood that session data could be mixed up between users etc. I have not named the session anything (I'm not sure if you are meant to or not)

session_start();
$_SESSION['username'] = $u;
$_SESSION['id'] = $id;

Could this code be a problem, it seems rather too simple.

sneakyimp

to retain the user's username, you could store it in a cookie. that's pretty much the only reliable way.

the likelihood of two users somehow sharing data inadvertently is really low. it is most likely to happen if some user has cookies turned off and the session id used by PHP (which is most likely different than your value $_SESSION['id']) must be propagated from page to page by appending it to the url. Depending on your PHP ini settings, PHP may 1) do this automatically and 2) rewrite URLs so that the user never sees it.

The related INI settings can be viewed by using the phpinfo() command. Be sure to check session.use_trans_sid. You might also want to google it.

The reason it's so easy is because a lot of thought and effort went into making php work that way.