Well, you can use the server-side session info and set $_SESSION['username'] and $_SESSION['password'] when they log in successfully, and run your checks on future pages by comparing the $_SESSION information with what's in the db for the user. This way you don't have to pass anything through the url.
This works fine on my website--in fact I even edited an xmb forum to eliminate all references to client-side cookies to use $_SESSION instead. That not only keeps the session info for however long I set it to be in the php.ini, but it also allowed me to log them into the xmbforum areas with the login they used at the website entrance page.
At the top of every page I have it run a function located in my includes file that checks for a valid login. I have one function that allows only admin access, and one that allows any registered member to view the page. Here is the code for the function that is called if any registered member is able to view the page (it's lengthy, because it also checks to see if they just tried logging in...). It makes reference to the login function that checks the login against the db; I'll include that function at the end, too.
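function valid_user_check_membersonly($username, $passwd, $page_title)
{
    // Gate for pages that only logged-in members may view.
    //
    // Flow: if $_SESSION['username'] is already set the visitor is treated as
    // logged in and only the header (admin vs. member) is chosen by webrank;
    // otherwise a supplied username/password pair is checked with login(); a
    // visitor with neither is shown the "must be logged in" page and the
    // script stops.
    //
    // Fixes relative to the original version of this function:
    //  * $SESSION (a plain local array) is replaced by the $_SESSION
    //    superglobal, so the login actually persists between pages. This
    //    assumes session_start() has already run for the request -- not
    //    visible here, confirm in the include that calls this.
    //  * a failed login no longer falls through and lets the rest of the page
    //    render; it now ends the request like the "not logged in" branch.
    //  * the webrank lookup uses the authenticated name from the session, not
    //    whatever arrived in the form, and the value is escaped before it is
    //    placed in the SQL.
    //  * the password is no longer echoed back to the browser, and the
    //    username is HTML-escaped before output.
    //  * $page_title is no longer silently overwritten; the old literal is
    //    only a fallback when the caller passes nothing.
    //  * a session whose account no longer has a row in the table is treated
    //    as not logged in instead of silently continuing without a header.
    // NOTE(review): the ext/mysql (mysql_*) API was removed in PHP 7; these
    // queries should become PDO/mysqli prepared statements when db_connect()
    // is migrated. "table" is the author's placeholder for the real name.
    $conn = db_connect();
    if ($page_title === null || $page_title === '') {
        $page_title = "Welcome To *****!!!";
    }

    if (!isset($_SESSION['username'])) {
        // Not logged in yet.
        if (!isset($username, $passwd)) {
            // No credentials supplied: show the "must log in" page and stop.
            do_html_header($page_title);
            $pagecontent = "<p align='center'><font size='5' color='#996633'>You must be logged in to view this page.</font></p>";
            display_main_table($pagecontent);
            do_html_footer();
            die();
        }

        if (!login($username, $passwd)) {
            // Credentials rejected. Do not reflect the password back, and do
            // not let the protected page body render after this message.
            do_html_header($page_title);
            echo "You could not be logged in. ";
            echo "<BR>You tried to log in as " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
            do_html_footer();
            die();
        }

        // login() succeeded: record the authenticated name for later pages.
        $_SESSION['username'] = $username;
        $verb = "logged in";
    } else {
        $verb = "navigating this site";
    }

    // Look up the rank of the *authenticated* user, never the form value.
    $safeName = mysql_real_escape_string($_SESSION['username'], $conn);
    $result = mysql_query("select webrank from table where username ='$safeName'");
    $row = $result ? mysql_fetch_array($result) : false;
    if (!$row) {
        // The session names an account that no longer exists: drop it and
        // require a fresh login rather than rendering member content.
        unset($_SESSION['username']);
        do_html_header($page_title);
        $pagecontent = "<p align='center'><font size='5' color='#996633'>You must be logged in to view this page.</font></p>";
        display_main_table($pagecontent);
        do_html_footer();
        die();
    }

    $shownName = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    if ((int) $row['webrank'] === 1) {
        // webrank 1 is the administrative rank in this schema.
        do_admin_header($page_title);
        echo "You are $verb as $shownName with administrative rights";
    } else {
        do_member_header($page_title);
        echo "You are $verb as $shownName";
    }
} //function close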
////////////////////////////////////
// Here is the login function
// it contains some additional checks for members who left our guild
// so they no longer have website access, but we don't want to destroy
// the web account in case they come back later.....that's what auth and webrank
// are for. You can ignore those if you don't need a similar function
//////////////////////////////////////////
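function login($username, $passwd)
// check username and password with db
// if yes, return true
// else return false
{
    // Returns true only when a row matches the username/password pair and its
    // auth column is 1. When the pair matches but auth is 0 or 2 an
    // explanation is printed and false is returned. When nothing matches an
    // "Unsuccessful Login" page is rendered and the script stops.
    //
    // Fixes relative to the original version of this function:
    //  * `if ($authcheck="1")` was an assignment, not a comparison, so every
    //    matched row took the first branch. auth is now read from the matched
    //    row itself. The old first query also already required auth=1, which
    //    made the auth=0 / auth=2 messages unreachable; the match no longer
    //    filters on auth so those branches can actually fire.
    //  * `select from *table` is not valid SQL; the query now selects the auth
    //    column from "table" (the author's placeholder for the real name).
    //  * username and password were interpolated raw into the SQL; they are
    //    now escaped for the connection.
    //  * $SESSION (local array) -> $_SESSION so the login survives the request.
    //  * a row with an unexpected auth value now returns false instead of
    //    falling off the end of the function (implicit null).
    // NOTE(review): passwords are compared as unsalted md5 because that is the
    // stored format; moving to password_hash()/password_verify() needs a schema
    // change and is out of scope here. ext/mysql is removed in PHP 7 -- move to
    // prepared statements together with db_connect().
    // NOTE(review): $_SESSION['password'] keeps the plaintext password for the
    // whole session because other pages (per the post) read it; it should be
    // dropped once those pages rely on $_SESSION['username'] alone.

    // connect to db
    $conn = db_connect();
    if (!$conn) {
        return false;
    }

    $safeName = mysql_real_escape_string((string) $username, $conn);
    $safePw = mysql_real_escape_string((string) $passwd, $conn);
    $result = mysql_query("select auth from table where username='$safeName' and password=md5('$safePw')", $conn);
    if (!$result) {
        echo "This is a test of user_auth function login()--Could not return $result";
        exit;
    }

    if (mysql_num_rows($result) <= 0) {
        // No username/password match: render the failure page and stop.
        $page_title = "Unsuccessful Login";
        do_html_header($page_title);
        echo "<BR><BR><BR><font size='6'>Could not find your username in the database. Please try again</font>";
        do_html_footer();
        die();
    }

    $row = mysql_fetch_array($result);
    $auth = $row ? (int) $row['auth'] : -1;

    if ($auth === 1) {
        // Active member: register the session for the site and the XMB forum.
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $passwd;
        $_SESSION['xmbuser'] = $username;
        $_SESSION['xmbpw'] = md5(trim($passwd));
        return true;
    } elseif ($auth === 0) {
        echo "<BR><BR>Your name is in our database but that login does not have the authority to view members-only pages. <BR>This usually because either <BR>1) You have registered an account on the website but your character name has not yet appeared on the in-game guild roster or <BR>2) You were a member of the guild but have left the guild and your account has been suspended..";
        return false;
    } elseif ($auth === 2) {
        echo "You have previously registered as a member,but seem to have left the guild. Contact Conradin or Voldine in-game to resolve this issue.";
        return false;
    }

    // Any other auth value is treated as "not authorised".
    return false;
}//close of function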