Sessions request

scrupul0us

It seems like im ALWAYS patching my sessions "code" b/c its either funky or redundant and i really have never spotted a clean, secure way of doing it, so im asking for your help... can someone do me a favor and post a dirty 3 page setup for simple sessions... im not looking for HTML and a form and all that, but im looking for well formed and secure php for doing it

maybe someone has a base script they work with for every sessions project they make/use

im looking for something in the realms of:

index.php (whered ud login)
members.php (protected page)
logout.php (the logout action)

or if you can refer me to a site (that hopefully i havent already seen, caus ive googled my heart out) that would be nice as well

NogDog

Rather than having a separate login page, I put everything for logging in, logging out, and verifying if the user is already logged in into one include file, then simply require() that file at the beginning of each page that needs access control. I don't have at my fingertips a database-driven file I can share right now, but you can take a look at my flat-file version to get an idea what I'm talking about.

scrupul0us

not bad... useful and lightweight

Tyree

Oooo, I'll have to look into squishing my code down to one file. Right now I use 3 files. login.php, logout.php and a session.php that is required by each page.

Here's the code if you're curious....by all means...rip it apart and tell me what's wrong with it!

It also has a "previous page" functionality so that if the user tries a direct url request then they will be sent back to that page after login. Kinda convenient.

session.php:

<? 
session_start();

function performQuery($query)
  {
     $status = mysql_query($query);

 if ($status)
 {
   return $status;
 }
 else
 {
    $message =  "The following error was encountered:" .
                "<p>" . $query .
                "<p>" . mysql_errno() . ": " . mysql_error();

    die($message);
    exit;
 }
  }

if ($_SESSION['userName'] && $_SESSION['passWord']){

$query = "SELECT * FROM users WHERE UserName='".$_SESSION['userName']."' AND Password='".$_SESSION['passWord']."'";
	$result = performQuery($query);

if (mysql_num_rows($result) > 0) {

	$userName = $_SESSION['userName'];
	$password = $_SESSION['passWord'];
	$userID = $_SESSION['userid'];
	$userGroup = $_SESSION['group'];
	$sessionID = $_SESSION['sessionID'];

} else {
	$_SESSION['prevPage'] = $PHP_SELF;
	header('location: login.php');
	exit;
}

} else {
$_SESSION['prevPage'] = $PHP_SELF;
header('location: login.php');
exit;
}
?>

<?php
session_start();

function performQuery($query)
  {
     $status = mysql_query($query);

 if ($status)
 {
   return $status;
 }
 else
 {
    $message =  "The following error was encountered:" .
                "<p>" . $query .
                "<p>" . mysql_errno() . ": " . mysql_error();

    die($message);
    exit;
 }
  }


//Check to see if user is already logged in.  If so, send user to the main page
if ($_SESSION['userName'] && $_SESSION['passWord']){

$query = "SELECT * FROM users WHERE UserName='".$_SESSION['userName']."' AND Password='".$_SESSION['passWord']."'";
	$result = performQuery($query);

if (mysql_num_rows($result) > 0) {

	header("Location: index.php");
	exit;	
}
}

//If user has submitted the login form
if ($_POST['Submit']) {

//Initialize form vars
$userName = $_POST['userName'];
$password = md5($_POST['password']);

//Check for completed form
if (!($userName) || !($password)){
	$___m = "Please complete the form.";

} else {

	//Check db for user
	$query = "SELECT * FROM users WHERE UserName='$userName' AND Password='$password'";
	$result = performQuery($query);
	$row = mysql_fetch_assoc($result);

	if (mysql_num_rows($result) > 0) {

		$_SESSION['userName'] = $userName;
		$_SESSION['passWord'] = $password;
		$_SESSION['userid'] = $row['ID'];
		$_SESSION['group'] = $row['UserGroup'];
		$_SESSION['sessionID'] = session_id();

		//Did the user get redirected from a direct url request?
		if ($_SESSION['prevPage']){
			$location = $_SESSION['prevPage'];
		} else {
			$location = "index.php";
		}

		//Send user to main page or a previous page (if applicable)
		header("Location: ".$location);
		exit;

	} else {
	$___m = "No user matches that information.";
	}
}
}
?>

logout.php:

<?php
include ('session.php');

//End Session
session_unset();
session_destroy();

$___m = "You have been logged out."
?>

Like I said...let me know how awful it is everyone! It's my first attempt at a login, so I know there's bound to be a better way!

If it's tight, then scrupul0us, it's all yours, bud! 🙂

Thanks!
Matt

scrupul0us

it just seems like im trying to reinvent the wheel when i try to do authenticated sessions... there has to be a solid sound way to facilitate it

so far that flat file idea isnt too bad... but no one has critiqued it yet

the only problem with that is if u want to inject that form into a page... nothing after the require comes up...

Tyree

the only problem with that is if u want to inject that form into a page... nothing after the require comes up...

"THAT" as in NogDog's script? Or did you mean mine?

rupertbj

Guys - i got mine to work so perfectly now. the key parts are:

index.php

session_start();
unset($_SESSION['username']);
unset($username);
session_destroy();
$_SESSION = array();

then the rest of the page including a log-in form posting data to login.php

if (!$_POST['username'] || !$_POST['password']) { include("badUser.php"); exit; } 
    else {
        include("mysql.php");
       	$result = mysql_query( "SELECT * FROM fotoUsers WHERE username='$username' && password='$password'");
		$num_rows = mysql_num_rows( $result );
        if ($num_rows != "1") { include("badUser.php"); exit; }
            else {
					session_start();
					$_SESSION["username"] = $username;
	                mysql_close( $link );
					include("main.php");
				 }
		}

main.php (the page i want to display to members) is called if the log-in is successful.

main.php

print "<p class=menu>Logged in as: $username | <a href=\"index.php\">LOG OUT</a></p>";

this line is in main.php at the top. It shows who you are logged in as. you can also log-out (which takes you back to index.php and clears the session and var).

and finally you need to authenticate every page that is to be protected:

validate.php

session_start();
if ( isset( $_SESSION[ 'username' ] ) && ( $_SESSION[ 'username' ] = $username ) )
	{
	}
else
	{
	include("badUser.php");
	exit;
	}

This is called as an include at the beginning of every new page.

I hope that this helps?