Msg#: 4419867 posted 4:40 am on Feb 21, 2012 (gmt 0)
I have a login script with a session. I want to get user data like email, username, first name to echo in paragraphs on a members page.
How can I detect what user is logged in and retrieve their individual data from their member name in my database? Do I get it from the session somehow? I assume I have to get their unique id from the database from the session somehow?
Msg#: 4419867 posted 12:28 pm on Feb 21, 2012 (gmt 0)
You could use the PHP sessions, a cookie with an identifier etc for keeping track of a visitor. When the user is registered or logs in, you can set up an identifier with the session/cookie following validation and after creating a database record. When the visitor's browser makes a new request to your pages it will send the cookie which you can cross reference the info with the database record. You will need a db sessions table in your case or some other storage medium.
The basic steps for processing a request are:
1. Check if the cookie is set and valid
2. Check if the cookie value exists in the sessions db table
3. Process the request taking into account it's a registered visitor when applicable
If you use a custom cookie/session you will need to create and send the cookie header yourself, expire sessions, write the session identifiers to the db etc.
You can see the php session functions here along with various examples. [php.net...]
Msg#: 4419867 posted 9:04 am on Feb 23, 2012 (gmt 0)
Yes it is possible, but not used often. You create a unique identifier which is appended with the URLs and stored in the db. When a page request is made you check the identifier against the db record for a match. The db record contains the session data which you can then process.
This was used in the past on hosts with a shared SSL as during the transition between secure and non-secure pages the domain is different and another cookie needs to be sent for the secure domain. It's not a preferred method as the identifier is exposed with the links for the session lifetime, thus it can be hijacked.
Msg#: 4419867 posted 10:42 pm on Feb 29, 2012 (gmt 0)
Why bother referencing the database whenever you want the info and stashing extra info in it for the purpose?
I do this all the time with a simple script I nicked from a tutorial and don't profess to be any kind of expert as said script has caused me grief (sorted now) but if you require a person to log in then your login script will check the members table for username, user email, ID etc etc
once that's done you can pass all that to session variables with
Msg#: 4419867 posted 9:58 am on Mar 1, 2012 (gmt 0)
or have I missed something?
Yes, first of all you need the session identifier somewhere stored after you generate it. If you neglect it, the default PHPSESSIONID can contain any identifier let alone the name is well known. For instance the browser can set a cookie of PHPSESSIONID to 1 and your code will accept it as it stands. So you need to validate the identifier with each request especially if your domain holds personalized info. You could use session_regenerate_id right after the login is processed to create a new identifier right after the login takes place and store the new one.
And because the sessions have quite some differences between PHP versions and host environments I use totally custom ones.
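An added example, not code from any poster in this thread, showing one way to combine the points discussed above: refuse session ids the server did not issue, regenerate the id at login, keep only the member's id in the session, and look the profile up per request. The `members` table, its columns, the `member_id` session key and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Table, columns and 'member_id' are assumed names.
// Constructed sample data: in-memory SQLite stands in for the real members database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           email TEXT, first_name TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO members (username, email, first_name, password_hash) VALUES (?, ?, ?, ?)')
   ->execute(['alice', 'alice@example.test', 'Alice', password_hash('sample-pass', PASSWORD_DEFAULT)]);

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh id after login; old session data deleted
    $_SESSION['member_id'] = (int) $row['id']; // keep only the key, not the whole profile
    return true;
}

function currentMember(PDO $db): ?array
{
    if (!isset($_SESSION['member_id'])) {
        return null;                           // nobody is logged in on this session
    }
    $stmt = $db->prepare('SELECT username, email, first_name FROM members WHERE id = ?');
    $stmt->execute([$_SESSION['member_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null; // null if the account no longer exists
}

function e(string $value): string              // escape profile values before echoing into HTML
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

session_start([
    'use_strict_mode' => true,  // ignore ids the server never issued (e.g. a cookie set to "1")
    'cookie_httponly' => true,  // keep the session cookie away from page scripts
    'cookie_samesite' => 'Lax', // add 'cookie_secure' => true when served over HTTPS
]);

login($db, 'alice', 'sample-pass');            // on a real page these come from the login form
$member = currentMember($db);
if ($member === null) {
    echo "<p>Please log in.</p>\n";
} else {
    echo '<p>Welcome, ' . e($member['first_name']) . ' (' . e($member['username']) . ")</p>\n";
    echo '<p>Email: ' . e($member['email']) . "</p>\n";
}
```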