Members system

tweaking it...

         

wonderboy

2:18 pm on Jun 24, 2004 (gmt 0)



Hi,

I made a test members system using basic PHP I learnt, and now want to add some more features to it...

It currently is very simple, you enter the username, password and other simple profile information and it is stored in database.

The login process is a simple form that checks details entered against database, however, all it does is allow access to your members area, and then when you navigate round the site it relies upon variables to be added to every link on the page.

example.php?user=wonderboy

This works well, but anyone can just type another person's user in to be recognised as this user, obviously they can't see any important information, as this requires a password (every time) you need to do something of worth.

My question is, how do I modify the system so that once the user is logged in, they can go to different pages and still be logged into their account without the username having to be carried in every link, and how do I allow users to close the window, and then when they come back to not be logged out.
Also, how do I actually allow the user to log out.

I know this has something to do with cookies (does it!?) and would like to give the user the option for username and password to be saved using a checkbox on login, but have no idea where to start in making this...

Sheesh, that's a lot of writing for something so simple.

Hope you understand,

Thanks,

W.

ergophobe

2:58 pm on Jun 24, 2004 (gmt 0)



Use sessions [php.net].

- EVERY page must have a session_start() command before you try to access sessions.

- check the login as you are currently doing.

- once verified, set $_SESSION['user_id'] = primary key of your users table.

Now
if (isset($_SESSION['user_id']) && $_SESSION['user_id'])
{
    // user is logged in
}
else
{
    // not logged in
}

This can still be hijacked in that if someone uses a URL with a session id as a GET parameter and that session is actually active, that person will be treated as being logged in. That's a lot harder to do, though, than just typing a user name.
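The session steps above, together with a log-out function and settings that stop PHP from accepting a session id passed in a URL, written out as an added example that is not part of the original post. It assumes PHP 7.3 or later, an HTTPS site, a PDO connection, and a hypothetical `users` table with `id`, `username` and `password_hash` columns; the function names are illustrative.

```php
<?php
// Added example, not code from the thread. Assumed: a `users` table with
// columns id, username, password_hash (hash created with password_hash()).

// Take the session id only from a cookie, never from ?PHPSESSID=... in a URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,       // 0 = cookie lasts until the browser is closed
    'path'     => '/',
    'secure'   => true,    // assumes the site is served over HTTPS
    'httponly' => true,    // cookie is not readable from page JavaScript
    'samesite' => 'Lax',
]);
session_start();           // required on every page, before any output

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // issue a fresh id at login; the old one stops working
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function current_user_id(): ?int
{
    // Same test as the isset() check above: null means "not logged in".
    return empty($_SESSION['user_id']) ? null : (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];                // drop the server-side session data
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Pages that require a login call `current_user_id()` and send the visitor to the login form when it returns null.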

wonderboy

3:32 pm on Jun 24, 2004 (gmt 0)



I will look into sessions =)

Thanks for replying so quickly.

W.