Forum Moderators: coopster
I've searched to learn about sessions and although I think I understand what they are I don't seem to be implementing them right. I'm sure my logic and syntax behind how they work is screwed up. Here's what I am needing to do. BTW, I'm VERY new to PHP (I'm a web DESIGNER) so take it easy on me :-)
- User logs in (I have this part -- mySQL-based)
- After they login I want them to be able to edit their profile, check orders, etc.
I assume I need to somehow set a session (session_start()), set its id, and set the username and pw as global variables. Then on each page (editprofile.php, orders.php, etc.) have a test to see if they are "connected". If not, display the login form.
I've read through the session function lists/posts at PHP.net, went through the tutorial at phpfreaks, etc but I'm still not getting it.
The login form submits the data to the same page (action=$PHP_SELF), which, if successful, calls certain functions to echo the HTML (edit profile, order status, etc. links). When do I start the session, when they submit the login form? Also, do I set a session id? What's the difference between $_SESSION and session_register? Also, is there a way (besides logout...session_destroy) to log them out when they leave the site (close browser or otherwise)? Finally, I read about a cookie and non-cookie approach. What are the advantages? BTW, I need this to be pretty secure (eventually it will be run under SSL (https)).
Please help shed some light on this for me.
Thanks,
Steve
You don't have to set a session ID; the server will generate it automatically. If you wish you can give your session a custom name by using session_name('mySessionID');. Call that function before you call session_start();. The default name is PHPSESSID.
The difference between $_SESSION and session_register is the ease of use, IMHO. $_SESSION was introduced in v. 4.1. Before that, registering a session variable was more complicated:
    $foo = 'bar';
    session_register('foo');

versus

    $_SESSION['foo'] = 'bar';

Pros and cons: passing the session ID by cookie means that users need to have cookies enabled. Passing the session ID by URL makes it theoretically easier for malevolent folks to hijack the session ID.
Also, try a site search; there's much more info on sessions around.
I'm sorry but I'm still a bit confused. I start the session at the login page. After a successful login and taking the user to a new page, how do I get/set the session ID and pass it to the next page? Should I use the URL (I'd prefer not to use cookies)? Example URL in the href would be "/login/userinfo.php?session_id=fd4fxsd89r34nr438fgfd934mds"? Once the user is on the new page the server would know they are "userXYZ" by the session_id, or is this something else I'd need to pass or set? Finally, I assume the session_id is random, but how could I keep someone from using someone's session_id to have access to their user info?
Sorry, but my PHP (and any server-side language) skills are entry level.
Thanks again!
Steve
> pass it to the next page
I have to refer to the online manual. PHP has one of the best manuals around. There is a chapter Session handling functions, with a section on Runtime Configuration. The relevant settings are session.use_cookies, session.use_only_cookies and session.use_trans_sid.
Security: there is a section on Sessions and security in the online manual.
Hope this helps...
login page: session_start() and if login is successful it sets $_SESSION['username'] = $username.
useraccount pages: session_start(), checks to see if username exists in database. If not, it echoes a login form.
I didn't have to set or even use session_id(), just a global var of the username. I wonder how secure this is? In the end it will be under SSL (https) which I hope doesn't cause problems with my code :-¦
Is the session_id generated by the server using the user's IP? When I log in the session_id is always the same. When I log in using the computer next to me it's different. So I come to the conclusion the session_id is based on the PC you are on (or maybe IP).
Thanks,
Steve
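An added example (not Steve's code, and not from the manual) of the two-page flow described in the post above, with the session settings coopster pointed to applied. It assumes a current PHP (7.3 or later), a PDO connection in $pdo, and a users table with username and password_hash columns; all of those are assumptions, not anything from the thread.

```php
<?php
// Added example: login flow with cookie-only session IDs.
// Assumes PHP 7.3+, $pdo (a PDO connection) and a users table with
// columns username and password_hash (a password_hash() digest).

// Session ID travels only in a cookie, never in the URL (no ?PHPSESSID=).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// lifetime 0: the browser discards the cookie when it is closed, which is
// the closest thing to "log them out when they leave the site".
// secure: cookie is only sent over https. httponly: not readable by scripts.
session_set_cookie_params([
    'lifetime' => 0, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start(); // must run before any output on every page

// login.php: called with the submitted form values.
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh ID at login so an ID someone already knew (fixation)
    // never becomes the logged-in one; the old session data is deleted.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Top of editprofile.php, orders.php, etc.: only the server-side
// $_SESSION decides who the user is; nothing is trusted from the URL.
function require_login(string $login_url = '/login.php'): string
{
    if (empty($_SESSION['username'])) {
        header('Location: ' . $login_url);
        exit;
    }
    return $_SESSION['username'];
}

// logout.php: clear server-side data and expire the cookie in the browser.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

The random ID in the cookie is the only thing tying a browser to its $_SESSION data, so keeping it out of URLs and off plain http is what protects one user's info from someone who guesses or sees another user's ID.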
> Is the session_id generated by the server using the user's IP? When I log in the session_id is always the same. When I log in using the computer next to me it's different. So I come to the conclusion the session_id is based on the PC you are on (or maybe IP).
Each session gets a random ID. It is not related to your IP. Maybe you're simply using the same session? Close your browser, or let the session expire. Then log in, and you'll have a fresh ID.