authentication script and session vars

Forum Moderators: coopster

Message Too Old, No Replies

authentication script and session vars

need to register sessions in db table?

louponne

7:26 am on Feb 11, 2004 (gmt 0)

I've set up an authentification script on a small site I'm working on. There's a MySql table of existing users, and then a login form, and when they login, their id/password are checked against the existing-user table and then their session is recorded in a MySql table of sessions/users. I then check that table every time the user accesses a page on the site.

This is the way most of the scripts I've seen work.

Now I'm learning about session variables - and I'm wondering whether it's really necessary to register my user sessions in a MySql table - why not just use session variables to carry their id from page to page and "recognize" them as a logged in user?

zollerwagner

7:29 am on Feb 11, 2004 (gmt 0)

I use the sessions. It's incredibly easy and seems to work very well. I'd never considered using a dB, but I suppose if you wanted info about user's last log-in that could be useful.

jatar_k

5:02 pm on Feb 11, 2004 (gmt 0)

why not just use session variables to carry their id from page to page and "recognize" them as a logged in user?

That's what I always do, works like a charm. It's definitely not necessary to store session data in a db.

louponne

5:20 pm on Feb 11, 2004 (gmt 0)

ok, thanks a lot you two - goes to show that books are good for a start (that's where I got the authentification scripts), but then you have to dig in and really learn it!

louponne

5:51 pm on Feb 11, 2004 (gmt 0)

ok, I've fiddled with this for a while, and just want to check that I have it right.

I have a login form. When the user enters their id/password, I check them with the table of users, and, if they're in there, I set a $_SESSION['user'] variable.

Then, when the user goes to a new page, all I have to do is check to see if isset($_SESSION['user'])?

That sounds almost toooo simple! I must be missing something?

jatar_k

6:02 pm on Feb 11, 2004 (gmt 0)

if (isset($_SESSION['user']) && $_SESSION['user']!= "")

Just add a check to see if it's set and make sure it's not blank.

and yes it's that simple

louponne

6:46 pm on Feb 11, 2004 (gmt 0)

Thanks, jatar_k - I'm learning! :)

louponne

7:26 pm on Feb 11, 2004 (gmt 0)

ok, I'm back with more questions!

I have this working on my little site, which is already an accomplishment, as far as I'm concerned anyway :)

I thought that in order for the session variables to be "remembered", I had to do a session_start() on every page. But I just noticed that if I click on one of the .htm pages on my site, which of course doesn't have session_start(), I'm still "recognized" when I go back to a .php page -?

Also, what's the lifespan of a session variable? Is it finite? If not, I guess that the session would remain "open" ... as long as the browser is left open, right?

Is there no need to "manually" close sessions at all when you use session variables?