PHP Sessions to Authenticate User on Login Form

what about using this to setup session

session_start();
if (isset($_POST['username']) && isset($_POST['password']))
{
    if (auth($_POST['username'], $_POST['password']))
    {
        // auth okay: give the now logged-in user a fresh session ID, then setup session
        session_regenerate_id(true);
        $_SESSION['user'] = $_POST['username'];
        // redirect to required page
        header("Location: index.php");
        exit; // stop here so nothing after the redirect is executed or sent
    } else {
        // didn't auth, go back to loginform
        header("Location: loginform.html");
        exit;
    }
} else {
    // username and password not given so go back to login
    header("Location: loginform.html");
    exit;
}

and at the top of each "secure" page use this code:

session_start();
session_regenerate_id(true); // rotate the ID and drop the old session file
if (!isset($_SESSION['user'])) // if there is no valid session
{
    header("Location: loginform.html");
    exit; // without this the rest of the "secure" page would still be sent
}

this keeps a very small amount of code at the top of each page instead of running the full auth at the top of every page. To logout of the session:

session_start();
unset($_SESSION['user']);
session_destroy();
// also expire the session cookie in the browser so the old ID is not sent again
setcookie(session_name(), '', time() - 3600, '/');
header("Location: loginform.html");
exit;

Using sessions & session variables in a PHP Login Script

This begins the session; you need to call it at the top of a page, before any other session code:

session_start();

Put a user id in the session to track who is logged in:

$_SESSION['user'] = $user_id;

Check if someone is logged in:

if (isset($_SESSION['user'])) {
    // logged in
} else {
    // not logged in
}

Find the logged in user ID:

$_SESSION['user']

So on your page:

<?php
session_start();

if (isset($_SESSION['user'])) {
?>
    logged in HTML and code here
<?php
} else {
?>
    Not logged in HTML and code here
<?php
}
?>

PHP Session to authenticate user access to pages

Using the MySQL API to count the number of rows in a result-set appears to be a popular approach but also the source of endless questions here. I suggest you actually try to fetch a row and:

  1. If row found, user is valid

  2. Otherwise, it isn't

That also allows you to grab other user details you might want to use/display such as user profile, full name, etc. In fact, even the username should be displayed as stored in the DB rather than as typed in the last login.

Your code could use some improvements but I'll give you a piece of advice I consider particularly useful: drop your current learning material (on-line tutorial, book, whatever), which is extremely outdated and probably not good in the first place, and find something better. At least something that uses PDO, prepared statements and password_verify(). Life's too short to learn things you don't need.
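Putting that advice into practice, here is an added example of a login handler that fetches one row with a PDO prepared statement, checks it with password_verify(), and only then marks the session as logged in. It is not code from any of the answers above; the `users` table (columns id, username, password_hash), the DSN and the database credentials are assumed placeholders.

```php
<?php
// Added example: PDO + prepared statement + password_verify(). Assumed schema:
// table `users` (id, username, password_hash) with hashes from password_hash().
session_start();

function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // No such user: still perform one hash check so the response time does
        // not reveal whether the username exists (constructed dummy hash).
        password_verify($password, password_hash('dummy-password', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // never keep the hash in the session
    return $row;                    // id and username exactly as stored in the DB
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    header('Location: loginform.html');
    exit;
}
// Placeholder DSN and credentials; enable exceptions so errors are not silent.
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$user = authenticate($db, $username, $password);
if ($user === null) {
    header('Location: loginform.html');   // same response for bad user or bad password
    exit;
}
// Success: issue a fresh session ID so an ID fixated before login is not
// promoted to an authenticated one, then record who is logged in.
session_regenerate_id(true);
$_SESSION['user_id']  = $user['id'];
$_SESSION['username'] = $user['username'];   // display the DB value, not the typed one
$_SESSION['created']  = $_SESSION['last_seen'] = time();
header('Location: index.php');
exit;
```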

advanced user authentication using sessions

In my understanding, you already have working code, and what you are asking for is an opinion. You want to remove the duplication on each page of checking the database for authentication and subscription.

In my opinion, you need to change how you use sessions:

$_SESSION['email']     // email address of user
$_SESSION['auth_type'] // holds authentication type
$_SESSION['auth_till'] // subscription expire date

Then let's create a function to check the subscription. This function can be put into a separate file, for example init.php. Here we can put the session start mechanism so that in any case sessions will be available.

if (session_status() === PHP_SESSION_NONE)
    session_start(); // start session if not already started

// lets define global vars to hold authentication type of visitor
define("SUBSCRIBED", 1);
define("UN_SUBSCRIBED", 2);
define("REGISTERED", 3);

function checkSubscription(): bool
{
    // true only for a subscribed visitor whose subscription has not expired yet
    $return = false;
    if (isset($_SESSION['auth_type'], $_SESSION['auth_till'])
        && ($_SESSION['auth_type'] == SUBSCRIBED)
        && (strtotime($_SESSION['auth_till']) > strtotime("now")))
        $return = true;
    return $return;
}

And on login.php use the same technique when setting up the session's authentication type.

Now any other page can simply use the function to check the subscription, for example:

<?php
// file: product.php
include_once("init.php");
if (!checkSubscription()) {
    // subscription finished. do what you need to do. otherwise continue.
}

There are many improvements that can be done to your code. But I think this would meet your needs. Please let me know if you need any further assistance. Please visit Scape and let me know if any useful coding is available there.

Create a session after login authentication php

Just add a PHP session to your code:

session_start();
// compare the two hash strings with hash_equals() rather than a loose ==
if (hash_equals($allRows[0]['password'], $hashed)) {
    // password matched: rotate the session ID before marking it logged in
    session_regenerate_id(true);
    $_SESSION["login"] = true;
    $_SESSION["username"] = $_username;
    return true;
} else {
    $_SESSION["login"] = false;
    return 'Incorrect Password!';
}

And check the session in your home-page.php

<?php
session_start();
if (empty($_SESSION["login"])) {   // also covers the key not being set at all
    //Link to login page
} else {
    echo htmlspecialchars($_SESSION["username"]);   // escape before output
}
?>

Hope it resolves your problem

PHP login and $_SESSION

When the server receives an HTTP request, a Session ID is generated by the server and is sent back to the browser. The browser stores the Session ID in a cookie so it can re-use it. The ID forms the link between the browser and server, so that the server can identify subsequent requests as coming from the same browser.

The browser then sends that Session ID to the server (in an HTTP header) in every request the browser makes to the same server. PHP uses that ID to find the right session data for that ID in its storage. The actual session data is private and never leaves the server. Only the ID goes to the browser.

All of this means it's impossible for two users to share the same session data, because each session ID is unique. (It would technically be possible to steal another user's session ID if they were using an insecure HTTP-only connection to the server and you were able to monitor their network traffic, or even with HTTPS using a man-in-the-middle attack, but that's a whole other topic.)

If you close the browser, the session cookie is destroyed, by default. Therefore when you re-open the browser and go back to the same website, it will send a request without a session ID and will be given a new session ID by the server.

The other thing that would cause a new session to occur is if the session times out on the server. The server will have a session timeout value. It records what time a session was started and when the last request was made using that session ID. If no requests occur using a given session ID for timeout minutes after the last one, then the session ID will be destroyed and the browser will be given a new session ID next time a request occurs, regardless of whether it sent the previous one or not. This is usually why you find you're logged out of a website if you don't use it for a few minutes.
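The timeout described above is something the application should enforce itself rather than rely on garbage collection alone. The following is an added example, not code from the answer: a guard included at the top of each protected page that enforces an idle timeout and an absolute lifetime, and clears the cookie on expiry. It assumes PHP 7.3+ and that the login script stored `user_id`, `created` and `last_seen` in the session; the timeout values are illustrative.

```php
<?php
// Added example: include at the top of each protected page. Enforces an idle
// timeout and an absolute lifetime server-side. Assumes the login script set
// $_SESSION['user_id'], ['created'] and ['last_seen'] (timestamps).
const IDLE_TIMEOUT_SECONDS      = 15 * 60;   // log out after 15 min without a request
const ABSOLUTE_LIFETIME_SECONDS = 8 * 3600;  // and always after 8 h, active or not

// Cookie flags: not readable by script, HTTPS only, not sent on cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

function sessionIsExpired(array $session, int $now): bool
{
    if (!isset($session['user_id'], $session['created'], $session['last_seen'])) {
        return true;                           // nobody is logged in
    }
    return ($now - $session['last_seen']) > IDLE_TIMEOUT_SECONDS
        || ($now - $session['created'])   > ABSOLUTE_LIFETIME_SECONDS;
}

function endSession(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser too, so the old ID is not sent again.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

if (sessionIsExpired($_SESSION, time())) {
    endSession();
    header('Location: loginform.html');
    exit;
}
$_SESSION['last_seen'] = time();   // slide the idle window on every request
```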
