I am using sessions to check if the user is logged in. In my project, there are some pages where a session check is not required, i.e. the user can access them without logging in. How do I disable the session check on selected pages? Instead of writing, say, session_check on every page that needs a session, I want to know if there is a way to implement no_session_check() on selected pages, as the number of pages that require a session check is greater than the number of pages that do not. I am using CodeIgniter. Thanks
First you create the session checking function in a library file. If you want the session on that controller, just call that library function.
Refer this link:
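One way to get the "check everywhere except on selected pages" behaviour asked about above, as an added example that is not part of the original thread: a base controller that checks the session by default and lets each controller list the methods that are public. It assumes CodeIgniter 3; the 'user_id' session key, the 'login' route and the Pages controller are hypothetical names.

```php
<?php
// application/core/MY_Controller.php  (added example; assumes CodeIgniter 3)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    /**
     * Methods of this controller that may be reached without a login.
     * Empty by default, so every page is protected unless a controller opts out.
     */
    protected $public_methods = array();

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');

        // Method the router resolved for this request.
        $method = $this->router->method;

        // Strict, case-sensitive match: anything not listed exactly stays protected.
        if (in_array($method, $this->public_methods, TRUE)) {
            return;
        }

        // 'user_id' is a hypothetical session key written by the login code.
        if ( ! $this->session->userdata('user_id')) {
            redirect('login'); // hypothetical route; redirect() ends the request
        }
    }
}

// application/controllers/Pages.php  (hypothetical controller, separate file)
class Pages extends MY_Controller
{
    // Only these two actions are reachable without a session.
    protected $public_methods = array('index', 'about');

    public function index()   { $this->load->view('home'); }
    public function about()   { $this->load->view('about'); }
    public function account() { $this->load->view('account'); } // login required
}
```

The controller that serves the login form has to list its own methods in $public_methods (or extend CI_Controller directly), otherwise the redirect loops.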
Related
I am trying to create a website where a user logs in or creates a new account if they are not already a user. I have that working, but what I cannot seem to figure out is how to have PHP or HTML save the username through different pages. A user logs in, and then based on the specific user, my website will show different exercises the user has completed in the past, as well as allow the user to add more exercises in the future. My website uses PHP, HTML, and MySQL to search different tables in my database and output the results.
I have tried many different possible solutions, such as sessions in PHP like this, but it did not work. Each PHP page has this at the beginning:
session_start();
and then further down, I have:
$_SESSION["Username"] = $_POST['Username'];
I have also tried hidden input values in HTML, but that did not seem to work quite right either. Each HTML page has this:
<input type="hidden" name="Username" value="Cbartowski">
I have tried a lot of ways to try to have my web page save the username and use that data throughout my pages, but I haven't had any luck. Would sessions in PHP be the way to go? Or hidden input in HTML? Or something else entirely?
Any help would be greatly appreciated!
First of all, using hidden input to store the username is a critical threat to your website.
One can easily check out the username of the person by viewing the source code.
Using PHP sessions is the way to go here.
What I have understood is that you are initializing
$_SESSION["Username"] = $_POST["Username"];
on every page. Now, consider you have two php pages.
One is form-request-handler.php and other is display-user-preferences.php
Now, when user submits the form the username gets set into session variable using the above code snippet on form-request-handler.php page.
Now, when the user hits the display-user-preferences.php page, you again set the value of the session variable. But since no POST request has been made to this page, Null gets saved into the session variable and you are not able to retrieve the required information from the database.
So, whichever php page is handling the post request just initialize your session variable there and use it on other pages.
Session variables will be available to you unless you call
session_destroy();
Hope, this helps :)
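The split described in the answer above, as an added example that is not part of the original post: the session variable is assigned only by the script that receives the login POST, and only after the password checks out, while every other page just reads it. The 'Password' field and the $users array (standing in for the MySQL users table) are assumptions; the session ID is also regenerated at login, which prevents session fixation.

```php
<?php
// Added example. $users stands in for the MySQL users table (constructed data).
$users = array(
    'Cbartowski' => password_hash('constructed-password', PASSWORD_DEFAULT),
);

/** Runs only in the script that receives the login form (form-request-handler.php). */
function handle_login(array $post, array $users): bool
{
    // 'Password' is an assumed form field; the page only shows 'Username'.
    $name = isset($post['Username']) ? (string) $post['Username'] : '';
    $pass = isset($post['Password']) ? (string) $post['Password'] : '';

    if (!isset($users[$name]) || !password_verify($pass, $users[$name])) {
        return false;            // leave $_SESSION untouched on failure
    }
    session_regenerate_id(true); // fresh session ID once the user is authenticated
    $_SESSION['Username'] = $name;
    return true;
}

/** Used by every other page (display-user-preferences.php): read, never assign. */
function current_username(): ?string
{
    return isset($_SESSION['Username']) ? $_SESSION['Username'] : null;
}

session_start();

// Only a POST to the handler may change who is logged in.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!handle_login($_POST, $users)) {
        http_response_code(401);
        exit('Login failed');
    }
}

// Escape the name on output; it originally came from user input.
$user = current_username();
echo $user === null
    ? 'Not logged in'
    : 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```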
HTML hidden input is not a good way because users can see it with the browser's show source action.
Are you sure session files are saved and the session ID is included in your links?
If not, sessions start a new session each time the user clicks a link.
Have a look in your temp folder each time you're clicking a link; if a new session file is created, it's because you forgot the session ID.
Maybe that's the problem.
Check your form method: it should be POST
Check your variable using:
var_dump($_POST['Username']);
So from experience, it's better to use POST methods when doing user authentication. Purely for security reasons. In addition to this, using PHP's session variables is also the recommended way of passing user information from one page to another.
If you want to store the user name in the session variable, here are some steps you can follow:
start the session using session_start();
name the session variable and store the information you want
$_SESSION['what-ever-you-want-to-call-it']=$what-you want to store
e.g. $_SESSION['Username']=$_POST['Username']. Note the use of single quotes.
You can now call $_SESSION['Username'] anywhere in a PHP script, provided the session has been started before calling it. That is, session_start();.
Note: break apart the code you're working on and ensure each individual piece works, e.g. is the POST providing you with the username?
I have a few scripts all linked to the same SQL database, but each one has its own admin.php
I have created links to the other admin.php(s) in the one I would consider the main admin panel.
As it is the same user name and ID, how can I get the links to fill in and submit the login details so I only have to log in on the first admin panel and not each time I click a link to a new one?
Any help appreciated.
You probably want to store some kind of authentication information in session data. Each time you access a script, it will check the session variables for some kind of security token. If it's there, it can use that to determine who has logged-in.
At the top of each PHP script (before you've output any HTML), include a call to session_start(). This will enable session information. You can then read/write elements in the $_SESSION superglobal array.
If you want the browser to remember the login for subsequent visits, you could also use cookie data. Just be aware that cookies are not particularly secure, so don't store usernames and passwords in them directly. Use a unique encrypted/hashed token instead.
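A sketch of the token approach from the answer above, as an added example that is not part of the original post: the cookie carries a random selector and validator, the server keeps only a hash of the validator, and each token can be redeemed once. The function names, the in-memory $store (standing in for a database table) and the 14-day lifetime are assumptions.

```php
<?php
// Added example: "remember me" cookie holding a random token, never credentials.
// $store stands in for a database table (constructed, in-memory).

/** Create a token for $userId; returns the value to put in the cookie. */
function issue_remember_token(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret half, sent to the browser once

    $store[$selector] = array(
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // only the hash is kept server-side
        'expires' => time() + $ttl,
    );
    return $selector . ':' . $validator;
}

/** Return the user id for a valid cookie value, or null. Tokens are single-use. */
function redeem_remember_token(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    list($selector, $validator) = $parts;
    $row = $store[$selector];
    unset($store[$selector]); // spend the token whether or not it validates

    // hash_equals() compares in constant time.
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Constructed walk-through: issue a token for user 42, then redeem it twice.
$store  = array();
$cookie = issue_remember_token($store, 42);
// In a web request the value would be sent with:
// setcookie('remember', $cookie, ['expires' => time() + 1209600,
//     'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(redeem_remember_token($store, $cookie));
var_dump(redeem_remember_token($store, $cookie)); // same value again: token is spent
```

After a successful redeem, start the normal session for that user and issue a fresh token, so a copied cookie stops working as soon as the real one is used.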
I'm making a CMS using CodeIgniter. I'm using modules to separate the admin part of the site from the normal site. I make use of sessions to store some data; this is working great, but I have 1 problem.
When I log in to the Admin panel, it makes a session so I know I'm logged in. When I go to the normal site, return to admin and refresh my page, I'm logged out. It seems like when I go to the normal site it first clears the session or it overwrites the old session. I think this comes because of the session name used by CodeIgniter.
Now my question :p
Is it possible to set different session names for the admin module and the normal site?
I hope I have made myself clear
Best practice if you handle session with db in CI
Yes, it's possible. Please use a separate session for both, and on logout unset the separate session that you want to unset.
Like you create a session for the front:-
$this->session->set_userdata('user_account_login',$data);
on logout you need :-
$this->session->unset_userdata('user_account_login');
same for admin but in different var :-
$this->session->set_userdata('admin_account_login',$data);
on logout you need :-
$this->session->unset_userdata('admin_account_login');
I'm working on some website where I need to load session library, but it must be limited only to places on website where it's really useful, not on all. After all that means, the session library must not be loaded on index page. But there is a problem because on index page I need to display user's data if the user is logged in. What can I do to check if the user is logged in, without loading session library or not creating session cookie on index page?
You can't check whether the user is logged in or not if you don't have an active session on your index page.
Your session must exist in every part of the system execution.
Make the session handler always be available but limit the information you store in the sessions instead of limiting locations in the system of where to use sessions at all.
I have a system that requires the user to login (or register) for an account before they are able to access their Member 'dashboard'.
My question is... at what point do I session_start()? On the login page and the register page? Or after the user has successfully authenticated?
Thanks.
You need to include session_start() on every page where you want the session data to be accessible. And it needs to be called before any other output has been done.
As Helge Helwig said,
you need to add session_start() in the top of every page.
However, to make this easier, you can create a PHP document, where
you store all vital code like this, and call it; say init.php.
Then you can include 'init.php' at the top of every page, which would
clean up the code a bit.
Start a session on the page(s) that need to access session data. As part of a successful login, you should also call session_regenerate_id to prevent session fixation.
You can start the session once the user is authenticated.
After that you can store user-related information in $_SESSION and access this info from anywhere.
You should start the session after verifying the user's information, and then you can set the user's uid to a session variable, which could be useful afterwards in loading the user's personal information like profile, preferences etc.
On the register page I think you do not need to start a session.
Regards
Your session_start() will be called on each and every page that is secure and that is accessed after authentication. You will put the values in session both in login and register pages as they authenticate user. But once the user is verified, now you have to put this function on all pages which needs authentication of the user.