I have a table with colname(INT) which i would like to pass its value to use with my $_SESSION variable
What i want to do:
I want all my protected pages not to viewed more than a certain time which would be determined by the value of a colname(INT) use with $_SESSION.
SOLUTION:
Just to determine/limit how long a user spends on all protected pages active or inactive.
You can try this link
How to set session timeout code in PHP
Also, I don't see a point why you are storing password in session (Register username and password as session variables). You can validate the login credentials from DB and only then store some data about the user in session.
OK as I understood your question you want to restrict a user to view a particular page only for few times.
You can do that by saving the views in database that is OK.
And you want to store the views in $_SESSION as the user login.
You can do that as follows:
if(login = success)
$_SESSION['viewCount'] = mysql_query("SELECT views FROM user WHERE userId=".$username.";");
I hope this will help
Related
I have user information that I stored in array session (only when user successfully login). When I update the user information using my web form, I realized that the user information that stored in session is not up to date with the database value.
Does that mean the session only memorizing those assigned data once till it meet with a function that replacing the data stored in session? So if I want to get the updated data from database, I need to keep re-assigned back the data session?
EDIT
I have this code in my Homepage_controller to fetch user information when they successfully login and store in session.
$_SESSION['user'] = $this->Homepage_model->fetchUser();
Then user will be redirected to profile page which is using different controller User_account_controller and from this controller I used to update user profile and will keep using the $_SESSION['user'] that been set from the Homepage_controller
As I can understand your post you are assigning session variables on login.
While you are logged in you change the data in database and want to update session variables?
If so you need to query database, retrieve new values and assign to session variables again.
how to manage two or more session in a single project?
i have two or more different session to manage for example the login of a user and some action that the user is doing in the site and when user has finished to do the specific action that specific session will be destroyed or unsetted, without logout the user.
A session can contain more than one value. Store the login as something like $_SESSION['user'] = 123 and your action as a different value, like $_SESSION['current_action'] = 'posting to stack overflow'.
Then, you can do $_SESSION['current_action'] = null to clear it out without destroying the session itself and all the other important data in it.
I am building a website that allows user to sign in. I currently have the register & login set up using jQuery -> php(on server) -> db and back, but now I am at lost on how to handle once the user logs in.
For example, if I wanted to call up user's data in member's page, how should I verify that the user is the authentic user? Should I save the id and password as variables/cookies(is it even safe?) and use that to get the user's info in the member's page? Or is there a better way to handle user's data more securely?
I tried looking all over the place but I couldn't find a good place where architecture was explained well so I'm turning to SO for help!
Thanks in advance!
You should check the login status in every page.
During login save the user id in a session variable and use another one simply as a flag namely
$_session['user_id'] = 24; // user id in db
$_session['is_user_logged_in'] = 1; //set a flag
check the value of 2nd session variable in every page
session_start();
if(!isset($_session['is_user_logged_in'] || $_session['is_user_logged_in'] !=1)){
header('location:login.php');
}
I suggest you to write this code in a separate file (login_check.php) and include it in every file
include 'login_check.php'
following this procedure will help you to get login status and id of current logged in user wherever you want.
And in logout page you have to destroy all you session values by using
session_destory();
Abhinav pointed me in the right direction, but just in case someone else stumbles across the same problem, correct starting place is the php session.
http://www.formget.com/login-form-in-php/ - an excellent tutorial on php login with sessions
I would like to make my website to allow only one session at a time. For example, let say user has login to my website on firefox, if the user login again to another browser like opera on the same computer or different computer, the session on firefox will be destroyed. However, the session on firefox remained if it remains as one session. May I know how can I do that? I am using php and apache. Thank you.
Regards.
Benjamin
I'll suggest you to do something like this:
Suppose when user "A" loges in to the "Com_1", for the first time. Save a unique code in the database against that session, and same with the user session.
At the mean time if he (user "A") loges in again on "com_2", then check his status in the database and update the unique code in the database.
again back if same user (user "A") refreshes the page on "com_1", we all you need to do is check the unique code from the session and match it to the database, It is for sure it will not match, then log it out and destroy the session.
For keeping the user loggedin, even if browser is closed, you can store the cookie on the browser, and re-generate the session accoordingly.
Hope this helps. Thank you.
You can use the following algorithm
create an integer field in the databse userLoggedInCount
On each login increment that flag and store the result in the session.
On each request check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database
whenever a session is destroyed decrement the value as well
Credits to Bozho because he posted this, answering to a question
here
Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.
I think you'd have to do something like that :
add a "last_session_id" column to your user table
when a user logs in, update its last_session_id field with its current session id
on each page, if the user has an authenticated session, check if the session id is equal to the one recorded in your database. If not, destroy this session.
Store session id in the database. retrieve last login session id from db, set session id using session_id(oldid) and change session variables related to authentication like $_SESSION['LOGIN']
and destroy the session and create new session with new session id. follow example for logic https://www.php.net/manual/en/function.session-create-id.php.
this will make the last login allowed. validate on each page session variables related authentication. this makes it session invalid because of this session_id reset by a new login.
Save users' IP=>SESSION_ID pairs in a database. When user try to load your page you must compare the actual IP=>SESSION_ID pair then allow/deny if the pair is ok/different.
lets say i have a session called $_SESSION['id_user']
and it stores session of the user id. Lets say that the user profile is www.example.com/profile.php?id=123
if I want to check if that profile is the user and if i do something like
if(isset($_SESSION['id_user']))
{
if($_SESSION['id_user']==$_GET['id']){print something since this is the users own profile}else{print nothing}
}
Is the above code good enought? or is their any security problem? or is it wise to compare GET variable with SESSION variable? its not printing anything that will give user identity away or anything I just want to show a (edit profile button) for the user that is visiting his own profile.
Yes, it is safe - the session is stored on the server and a user cannot change the session data manually. Unless their session is hijacked, then only they will be able to see their own profile.
For piece of mind (and to prevent possible SQL injections I'd just cast the two variables as (int)s before using them (also cuts down on having to write $_SESSION['id_user'] multiple times. I would also use === which checks the variables without any type conversions.
As mentioned in the comments by Thomas, if you've got the users ID in the session already, then unless you need to (differentiate between profiles), just use that and don't send the user ID over GET.