Is it good to wipe $_SESSION before using it? - php

I am still new to sessions.
Is it good to wipe $_SESSION before using it?
example:
$_SESSION = array();
$_SESSION['id'] = 1;
$_SESSION['name'] = 'Someone';
I am asking for your opinion, guys,
because I don't have much experience with sessions.
In my awkward logic,
maybe I will forget to log out of the admin session
and log in to the member session,
so maybe some $_SESSION values from admin will still be in the $_SESSION array.
Additional:
1. I was an admin user and had not logged out of the admin page yet.
2. Now I go from the admin page to the member login page.
What should I do here?
Kick admin to the admin page because he is not member?

Nope. In fact, it's really bad and your example code will render your sessions useless.
When you call session_start() you are either given an empty $_SESSION or you get back the data you saved to $_SESSION on a previous page load. For more information on sessions check out the PHP docs:
http://php.net/manual/en/book.session.php
http://php.net/manual/en/function.session-start.php
About logging in and out: Your logout process has to destroy whatever session data identifies the user (probably their ID). Typically this is done by using unset, i.e. unset($_SESSION['user_id']).
I can't imagine any other way to log out a user, maybe if you provided more information I could give you a better answer about this.
Regarding your addition, it looks like your authentication system could use some work. You shouldn't be able to get to a login page when you are already logged in (even as admin, since it's just another user with higher privileges, right?). If you manually type in the login URL after you're logged in, then it should redirect you to the homepage.
Here's a fantastic write-up on this topic; I should have done some research! Thanks #HamZa
The definitive guide to form-based website authentication
And here's my super basic pseudo code auth process:
Does the current page require authentication?
  Yes:
    Is the user logged in?
      Yes:
        Does the user have the correct privileges to view the page?
          Yes:
            AUTHENTICATED! Show page
          No:
            Print a message that says something like, "You're in the wrong place amigo"
      No:
        Redirect to login
  No:
    Show the page
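The pseudocode above worked into a small PHP helper, as an added example that is not code from this answer; it also covers the "check the login on every page" question the related threads below ask. find_user() is an assumed placeholder for your own user-table lookup. Note that clearing $_SESSION at login and logout is fine, because at that moment the session is meant to be empty; clearing it at the top of every page, as in the question, throws away what session_start() just restored.

```php
<?php
// Added example (not from this answer): the pseudocode above as a small
// session helper. find_user($username) is assumed/hypothetical and would
// query your users table; it returns ['id', 'password_hash', 'role'] or null.

function auth_bootstrap(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                // before any output, on every page
    }
}

function login(string $username, string $password): bool {
    auth_bootstrap();
    $user = find_user($username);
    // password_verify() checks against a password_hash() value in constant time
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    $_SESSION = [];                     // drop data left by a previous user
    session_regenerate_id(true);        // fresh ID, old one deleted: blocks fixation
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
    return true;
}

function logout(): void {
    auth_bootstrap();
    $_SESSION = [];                     // unset every key, not only user_id
    $p = session_get_cookie_params();   // expire the browser's cookie too,
    setcookie(session_name(), '', time() - 42000, $p['path'],   // or it keeps
              $p['domain'], $p['secure'], $p['httponly']);      // sending the old ID
    session_destroy();
}

function require_auth(?string $role = null): void {   // top of protected pages
    auth_bootstrap();
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;                           // header() alone does not stop the script
    }
    if ($role !== null && ($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);
        exit("You're in the wrong place amigo");
    }
}
function redirect_if_logged_in(): void {              // top of login.php itself
    auth_bootstrap();
    if (isset($_SESSION['user_id'])) { header('Location: /index.php'); exit; }
}
```

Call require_auth() (or require_auth('admin')) as the first line of each protected page and redirect_if_logged_in() on the login page, so a logged-in admin typing the login URL is sent away instead of being handed a second login form.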

Related

Prevent users from accessing member pages by entering cached url

I have a website where members have to log in, but I noticed that after logging out they can simply enter any page URL in the browser and go back in without using the login form. How do I prevent this?
What I mean is I believe there is a way for me to check if the session is valid on all pages. Even non users can put the url in their browsers and enter without logging in.
Use the SESSION variable in PHP.
session_start();
$_SESSION['login'] = true;
This basically creates a SESSION variable called 'login' which can be used to verify whether a user is logged in.
Now, all you have to do is check the variable like this :
session_start(); // needed before $_SESSION is readable on this page
if(isset($_SESSION['login']) && $_SESSION['login'] === true){
/*GOTO USER PAGE*/
}else{
/*REDIRECT SOMEWHERE ELSE */
}
To create a logout button, to ensure users can't copy-paste the URL again and enter,
session_start();
$_SESSION = array(); // clear the data held in this request as well
session_destroy();
will work just fine.
What you need to do is create a proper login system using something like a session. There are countless tutorials you'll find about this by googling "php login tutorial with session". Here is one of those results.
At the heart of all of these are PHP Sessions, which allow you to store information for a specific client throughout their browser session. To understand sessions in php, here's a basic tutorial
Let me know if these make sense or if you have any questions :)

How to Prevent User from Logging in Twice

I'm creating a website and I'd like to prevent the user from logging in twice. How would I do that?
Sorry for not being specific. I meant that I don't want to show the login page once the user has logged in. It looks like the answer about using the $_SESSION is the best option.
I'm using PHP by the way.
You will have to use the session, e.g. $_SESSION. Store user info first on logon and then check if that is set and redirect him to some other page you like, like profile, panel or even home page.
See the manual for more information:
http://php.net/manual/en/features.sessions.php
On your login page put a bit of logic that detects if they are logged in. If so, redirect them to their profile page or wherever else you want them to go.
I'm not exactly sure how you would do that, but you would have to restrict logins to 1 for every IP address. Is that what you are asking? Please be more clear about what you are trying to ask.
What language are you using?
I would create a cookie for the user or set a session if php, then you can just check if the session is set in the header of each page.
Create two cookies, one for logged in and the other for redirection. Use the session to find the user's login activity. If the user tries index.php, redirect him to home.php or any other page.
Yes use the isset session feature to check if the user is logged in. If they are logged in then use a header location redirect to redirect the user to whatever page you want them to view.
session_start();
if(isset($_SESSION['username']) && isset($_SESSION['password'])){
header("Location: members.php");
exit; // stop the rest of the page from running after the redirect
}
Here is an example of how to do it with sessions using DALMP - Database Abstraction Layer for MySQL using PHP

When to start a session?

I have a system that requires the user to login (or register) for an account before they are able to access their Member 'dashboard'.
My question is... at what point do I session_start()? On the login page and the register page? Or after the user has successfully authenticated?
Thanks.
You need to include session_start() on every page where you want the session data to be accessible. And it needs to be called before any other output has been done.
As Helge Helwig said,
you need to add session_start() in the top of every page.
However, to make this easier, you can create a PHP document, where
you store all vital code like this, and call it; say init.php.
Then you can include 'init.php' at the top of every page, which would
clean up the code a bit.
Start a session on the page(s) that need to access session data. As part of a successful login, you should also call session_regenerate_id to prevent session fixation.
You can start the session once the user is authenticated.
After that you can store user-related information in $_SESSION and access this info from anywhere.
You should start the session after verifying the user's information, and then you can set the user's uid in a session variable, which could be useful afterwards in loading the user's personal information like profile, preferences etc.
On the register page I think you do not need to start a session.
Regards
Your session_start() will be called on each and every page that is secure and that is accessed after authentication. You will put the values in the session on both the login and register pages, as they authenticate the user. But once the user is verified, you have to put this function on all pages which need authentication of the user.

How to go about implementing a "confirm password" page, when the user is already logged in?

On my website that I'm developing I've already got all my login sorted, and it works correctly, including session saving.
To improve the user's security and privacy I'd like to implement some kind of "confirm your password" page whenever the user requests to view a sensitive page (such as an activity log, or changing some settings) to further protect against session hijacking. I am, however, not sure how to go about doing this.
I'm unsure of the security best practices for this, and as this project site is a learning curve for me, I'd appreciate being taught.
The structure that I think I'm aiming to achieve may be like this: current page --(user goes onto history log)-> Please confirm your password --(user gets the correct password)-> history log page 1 --(user wants the next page of the history log)-> history log page 2 --(user goes to the home page)-> home page --(user goes onto history log)-> Please confirm your password --(user gets the correct password)-> history log page 1
From what I understand about doing this correctly I need to make it so that once the user navigates away from the History Log they're no longer authorized to view it.
If someone could provide some tips on how to do this, I'd greatly appreciate it. I've tried to search for some tutorials, but couldn't find any (it's completely possible I chose bad search terms); if someone could even just offer a link to a tutorial then that would be greatly appreciated too.
Thanks, Jordan.
I would simply add a $_SESSION variable for this user that gets reset when he navigates on any page that is not the history log.
Furthermore, I'd use a general mechanism like this:
On all your pages, set a
$page_section = 'something';
And then, include a small snippet that does:
if(isset($_SESSION['last_visited_section']) && $_SESSION['last_visited_section'] != $page_section){
//New section visited, you could reset $_SESSION['last_visited_section'] or anything relative to your security mechanism here
}
Is that of any help?
If you are concerned about session hijacking, use https and set the session cookie https only.
For confirming a password, ask them to enter it the same way you do for login and check to make sure the hash matches what it is your user table the same way you do for login.
I create an object called $scookie which I use to define how I want my sessions.
session_set_cookie_params(
$scookie->lifetime,
$scookie->path,
$scookie->rootDomain,
$scookie->secure,
$scookie->httponly);
session_start();
In the above, when I am concerned with hijacking (anything that has a user login), I make sure $scookie->secure is set to true.
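The "confirm your password" gate and the secure cookie settings from this thread, worked into one snippet as an added example (not code from any answer here). current_user_hash() is an assumed placeholder for your own user-table lookup, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from this thread): a "confirm your password" gate for
// sensitive pages, dropped as soon as the user visits another section.
// current_user_hash() is assumed/hypothetical: it returns the logged-in
// user's password_hash() string from your users table. Needs PHP 7.3+.

const REAUTH_MAX_AGE = 300;             // seconds a confirmation stays valid

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) return;
    // cookie only over HTTPS, hidden from JavaScript, not sent cross-site
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

function track_section(string $section): void {
    start_secure_session();
    // leaving the section the user confirmed for invalidates the confirmation
    if (($_SESSION['last_section'] ?? null) !== $section) {
        unset($_SESSION['reauth_at']);
    }
    $_SESSION['last_section'] = $section;
}

function confirm_password(string $password): bool {
    start_secure_session();
    if (!password_verify($password, current_user_hash())) {
        return false;                   // same check as the normal login
    }
    session_regenerate_id(true);
    $_SESSION['reauth_at'] = time();
    return true;
}

function require_recent_reauth(string $section): void {
    track_section($section);            // e.g. 'history_log' on both log pages
    $age = time() - ($_SESSION['reauth_at'] ?? 0);
    if (!isset($_SESSION['reauth_at']) || $age > REAUTH_MAX_AGE) {
        unset($_SESSION['reauth_at']);
        header('Location: /confirm_password.php');
        exit;
    }
}
```

Every ordinary page calls track_section() with its own section name and only the sensitive pages call require_recent_reauth(); the confirm page itself calls confirm_password() and then sends the user back, and the confirmation survives only while they stay inside that one section.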

PHP login user logic

I've scrapped all the tutorials that have never worked for one reason or another, and decided to roll out my own registration/login feature on my own, and to my surprise it actually works!
But what I don't get is how the logic behind keeping somebody logged in works! Like, once they've logged in, do I just $_POST their data to whatever other page they visit and once they're on the new page $_REQUEST that post data from the URL and display a message like: "yeah, you're still logged in"?
I'm a bit confused atm, so I hope this question doesn't confuse you too.
Let us say we have pages like login.php, after_login_page1.php, after_login_page2.php.
You can follow these simple steps
Set $_SESSION['id'] = $userid; // userid from db, in login.php
Always have session_start() in the successive pages like after_login_page1.php, after_login_page2.php.
Check:
if(! isset($_SESSION['id'])){
header("Location: login.php");
exit; // stop the page from rendering after the redirect
}
On the logout.php page set $_SESSION['id'] = ''; and do a session_destroy().
The easiest imo is to use a session.
Basically this is PHP automatically setting a cookie (or adding a piece to the url, depending your configuration) on the user system and automatically loading it on each pageview. You can then add data to the session and as long as the cookie didn't expire (or was deleted) and/or you don't destroy the session, you will have that data at your disposal on each pageview the user does.
Take a look here for a small intro to sessions: http://www.htmlgoodies.com/beyond/php/article.php/3472581/PHP-Tutorial-Sessions.htm
Once they have logged in you generally have two options. Store their details or an authentication token (something that will help the PHP on the server know who is who) in a session or store it in a cookie. Both have their perks, but you will need to choose the one that works for you.
If you store data in a session, the user cannot access what you have stored, only your code can. This is helpful if you want to store say, their id or username. You can trust that it would always be their id and username, because they cannot modify it.
With cookies, the user can access and modify them because they are stored on their local machines. Because of this, you need to be a bit more sneaky and hash the users details, then verify who it is with some server-side logic. It's a little more complex.
A session implementation might look like this:
session_start(); //Make sure you call this at the top of EVERY page
if($passwordsMatch){
$_SESSION['user'] = $_POST['username'];
}
//Now we have access to $_SESSION['user'] on every page.
On another unrelated page:
session_start();
print "Welcome, ".$_SESSION['user'];
The easiest way to "keep users logged in" is to use PHP sessions. When you run session_start();, PHP sets a cookie with the session ID in the user's browser so it can identify this user. After that, you can set any data in the $_SESSION array, which will be saved in the session between page requests.
