How to identify user access privileges using PHP and MySQL? - php

I have developed a login page using PHP which is used by teachers and students for log-in.
After login, I can create a session variable to keep him/her logged in until he logs out.
$_SESSION['id']=12;
Now when they log in for the first time, I want them to enter extra information, by providing them with different forms depending on whether he is a teacher or a student.
Now my question is how will I identify the type of user during his session?
What changes do I need to make in Session variable or what extra information do I need to store?
(I already have created the database with default passwords for all teachers and students and now need to enter extra information from them as I described).

If you can retrieve the user's information on the fly from the database, the best thing to do (if there are only two roles and not extensive permissions) is add a role field to your users table.
Make it a boolean, so that 0 = student, and 1 = teacher.
You would then check for this using an if() statement to decide which form to display, e.g.
if ($user_data['role'] == 0) {
    // Display student form
} elseif ($user_data['role'] == 1) {
    // Display teacher form
}
You could store this in a $_SESSION['role'] variable if you don't want to have to get this from the database every time you reload the page.

There are numerous ways to achieve this. If you’re storing the user ID in the session, then you can look up the user’s details and permissions based on their ID. So if you have a user_type column in the database table where you store whether the user is a teacher, student, goblin or whatever, then you can check the value of this in your PHP script.

If you need to save the information (username, password, teacher or student as a flag) in the session, you can do as follows: after login, you save $_SESSION['username'], $_SESSION['password'], $_SESSION['flag']; then the session values will be strings and saved in the session file.

Let's make this easy:
I would rather change my database and add one more column named "access" or "privilege",
1 for the teachers and 2 for the students.
You can filter on the status, which defines which menu should show up.
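
A sketch of the approach the answers above describe, as an added example that is not from the original posts: the role is read from the database once at login, cached in the session next to the id, and mapped to a form through a whitelist so that an unexpected value gets no form. The role column, the 0/1 values and the form file names are assumptions, and an in-memory SQLite table stands in for the MySQL users table so the file runs on its own.

```php
<?php
declare(strict_types=1);

// Assumed schema: users(id, username, role) with 0 = student, 1 = teacher.
const ROLE_FORMS = [
    0 => 'student_details_form.php', // hypothetical template names
    1 => 'teacher_details_form.php',
];

/** Call once, right after the password check has succeeded. */
function startUserSession(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $role = $stmt->fetchColumn();
    if (!is_numeric($role)) { // no such user, or role is NULL
        throw new RuntimeException('No usable role for this user');
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    $_SESSION['id'] = $userId;
    $_SESSION['role'] = (int) $role; // set by the server only, never taken from the request
}

/** Form for the logged-in user, or null when the stored role is not a known one. */
function formForCurrentUser(): ?string
{
    $role = $_SESSION['role'] ?? null;
    return is_int($role) ? (ROLE_FORMS[$role] ?? null) : null;
}

// Constructed demo data; user 14 carries a role value the application does not know.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role INTEGER)');
$pdo->exec("INSERT INTO users VALUES (12, 'alice', 1), (13, 'bob', 0), (14, 'eve', 7)");

$_SESSION = [];
foreach ([12, 13, 14] as $id) {
    startUserSession($pdo, $id);
    echo $id, ' => ', formForCurrentUser() ?? 'no form (unknown role)', PHP_EOL;
}
```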

Related

User profiles to display info dependant on owner with php

I have set up a basic system where users can sign up, login and view their own profile. However, currently their information is displayed on the profile page using a SESSION variable to store their username. All other data is then based on this. However, if they then view another person's profile, the information will not be correct because it will alter to show whatever result was pulled from $_SESSION.
How would I create properly functioning profile pages. A good example of what I am trying to achieve would be YouTube. Whenever a user adds a comment, their username is attached, this then acts as a link to their profile.
I don't have any code for this. I wouldn't know where to start.
Because there is no code for me to try and help you out, I will give you a few pointers.
First of all, don't use the usernames of the users to identify and link them to their profile; 2 or more people could have the same username, then you are screwed. Rather, use their IDs to uniquely identify them.
Keep the data of the user that is currently logged in in the session variables, because you don't want to lose this when he navigates away from the browse user profiles page.
If you use the users' IDs to identify them, you can send their ID through the URL without too much of a security issue. So where you display all the users to view, you can create a URL that looks something like this: href="user_profile.php?user_id=<?php echo $user_id; ?>". Then on the page where you want to view the user profile that has been selected, you can use $_GET['user_id']. You can then use the ID to get all the details for that specific user by querying the database for a user with this user_id.
Destroy the session when the user logs out, so you can get proper data.
You are using the session username of the user who is logged in,
so the user who is logged in can view his own profile with the session username.
If the user wants to view the profile of another user, then you have two ways to do it.
1. Create another page to view any user profile. Pass the username as a query string and find the user information which you want to display.
or
2. Use the same page of the user profile for your own and others, and pass the username on this page whose information you want to display.
You have to apply a condition there: if a username is passed through the POST or GET method, retrieve the information of the passed user; if it is not set, retrieve the information of the user who is in the session (own information).
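
The profile page described in the answers above, as an added example that is not from the original posts: the id from the URL is validated as a positive integer, the lookup uses a prepared statement, output is HTML-escaped, and the "edit" link is decided from the session rather than from the URL. The users columns (id, username, bio), the $_SESSION['id'] key and edit_profile.php are assumptions; in-memory SQLite stands in for MySQL.

```php
<?php
declare(strict_types=1);

/** Whose profile to show: a valid ?user_id=N wins, otherwise the logged-in user's own id. */
function resolveProfileId(array $query, array $session): ?int
{
    if (isset($query['user_id'])) {
        $id = filter_var($query['user_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return $id === false ? null : $id;
    }
    return isset($session['id']) ? (int) $session['id'] : null;
}

/** Fetch only the columns meant for display (assumed: id, username, bio). */
function loadProfile(PDO $pdo, int $userId): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderProfile(?array $profile, array $session): string
{
    if ($profile === null) {
        return '<p>Profile not found.</p>';
    }
    $esc = fn ($v): string => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    $html = '<h1>' . $esc($profile['username']) . '</h1><p>' . $esc($profile['bio']) . '</p>';
    // Ownership comes from the session, never from a request parameter.
    if ((int) $profile['id'] === (int) ($session['id'] ?? 0)) {
        $html .= '<a href="edit_profile.php">Edit my profile</a>';
    }
    return $html;
}

// Constructed demo: $query and $session mimic $_GET and $_SESSION for four requests.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'norman', 'Hi'), (2, 'a<b>c', 'Second user')");
$session = ['id' => 1];
foreach ([[], ['user_id' => '2'], ['user_id' => '2abc'], ['user_id' => '99']] as $query) {
    $id = resolveProfileId($query, $session);
    echo renderProfile($id === null ? null : loadProfile($pdo, $id), $session), PHP_EOL;
}
```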

Editing session data of a user who is logged in

Is it possible to edit the session data of a user who has logged in?
E.g. user norman logs in, and the following session cookie is set: $_SESSION['addPost']=0
This means a user can add posts. Let's say I want to block that user from adding posts. I need to set that cookie to 1. Can I change the cookie value? Because, until a user logs out and logs in again, it will not change, and he'll still be able to add posts.
How can this be done?
Do not edit the session variable. There's much better approach for this purpose.
Use one more column in users table named post_access. If you allow Norman to post, its value would be 1, while blocked user will get 0.
Let's say you have blocked a user from posting, so you have changed the value in post_access column to 0 in users table.
Now in the script of your post creation, before posting the data, make a condition if user's post access is set to 1 or not by comparing with the new queried user data from table 'users' using session name of author.
Sample:
// $pdo is assumed to be your existing PDO connection. Use your own queries; just mind the logic.
$stmt = $pdo->prepare('SELECT post_access FROM users WHERE user = ?');
$stmt->execute([$_SESSION['user']]);
$post_access = (int) $stmt->fetchColumn(); // a missing row counts as blocked
if ($post_access === 1) {
    // post the data
} else {
    // Bro you are blocked
}
This would be the most effective way to control posts.

Avoiding multiple logins to an account from different locations

I want to restrict multiple logins of the same user from different locations. How can I identify a user's multiple logins from different locations in the same/recent times? I think some flags and IP checking in a table might be a possible solution, but are there any better solutions?
Update:
I think the session or cookie might help if it is for a single machine. Like when users log in for the first time, create an activation key and store it, and every other time when users log in to that machine, check the cookie value, and likewise.
I would resolve something like that by making, in the user table, an activeKey column. Every time the user logs in, the activeKey is changed (a simple way: substr(md5(time().$username), 0, 16)) and stored in the session. Every time the webpage is refreshed/entered, the key would be checked. If it doesn't match, then logout with info. On correct logout key would be set to NULL, so when it could give a flag.
This method could be combined with IP address, but only IP address could be cheated, same with MAC, and so on.
That is a main idea. There could be additional data like last login date, IP last login date, and so on.
You can have a table containing the IDs and the IP addresses of the users that are currently logged in. Just check against this table every time someone logs in.
Here's a solution that doesn't require constant database access to work...
(which will avoid the requirement to check the session_id() against the database value every time you request/refresh a page, relieving db/server stress)...
1. On login, grab the pre-existing session_id stored in the DB for this user and do this:
session_id("the pre-existing session id in the database goes here");
session_start();
session_destroy();
2. Then start a new session and save this new session_id to the database, overwriting the previous one. This will logout the previous session on this user if there is one active (effectively logging out the other guy using this account).
Give it a try and let me know if that does the trick!!
NOTE: This is "in theory" as I haven't yet tried it. It's based on this accepted stackoverflow answer. And you should probably manually create the session_id based on something unique to each user, that way you don't wipe out a session that someone else is using that happened to be the same as the session last used by the user you are doing a check for.
I think, just have extra 2 columns for each user - "LastLoginTime" and "IPAddress" in your Users table. If the duration is too short and IPAddress vary then you can give a warning to the user. Additionally you can also inform the City & Country from which the user is logged in.
I would add in the users table an ipAddress column, a LastLogin date column, LogStatus column with boolean values (actually MySQL uses 1/0 for boolean) to check if the user is logged in or not, a Country column (although this could be bypassed by using proxy), and a blockedStatus column, again with 1/0 values, that would check if the user is blocked or not.
Then at the login page, you'd check if the user is logged in, then he can't log in; if he was recently logged in, and the country is different, then something is happening and you would need to block the account and send an email with a link to unblock the account if the legitimate user was the one logging in.
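
The activeKey idea from the first answer in this thread, as an added example that is not from the original posts: each login rotates a per-user key, every request compares the session's copy with the database, and an older session stops matching as soon as a newer login happens. It generates the key with random_bytes() instead of the md5(time().$username) shown in the answer, since a key built from the clock and the username can be guessed; the function names and the users(id, username, activeKey) layout are assumptions, and in-memory SQLite stands in for MySQL.

```php
<?php
declare(strict_types=1);

/** On successful login: rotate the key so any older session stops matching. */
function issueActiveKey(PDO $pdo, int $userId): string
{
    $key = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $pdo->prepare('UPDATE users SET activeKey = ? WHERE id = ?')->execute([$key, $userId]);
    return $key; // the caller stores this in $_SESSION['activeKey']
}

/** On every request: is the key held by this session still the current one? */
function sessionIsCurrent(PDO $pdo, int $userId, string $sessionKey): bool
{
    $stmt = $pdo->prepare('SELECT activeKey FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $current = $stmt->fetchColumn(); // false: no such user, null: logged out
    return is_string($current) && hash_equals($current, $sessionKey);
}

/** On logout: no key is valid until the next login. */
function clearActiveKey(PDO $pdo, int $userId): void
{
    $pdo->prepare('UPDATE users SET activeKey = NULL WHERE id = ?')->execute([$userId]);
}

// Constructed demo: one account, two logins from different places, then a logout.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, activeKey TEXT)');
$pdo->exec("INSERT INTO users (id, username) VALUES (1, 'norman')");

$laptopKey = issueActiveKey($pdo, 1);
$phoneKey = issueActiveKey($pdo, 1); // second login replaces the first key

// The laptop session was superseded by the phone login and should be logged out.
var_dump(sessionIsCurrent($pdo, 1, $laptopKey));
var_dump(sessionIsCurrent($pdo, 1, $phoneKey));

clearActiveKey($pdo, 1);
// After logout the phone's key no longer matches either.
var_dump(sessionIsCurrent($pdo, 1, $phoneKey));
```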

How to display a tutorial / information on users first login?

I am building a social network site, and I am wondering how I can display an interactive tutorial and information on users' first login.
Such as, only on the first login, users are asked to fill in more information on their profile.
How can I achieve this through PHP and MySQL?
Example:
When a user signs up to your website, you can add a field which stores the date of their last login. When that field is still NULL for example - it's their first login.
You could achieve this by simply adding a column to your userprefs table (or whatever you use to store your user-specific settings), with a boolean/int defining whether they've completed the tutorial.
Upon completion (or when the user clicks Dismiss), you set the value for that user to true/1.

"Favorites" feature using cookies and sessions (PHP & CodeIgniter)

I'm trying to implement a "favorites" feature to my site and I was wondering on how to go about storing this data. What I'd like to do if possible is have the user favorite things and store it in the DB - that way I could use the data to personalize search results.
I'm also trying to have it so there is a smooth transition between favorites in a non logged in state to a logged in one (allow the user to save favorites anonymously but if logs in transfer/ask to transfer those to his account)
How would I be able to store this data for long periods of time? I'm currently using DB encrypted sessions and I was thinking of extending the session time or setting it to not expire. That would probably lead me to some security issues no?
I'd appreciate the help,
Cheers.
Well, if I understand, what you want is that a registered user can set "something" as a favorite. Since this is an M:N relationship (strictly from a database point of view), I would recommend a table storing these relationships, i.e. supposing you have a user and a topic table, the SQL would look similar to this:
create table favorite(user_id integer not null references user, topic_id integer not null references topic);
At least this is what most DB books will tell you to do. If you don't have a user table (I suppose you have one for that "something" you want to mark as favorite), you could just store the id you assign to the user whenever s/he logs into the system. Hope to have been of help.
Create actual users out of your anonymous sessions. Persist them in the database without login credentials and associate favorites or whatever else you store with their user ID. If they sign up before they clear their cookies, you just add their login/profile info to the existing user ID and all the favorites they've created are already in the right spot. One system for both logged in and logged out users, not two.
