I am creating a login module in php. I am using session variables for that.
On the top of the file, I write
session_start();
Then when my login password is authenticated, I write
$_SESSION["username"] = $_POST["userid"];
Now do I need to do something else as well to ensure that the session that got started sustains? Because as soon as it logs in, it logs out automatically. Does it mean the session expires as soon as I log in? In that case, what should I do to make the session sustain?
Put session_start(); at the top of page where you will use the session variables.
And be sure you don't unset the session in your login script.
No, a session is meant to stay between requests. If you read $_SESSION['username'] on the next request, it will contain the data you saved in the previous request. Obviously, you need to put session_start(); at the beginning of every page you want to interact with it.
session_start() doesn't start the session, it starts the session engine. It must be run on every page you want to have access to the session on.
You need session_start(); at the top of all files you are going to access session data in.
At the top, put session_start(); also, on each page you want to use the session, you need this function.
The session sustains as long as you don't remove the session or close the browser; not sure whether it will expire sometime.
To check whether you are still logged in, you can access the session using $username = $_SESSION['username'];, or the function isset($_SESSION['username']) also helps.
session_destroy() destroys session data but does not unset any of the global variables associated with session or unset the session cookie.
So why should we destroy session?
Can we destroy a session at the end of the page each time the session starts at the beginning of that page, giving the same functionality without destroying as well?
session_destroy() will delete the session file (if file storage is used). Otherwise the session file will reside on the server until the garbage collection deletes it. So, if you want to make sure that the stored session data is removed from the server you have to call session_destroy().
Do not call this on every page! Only after the user logs out and you do not need the stored information anymore.
Your correct approach should be to run session_destroy, and then reload the page to force the session-changing actions (such as cookie deletion) to work; the session data in PHP then reloads and renews upon page reload.
Before running session_destroy you should also "manually" clean the session as well, so:
<?php
session_start();
if (count($_SESSION) > 0) {
    // Or some other more specific cursory check if the session is populated
    $_SESSION = array();          // drop every value held for this request
    session_destroy();            // remove the stored session data on the server
    header("Location: thispage.php"); // reload so the cookie changes take effect
    exit;
}
...
Page continues....
Also please reference this answer as to how to remove session cookies on the client browser.
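The full logout sequence the answer describes (clear the data, expire the cookie, destroy the server-side record, redirect and exit) as an added example; this is not code from any answer on this page, and it assumes a login.php page exists to redirect to:

```php
<?php
// logout.php: added example, not taken from the answers above.
session_start();

// 1. Wipe the session data held in memory for this request.
$_SESSION = array();

// 2. Expire the session cookie in the browser, using the same parameters
//    PHP used when it set the cookie, so the client really discards it.
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(
        session_name(),     // usually PHPSESSID
        '',                 // empty value
        time() - 42000,     // expiry in the past
        $params['path'],
        $params['domain'],
        $params['secure'],
        $params['httponly']
    );
}

// 3. Remove the session file (or other backend record) on the server.
session_destroy();

// 4. Redirect and stop executing so nothing after this reuses the old ID.
header('Location: login.php'); // login.php is an assumed page name
exit;
```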
I have issues related to the session variables and cookies. Whenever I am submitting the form I lose my session variables in the next redirected page. I have tried everything: session_start() at the beginning of each page, and other code provided in earlier articles. My session is started but I still could not get the session variables in the next page. What I found is that my cookies are not set; is this the problem? Suggest me a few ways to set the cookies or get access to my session variables.
Let's try to use exit like this everywhere when you are using a redirect.
header("Location: /...");
exit();
All the tutorials say to put session start. They don't say if that should be in all pages on the website, or some, or only 1.
And if it's only 1 page, does it have to be the main page? Or a page with a form that I am making that puts the session ID in the database? If the visitor never visits a page with a session id but they are on the site, do they still have a session id?
You need to put this in each page that needs to access the session data, before accessing (or creating) any session data.
See: http://php.net/manual/en/function.session-start.php
Just for a matter of completeness: you can choose to write session_start(); in all pages, in just one, or in none of them. Let me explain this.
You need to start the session in every script where you need access to the $_SESSION variable, but instead of putting session_start(); in every single script you can create a file headers.php and put there all your repetitive code, including session_start();
If everything in your application needs access to $_SESSION you can forget the use of session_start(); by simply setting session.auto_start = 1 in your php.ini file. You will be able to access $_SESSION without writing session_start(); before.
More here
Anything that is going to access Session variables needs to start the session.
So unless you have a PHP page that is non-dependent on the session, every page needs it.
You need to declare session_start(); in every page if you want to get data from $_SESSION or store data into $_SESSION in that particular page. If you do not need to interact with $_SESSION then you don't have to declare session_start().
A friend of mine starts his Session this way.
<?php
session_start();
session_regenerate_id();
session_destroy();
unset($_SESSION);
session_start();
?>
Are there any security advantages, against session hijacking etc.?
Just wondering why, as against the usual session_start();
All you'd need is
session_start();
session_regenerate_id();
That'll start the session and change its ID on each request. However, this will not prevent session hijacking. If the attacker can get the user's session cookie and send a request back to the server BEFORE the user can, then the attacker gets a brand new session ID, and the user is left with an invalid session token and is effectively logged out.
If this code is found at the top of every page on a given site, there will be no session that is maintained between post backs and different pages. If you want to use SESSION as server-side storage for data that you're not going to use across post backs or multiple pages then I suppose it may be viable, but that would make for a very odd and most likely poorly developed application.
What it looks like your friend may have been trying to do is wipe out any previous SESSION information and then start a new one. Perhaps he is checking against some quantifier and if it evaluates properly then including this in a PHP page? In any case calling Rocket's functions work better.
This code deletes the session then makes a new empty one each time it's run.
session_destroy();
unset($_SESSION);
This will remove all data in your session, then session_start will make you a brand new one.
You can run this the 1st time to make a new session, but if you want to have the data in the session on other page loads, you just need session_start.
I've scrapped all the tutorials that have never worked for one reason or another, and decided to roll out my own registration/login feature on my own, and to my surprise it actually works!
But what I don't get is how the logic behind keeping somebody logged in works! Like, once they've logged in, do I just $_POST their data to whatever other page they visit and once they're on the new page $_REQUEST that post data from the URL and display a message like: "yeah, you're still logged in"?
I'm a bit confused atm, so I hope this question doesn't confuse you too.
Let us say we have pages like login.php, after_login_page1.php, after_login_page2.php.
You can follow these simple steps:
Set $_SESSION['id'] = $userid; // userid from db, in login.php
Always have session_start() in the successive pages like after_login_page1.php, after_login_page2.php.
Check if(! isset($_SESSION['id'])){
header("Location: login.php");
}
At the logout.php page give $_SESSION['id'] = ''; and do a session_destroy().
The easiest IMO is to use a session.
Basically this is PHP automatically setting a cookie (or adding a piece to the URL, depending on your configuration) on the user's system and automatically loading it on each pageview. You can then add data to the session and, as long as the cookie didn't expire (or was deleted) and/or you don't destroy the session, you will have that data at your disposal on each pageview the user does.
Take a look here for a small intro to sessions: http://www.htmlgoodies.com/beyond/php/article.php/3472581/PHP-Tutorial-Sessions.htm
Once they have logged in you generally have two options. Store their details or an authentication token (something that will help the PHP on the server know who is who) in a session or store it in a cookie. Both have their perks, but you will need to choose the one that works for you.
If you store data in a session, the user cannot access what you have stored, only your code can. This is helpful if you want to store say, their id or username. You can trust that it would always be their id and username, because they cannot modify it.
With cookies, the user can access and modify them because they are stored on their local machines. Because of this, you need to be a bit more sneaky and hash the users details, then verify who it is with some server-side logic. It's a little more complex.
A session implementation might look like this:
session_start(); //Make sure you call this at the top of EVERY page
if($passwordsMatch){
$_SESSION['user'] = $_POST['username'];
}
//Now we have access to $_SESSION['user'] on every page.
On another unrelated page:
session_start();
print "Welcome, ".$_SESSION['user'];
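The login, protected-page and session_regenerate_id() pieces discussed in this thread, pulled together as one added example (not code from any answer here): the ID is regenerated once, right after the password check, so a session ID planted before login is discarded, while regular pages keep a stable ID. It assumes HTTPS, PHP 7.3 or later, and a hypothetical find_user($userid) lookup that returns array('id' => ..., 'password_hash' => ...) or null.

```php
<?php
// Added example; find_user() is a hypothetical database lookup.
// Harden the session cookie before the session is started.
session_set_cookie_params(array(
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS (assumes the site uses TLS)
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
));
session_start();

// login.php: verify the password, THEN regenerate the session ID once.
function login(string $userid, string $password): bool
{
    $user = find_user($userid);            // hypothetical lookup
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;                      // same answer for unknown user and bad password
    }
    // Regenerating here, not on every request, defeats session fixation:
    // whatever ID the client held before login is thrown away, and the
    // old session record is deleted (the true argument).
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user['id']; // server-side only; the client cannot alter it
    $_SESSION['login_time'] = time();
    return true;
}

// Call this at the top of every protected page, after session_start().
function require_login(): void
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Usage in login.php after the form is posted:
if (isset($_POST['userid'], $_POST['password'])) {
    if (login($_POST['userid'], $_POST['password'])) {
        header('Location: after_login_page1.php');
        exit;
    }
    echo 'Invalid login';
}
```

Logging out is the reverse: clear $_SESSION, expire the cookie, call session_destroy() and redirect, as in the session_destroy answer earlier on this page.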
The easiest way to "keep users logged in" is to use PHP sessions. When you run session_start();, PHP sets a cookie with the session ID in the user's browser so it can identify this user. After that, you can set any data in the $_SESSION array, which will be saved in the session between page requests.