Prelude:
Since several people asked me in the last couple of days about 'User Identification and Authentication With PHP Sessions',
I decided to write this quick tutorial...
Basic Idea:
A session allows you to store information about a current visitor,
without having to pass it from page to page via get or post.
For example, whether a user is logged in (and which one), and what rights he has.
Simple Usage:
Most of you have a standard 'header' file that you include at the top of every page. Before printing anything, you
should call session_start(). That will generate a random id for your session, which will be stored in a cookie(*) on the user's
machine. A session usually stays alive for about 15 minutes after the user's last page load, though this value may have been
changed on your server (in the php.ini, actually).
If session_start() detects that the user already has such an id, it will check whether the corresponding session still exists
(i.e. has not timed out yet) and restore it.
Once you have a session, you can store just about any PHP variable in it. The major exception is 'resources',
for example the result of mysql_query()... Usually, you wouldn't want to do that anyhow.
To store something in the current session, you would use $_SESSION['aName'] = $myVar;
Get it back by using $_SESSION['aName'], on any page that has called session_start(). That's about it.
QuickExample, basic user authentication:
code:
<?php
//this must be called before anything is printed, inside or outside of the php tags.
session_start();
if (isset($_POST['user'], $_POST['password']))
{
	if (doUserAndPasswordMatch($_POST['user'], $_POST['password']))
	{
		loginUser($_POST['user']);
	}
}
if ($myUser = getCurrentUser())
{
	//escape the name before printing it, it originally came from user input
	print 'You are logged in, ' . htmlspecialchars($myUser) . '.';
}
else
{
	print 'You are not logged in.<br>';
	printLoginForm();
}
function printLoginForm() //void
{
	//PHP_SELF is the path of the current script; escape it, since the request can put extra characters into it
	$action = htmlspecialchars($_SERVER['PHP_SELF']);
	print "<form method=\"post\" enctype=\"multipart/form-data\" action=\"{$action}\">";
	print '<input type="text" name="user" value="">';
	print '<input type="password" name="password" value="">';
	print '<input type="submit" value="Log in">';
	print '</form>';
}
function getCurrentUser() //string(username), or False
{
	if (isset($_SESSION['username']))
		return $_SESSION['username'];
	else
		return False;
}
function loginUser($user) //:void
{
	//issue a fresh session id on login, so an id that was set before the login cannot be reused
	session_regenerate_id(true);
	$_SESSION['username'] = $user;
}
function doUserAndPasswordMatch($user,$password) //:boolean
{
	//You'd probably replace that with a database lookup (and password_verify() against a stored hash)...
	return ((strtolower($user) == "shu") && ($password == "sha"));
}
?>
Appendixes:
(*) - There's a setting in php.ini, which if activated, will also transmit the session ID by appending it to post and get requests.
If that's not activated on your server, but you need to send it out, you can get the current session name with session_name()
and the session id with session_id(), and send it via post, for example with a hidden field: <input type="hidden" name="<?=session_name() ?>" value="<?=session_id() ?>">
PostPosting:
All, and any, feedback is appreciated, before this baby goes into the faq.
I'd be especially happy if someone could tell me once and for all whether to spell 'logged in' with one, or two.
Ps: I hope the tabs make it.
PPs: I really hope the tabs make it ;-)
Edit PPPs: They didn't. had to [ code ] the whole thing...
Edit 2, PPPPs: That looked much worse.
so long,
Tyberius Prime
[This message has been edited by Tyberius Prime (edited 06-12-2003).]
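A hardened variant of the login flow above, added here as an example and not part of the original post. It assumes PHP 7.3 or later; IDLE_LIMIT, startSecureSession() and the $users array are names made up for this sketch, and the password store is constructed sample data.

```php
<?php
// Added example, not the tutorial author's code.
const IDLE_LIMIT = 900; // assumption: seconds, matching the "about 15 minutes" above

function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept the id from GET/POST
    ini_set('session.use_trans_sid', '0');    // never append the id to URLs
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'httponly' => true,                   // keep the cookie away from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(array $users, string $user, string $password): bool
{
    $name = strtolower($user);
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);     // new id at login, the old one becomes useless
    $_SESSION['username']  = $name;
    $_SESSION['last_seen'] = time();
    return true;
}

function getCurrentUser() // string (username) or false
{
    if (!isset($_SESSION['username'], $_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];              // idle too long: drop the login on the server side
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time(); // activity resets the idle timer
    return $_SESSION['username'];
}

// Constructed sample store; a real site reads the hash from its database.
$users = ['shu' => password_hash('sha', PASSWORD_DEFAULT)];
startSecureSession();
if (is_string($_POST['user'] ?? null) && is_string($_POST['password'] ?? null)) {
    loginUser($users, $_POST['user'], $_POST['password']);
}
$current = getCurrentUser();
print $current !== false
    ? 'You are logged in as ' . htmlspecialchars($current, ENT_QUOTES, 'UTF-8')
    : 'You are not logged in.';
```

The idle check is enforced in the application because the server-side session garbage collection only runs occasionally and does not guarantee that an expired session is gone at the moment of the next request.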