#1
authentication using sessions - a question
Hello,
I am using sessions to have a restricted area of a site, where users should have access after they authenticate. I am storing usernames and passwords in a MySQL database. I am working with sessions using cookies, which is the default for PHP (I think). I store the userid of my visitor as an element of the $_SESSION array.

My question is this: Do we typically have to check at the beginning of every page of the restricted area that the requesting user is authenticated? Meaning, do I have to check at the beginning of every page that $_SESSION['userid'] exists in my database?

I think: using sessions means that PHP stores a session id in a cookie on the client side and this cookie (and the session id) is checked at every request for a page that starts with session_start(). If a valid session ID is not found, the script will start a new session, however the user will not be authenticated. So, all my scripts that start with session_start() are protected and I do not need to check for anything. Is what I think correct?

Thanks for your time
daidalus13
#2
Not exactly. Using sessions means you can easily pass on variables from one script to another (like a user_id).

In this case, after session_start(), you should check whether the user_id is set in the session; just the presence of the session means nothing. If you don't check, a workaround would be going to a restricted page, not logging in, then going to another restricted page. Though you have not logged in at the first page, the session is still set, because the session_start() is at the beginning of the code. If the next page only checks for a valid session_id, it will let you in without authenticating.

So the proper way is to have a simple check function at the start of each restricted page (best do this with an include).
#3
Thanks. It makes sense!
Can I ask you what you think about the following code?

    $sql = "SELECT * FROM users WHERE BINARY userid = '{$_SESSION['userid']}'";
    $dbresult = mysql_query($sql);
    if(!$dbresult) die('Database Error. Please try again later '.mysql_error());
    if(mysql_num_rows($dbresult) == 0) die('ACCESS DENIED');

Is this what you have in mind? Thanks again. You helped a lot.
daidalus13
#4
Looks fine to me, though personally I prefer concatenating my strings properly:
PHP Code:
But that's just me being a nitpicker. Good luck!
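
The per-page check recommended in post #2, combined with the database lookup from post #3, written as a single include. This is an added example, not code from the thread. The file name `auth_check.php`, the function names, the `users` table layout and the sample account are assumptions, and the demo uses PDO with an in-memory SQLite database (pdo_sqlite assumed available) so it runs offline; a deployment would pass a MySQL DSN instead.

```php
<?php
// auth_check.php (hypothetical name): include at the top of every restricted page.
declare(strict_types=1);

// Returns the user's row, or null when the session carries no userid or the
// userid no longer matches an account. A session by itself proves nothing.
function authenticated_user(array $session, PDO $db): ?array
{
    if (!isset($session['userid']) || !is_scalar($session['userid'])) {
        return null;                        // session exists, but nobody logged in
    }
    // Bound parameter instead of interpolating the session value into the SQL.
    // Under MySQL, keep "WHERE BINARY userid = :id" for a case-sensitive match.
    $stmt = $db->prepare('SELECT userid FROM users WHERE userid = :id');
    $stmt->execute([':id' => (string) $session['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Gate for restricted pages: start the session, then demand an authenticated user.
function require_login(PDO $db): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = authenticated_user($_SESSION, $db);
    if ($user === null) {
        http_response_code(403);
        exit('ACCESS DENIED');              // no database error text sent to the client
    }
    return $user;
}

// Constructed demo data, run only from the command line.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (userid TEXT PRIMARY KEY)");
    $db->exec("INSERT INTO users VALUES ('alice')");

    var_dump(authenticated_user([], $db));                          // session without a login
    var_dump(authenticated_user(['userid' => 'alice'], $db));       // logged-in account
    var_dump(authenticated_user(['userid' => 'removed'], $db));     // userid with no account
}
```

A restricted page would then begin with `require 'auth_check.php';` followed by `$user = require_login($db);`, where `$db` is the application's own PDO connection.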