#1
Cookieless Sessions & User Login
Here is a very simple demonstration of the beginnings of a login page and user validation using sessions which do not require cookies to be enabled in the browser.

These two little scripts are based upon what I learned from "PHP in Easy Steps" by Mike McGrath (published by Barnes & Noble), ISBN 0-7607-4786-5 (under $20 USD). Page 120 is "Sessions without Cookies".

There is a way to make a unique session identifier available across an entire website without requiring the browser to accept cookies. This method appends the unique identifier to the URL in each hyperlink to other pages on that website.

In HTML we achieve this as follows:

PHP Code:

while in PHP we do something like this:

PHP Code:

Paste these two small scripts, and save them as session1.php and session2.php. Run session1.php. You should see the session ID displayed (a very long number). If you click on the link and go to session2.php, you should see the count of visits.

But, if you close your browser (which ends the session), then reopen the browser and attempt to run session2.php FIRST (i.e. bypass the session1.php script, which is the beginnings of a login page), then you should see an error message warning that the secretpassword is not correct, and a link to return you to session1.php.

If you return to session1.php, and THEN go back to session2.php, then everything should work normally, and you can pass back and forth, and see the persistence of the variable $count, as it increments with each visit.

Each PHP script must have session_start(); as its first line. The example in Mike McGrath's book, on page 121, omits session_start(); in the session2.php script, and it does work fine in his example, but my modified example would not work until I added session_start(); as the first line.

Since I am also a beginner, teaching myself PHP, please do offer suggestions and/or corrections to this post.

Initially, I keyed in a simple, modified version of the book's two examples. I wanted to demonstrate certain things to myself. I wanted to always be able to display the session ID. To my surprise, I noticed that if I started with session1.php then the SID which I saved persisted between the two scripts. However, if I launched session2.php first from the browser, which should test as invalid in password, I noticed that the SID no longer displayed in either script. I cannot account for this behavior, but I did succeed in capturing the SID in a variable so that I could display it in either script.

I discovered that each time one registers a session variable, it is re-initialized, so one must be careful to initialize only once.

I then added session.htm as a simple post, to pass a password to session1 from user input, so that one might test the behavior of a correct and an incorrect password. You will notice that the variable $cpassword only has a value upon the first call to session1.php from session.htm. As you bounce back and forth between session1.php and session2.php, the $cpassword is no longer initialized.

Also notice that the session persists until you close your browser. So, if you want to try something different, you must close your browser and then re-open it. I experimented with the no-cache option, but it does not seem to make any difference in behavior (i.e. it does not somehow force a reload of the script such that the session would be a new session).

PHP Code:

Last edited by edwinbrains : June 6th, 2004 at 01:35 PM. Reason: [php] and [/php] added
#2
|
|||
|
|||
|
session_register vs $_SESSION
I have just received this useful advice from IRC #phpfreaks - I must now study up on $_SESSION so that I may implement this suggestion in my example scripts.

========== (from IRC #phpfreaks)

You should really assign session variables to $_SESSION, not use session_register(). Not only is it faster but it will also work across more environments. Certain people trying your example there may not be able to use it.
#3
|
|||
|
|||
|
Destroying a Session and other tips!
I did a Google search to see if anyone warns against using session_register over $_SESSION, as I was advised in IRC #phpfreaks channel. I did not find any warnings so far, but the following URL tells me something I wanted to know about how to destroy a session.

http://www.phpnull.com/showthread.p...goto=nextoldest

Let's say for example that you wanted to create a part of your site which is only visible to logged in users. You can use sessions to do this. Take a look at the code below. Eg:

PHP Code:

Ok, let's break down the code above. The first thing we do is check to see if the global session variable logged_in is registered for the user viewing the page. If it is not, the page terminates and an error message is shown to the guest.

PHP Code:

Next, we check the value of the global session variable logged_in, and if it doesn't equal yes then the page terminates in exactly the same way.

PHP Code:

By this point, we have stopped all users who have no logged_in session information, and all users who have another value for the logged_in session information. This is just to make sure that there is no getting around the block for "ordinary" users. This now means that the only users still viewing the page are the ones who are logged in, so you can continue to output your page normally.

Checking whether a session is registered

As mentioned above, the function session_is_registered(); will check to see if a global session variable exists. The syntax is:

PHP Code:

How do I find and use each session's unique id?

Every user session is identified by a unique session id, which is usually just a long string of numbers and letters such as c0eb8989e012b537b86bf68686e139b7. You can use this session id simply by calling the function session_id(); Eg:

PHP Code:

Unregistering session information

If you want to unregister a global session variable without completely destroying the session, you can do so by using the session_unregister(); function. The syntax is:

PHP Code:

For example, when a user logs out, you could destroy the logged_in session variable by using this code:

PHP Code:

Destroying a session

You can completely destroy a session by using the session_destroy(); function. For example, the following script would completely destroy the active user session:

PHP Code:

Last edited by edwinbrains : June 6th, 2004 at 01:35 PM. Reason: [php] and [/php] added
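
The login gate, logout and cookieless link from posts #1 to #3, written with $_SESSION as the IRC advice in post #2 suggests (session_register(), session_is_registered() and session_unregister() were removed in PHP 5.4). This is an added example, not the poster's scripts; the function names are hypothetical, while session1.php and the logged_in value "yes" come from the posts above.

```php
<?php
// Added example. sid_link(), log_in(), require_login(), log_out() are hypothetical names.

// Cookieless setup as in post #1: the id is read from the URL, not a cookie.
// (PHP 8.4 deprecates turning session.use_only_cookies off.)
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
session_start();

// Build a link that carries the current session id, HTML-escaped.
function sid_link(string $page, string $text): string
{
    $url = $page . '?' . session_name() . '=' . rawurlencode(session_id());
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '">'
         . htmlspecialchars($text, ENT_QUOTES) . '</a>';
}

// Call once the password check has succeeded.
function log_in(string $nick): void
{
    // Issue a fresh id at login, so an id that appeared in an earlier URL,
    // server log or Referer header no longer names this session.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = 'yes';
    $_SESSION['nick'] = $nick;
}

// Members-only gate: the $_SESSION form of the session_is_registered() check.
function require_login(): void
{
    if (($_SESSION['logged_in'] ?? null) !== 'yes') {
        http_response_code(403);
        exit('Please log in first: ' . sid_link('session1.php', 'login page'));
    }
}

// Logout: the $_SESSION form of session_unregister() plus session_destroy().
function log_out(): void
{
    $_SESSION = [];      // drop the variables held in this request
    session_destroy();   // delete the stored session data on the server
}

// A protected page that counts visits, as session2.php does.
require_login();
$_SESSION['count'] = ($_SESSION['count'] ?? 0) + 1;
echo 'Visits: ', (int) $_SESSION['count'], ' ', sid_link('session1.php', 'back');
```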
#4
|
|||
|
|||
|
Next Step: Create users table & mysql password()
We may take what we have learned about sessions and use it as a foundation for a user login password validation routine.

Let's create a simple html post form to pass nick, email and password to a php validation script, which we have yet to write.

PHP Code:

userlogin.php has not been written yet, but the following shows how it might look for the user in a user table, and test for a valid password. We might start with the simple beginnings of a script to show that our submit form is working and that we can access the variables which it passed.

PHP Code:

OOPS!! PHP does NOT have a password() function! Only MySQL has a password() function.

Creating a user table and adding one test record

PHP Code:

Exploring the MySQL password() function.

PHP has no password() function to correspond to the MySQL password() function. One simple-minded way to access the password() in php would be to use a mysql update command to write a password to a field, and then read it back. Of course, the idea of password() is that the user has privacy, and not even the webmaster knows the actual password. But for educational purposes, it is interesting for us to look at what the mysql password() function generates.

PHP Code:

Last edited by edwinbrains : June 6th, 2004 at 01:36 PM. Reason: [php] and [/php] added
#5
|
|||
|
|||
|
User/Password Validation
Here is a userlogin.htm with default valid test values

PHP Code:

Here is a slightly more elaborate userlogin.php

PHP Code:

Last edited by edwinbrains : June 6th, 2004 at 01:36 PM. Reason: [php] and [/php] added
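
For the user-table validation in posts #4 and #5, an added example (not the poster's scripts) that hashes in PHP with password_hash() and password_verify() rather than MySQL's password(), which the MySQL manual reserves for the server's own accounts and which MySQL 8.0 removed. The table layout and function names are assumptions, and in-memory SQLite (pdo_sqlite) stands in for MySQL so the block runs without a server.

```php
<?php
// Added example. The users table layout and function names are assumptions.

function open_db(): PDO
{
    // In-memory SQLite (pdo_sqlite) stands in for the thread's MySQL server.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        nick TEXT PRIMARY KEY, email TEXT NOT NULL, pass_hash TEXT NOT NULL)');
    return $db;
}

function add_user(PDO $db, string $nick, string $email, string $password): void
{
    // Hash in PHP: the clear-text password never reaches the SQL layer.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (nick, email, pass_hash) VALUES (?, ?, ?)');
    $stmt->execute([$nick, $email, $hash]);
}

function check_login(PDO $db, string $nick, string $password): bool
{
    // Placeholders keep the form input out of the SQL text.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE nick = ?');
    $stmt->execute([$nick]);
    $hash = $stmt->fetchColumn();

    // Unknown nick: verify against a throwaway hash so both paths do one check.
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash === false ? $dummy : $hash) || $hash === false) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE users SET pass_hash = ? WHERE nick = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $nick]);
    }
    return true;
}

// Constructed sample account and login attempts.
$db = open_db();
add_user($db, 'testnick', 'test@example.com', 'correct horse battery');
var_dump(check_login($db, 'testnick', 'correct horse battery'));
var_dump(check_login($db, 'testnick', 'wrong guess'));
var_dump(check_login($db, 'nobody', 'correct horse battery'));
```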
#6
|
|||
|
|||
|
Capturing info on users who log in
Let's add some more fields to our user table and capture some information about users who validate.

PHP Code:

===========================

Now, let's capture some information about users who validate:

PHP Code: