How to create a proper members section using sessions...

So I’m now trying my hand at creating a member system using PHP, and Sessions, and I can get sessions working once a person is logged in, but once they navigate away from the page they land on after login, they lose the session. I don’t know anything about sessions, so I’m not sure where I’m going wrong…but here’s my code (I know it may not be proper, but again, it’s just a development script)…

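[php]
// login script
session_start(); // must run before any use of $_SESSION, on every page

$error = "";
$username = "";

if (isset($_POST['username']) || isset($_POST['password'])) {
    $un = $_POST['username'] ?? "";
    $pwInput = $_POST['password'] ?? "";
    if ($un == "" && $pwInput == "") {
        $error = "Invalid Username and Password";
    } elseif ($un == "") {
        $error = "Invalid Username";
    } elseif ($pwInput == "") {
        $error = "Invalid Password";
    } else {
        // check login
        // md5() kept so the value matches what is already stored in the users table
        $pw = md5($pwInput);
        //$pw = $_POST['password'];
        // prepared statement: user input is bound, never concatenated into the SQL
        $stmt = mysqli_prepare($con, "SELECT id, username FROM users WHERE username = ? AND password = ?");
        mysqli_stmt_bind_param($stmt, "ss", $un, $pw);
        mysqli_stmt_execute($stmt);
        $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
        if (is_array($row)) {
            session_regenerate_id(true); // fresh session ID after a successful login
            $_SESSION["user_id"] = $row['id'];
            $_SESSION["user_name"] = $row['username'];
        } else {
            // if not user
            $error = "We couldn’t find an account linked with that email address. Please check your login details and try again.";
        }
        // must test the same key that is set above
        if (isset($_SESSION["user_id"])) {
            header("Location: members.php");
            exit;
        }
    }
}
if (isset($_GET['action']) && $_GET['action'] == "logout") {
    $_SESSION = array();  // clear the data held in this request
    session_destroy();    // takes no arguments
    header('Location: /?loggedout');
    exit;
}
[/php]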

Any idea how I can continue this session? I’d prefer to do it as a page include on pages that require a login to view…if that makes any sense to anyone.

lol

This is how I do mine, it works pretty good for the most part. Though someone might have a better way of doing it. Here it is:

[php]// Start the session:
$seconds = 60;
$minutes = 60;
$hours = 24;
$days = 14;

session_set_cookie_params($seconds * $minutes * $hours * $days, "");
session_start();[/php]

BTW - Here’s a nice password hashing library from some Egghead from MIT : https://github.com/ircmaxell/password_compat/blob/master/lib/password.php - It’s definitely better than using md5.

Well I have my session created (for now I’m happy with it), but my concern is that it’s not passing from page to page in the members only area. How would I accomplish this?

You have to make sure the session is started for every page (which you probably do). I usually put that in a configuration file (utilities.inc.php), along with what I call other household chores, on top of every page.

Plus I have it where it checks the status of the user, once again in my configuration.

For example:
[php]$user = (isset($_SESSION['user'])) ? $_SESSION['user'] : NULL;[/php]

That way I can just check the status of the user and see if they have access to that page(s).

[php]if ($user && $user->isAdmin()) {
    $pageTitle = "Edit Questions";
} else {
    // Redirect:
    header('Location: login.php');
    exit;
}[/php]

I’m using OOP style, but this can be easily done using arrays, maybe something like $user[‘accessLevel’]. You would obviously set this when the user logs in.

Maybe something like this:
[php]$_SESSION['user']['accessLevel'] = 'sysop';[/php]
with the level being pulled in from the database. I just did it this way to show you an example.
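
The per-page include asked about in this thread, written out as an added example that is not code from any of the posters. The file name `auth.inc.php`, the function names, the `IDLE_LIMIT` value and the `last_seen` key are assumptions; `user_id` and `user_name` are the session keys from the first post.

```php
<?php
// auth.inc.php (hypothetical file name): include first on every members-only page.

const IDLE_LIMIT = 1800; // assumed idle timeout in seconds

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    // Cookie options must be set before session_start(); array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,     // cookie is dropped when the browser closes
        'path'     => '/',   // sent for every page of the site, not only the login page
        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, after the submitted credentials have been verified.
function log_user_in(int $userId, string $userName): void
{
    session_regenerate_id(true); // new session ID at login blocks session fixation
    $_SESSION['user_id']   = $userId;
    $_SESSION['user_name'] = $userName;
    $_SESSION['last_seen'] = time();
}

// True when the session holds a logged-in user who has not been idle too long.
function is_logged_in(array $session, int $now): bool
{
    return isset($session['user_id'], $session['last_seen'])
        && ($now - $session['last_seen']) <= IDLE_LIMIT;
}

// Guard for protected pages: resumes the session or sends the visitor to login.php.
function require_login(): void
{
    start_secure_session();
    if (!is_logged_in($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit; // stop here so the protected page body is never sent
    }
    $_SESSION['last_seen'] = time(); // sliding idle window
}
```

A members-only page then begins with `require 'auth.inc.php'; require_login();` before any output is sent, and the login script calls `start_secure_session()` followed by `log_user_in()` once the credentials check out.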
