General login scheme check

Hi,

I'd like to know if this methodology of users logging in and out is correct in the sense of session use. I'm following a book that's two years old and am trying to incorporate the method of logging in by the user clicking on an activation link from an activation email I send them. Is this layout ok? What could go wrong with it? It is in pseudocode, please let me know what you think. What are the implications of calling session_start() from the two different script files?

<?php

    // ProtectedMembersPage.php
    session_start();

    // If $username and $password are posted from Login.php..
    if ($username && $password) {
        if (CheckDatabaseIfLoginOk($username, $password)) {
            $_SESSION['ok_user'] = $username;
        }
        else {
            exit();
        }
    }

    if (!isset($_SESSION['ok_user'])) {
        // Failed login, go back to Login.php.
        exit;
    }

    echo "You are viewing the protected page as user: " . $_SESSION['ok_user'];
    echo "No other user should ever be able to see this page.";

?>

<?php

    // ActivateUser.php
    // This script is meant to be called from an email I send a registered user. It 'activates' their account. The
    // link sends them directly to this page, checks the post data, activates their account if valid, then I want to
    // immediately log them in and send them to ProtectedMembersPage.php.
    if ($posted_activation_key_from_email_link == OK) {

        // Parentheses needed: without them "==" binds tighter than "=" and $username ends up a boolean.
        if (($username = LookupUsernameFromUniqueActivationKey()) == OK) {

            session_start();

            $_SESSION['ok_user'] = $username;

            ?>
            <head>
            <script>
             // Send them to the protected member page:
             location.replace("ProtectedMembersPage.php");
            </script>
            </head>
            <?php
        }
    }
?>
minnirokAsked:
 
TomeeboyCommented:
You'll probably want to use $_POST['username'] and $_POST['password'] when checking the login credentials passed via the login.php form.

As for using session_start() on the two different pages, that should be fine. When you call that function, it will first see if there is already a session open for that user (usually based on the session cookie, unless you're passing session IDs via the URL) and will use that existing session if there is.
 
BogoJokerCommented:
1. Where do you define CheckDatabaseIfLoginOk()?

2. Your code:
> if (!isset($_SESSION['ok_user'])) {
>    // Failed login, go back to Login.php.
>    exit;
That middle line can be:
header("Location: Login.php");
That will make the page redirect to the login page.

3. Where do you define the variable here: $posted_activation_key_from_email_link == OK?
    Same with $username and $password in the first code example.

Joe P
 
minnirokAuthor Commented:
Hi Bogo,

1. It's actually a few lines I do right there - I just called it CheckDatabaseIfLoginOk() to compress into pseudocode. I really just check the SQL database to see if there is a user + password combination that matches what the user entered in the input form.

2. Yeah I have something that makes the page get redirected, but I like your way better, thanks.

3. $posted_activation_key_from_email_link comes from the, hmm, page request address? Don't know what else to call it. I send the user an email like:

    Click this link to activate your account:

    http://localhost/mysite/ActivateUser.php?activate=1&key=abcdefg

So the user clicks the link and gets directed to that ActivateUser.php script. $posted_activation_key_from_email_link is taken from the 'key' parameter in the address. I look in my user table to see if there is a key with that value. If there is, I 'activate' that user, and also grab its $username + $password.

Then I just log them in automatically and send them to the members page, with the session already started.
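A hardened version of the scheme from the question and of the activation-link flow described in the reply above, as an added example (not the asker's code). It assumes a PDO handle `$pdo` in exception mode and a `users` table with columns `username`, `password_hash`, `activation_key` and `activated`; it addresses the three points a reviewer would flag in the pseudocode: the session ID is never regenerated at login, the password is compared in the clear, and the emailed key stays valid after it has been used.

```php
<?php
// auth.php: added example, not the asker's code. Assumes a PDO handle $pdo (exception
// mode) and a `users` table with columns username, password_hash, activation_key, activated.
// Each script calls session_start() first; PHP resumes the session named by the cookie,
// so calling it from both scripts is fine (session.use_strict_mode=1 in php.ini makes
// PHP refuse session IDs it never issued).

// Bind the session to a user. A fresh ID makes a session ID planted before
// login useless afterwards (session fixation).
function establish_login(string $username): void {
    session_regenerate_id(true);
    $_SESSION['ok_user'] = $username;
}

// Stands in for CheckDatabaseIfLoginOk(): prepared statement, hashed password.
function login_with_password(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ? AND activated = 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    establish_login($username);
    return true;
}

// Stands in for LookupUsernameFromUniqueActivationKey(): the key is cleared on
// use, so the emailed link logs the user in once and cannot be replayed.
function login_with_activation_key(PDO $pdo, string $key): bool {
    $pdo->beginTransaction();
    $stmt = $pdo->prepare('SELECT username FROM users WHERE activation_key = ? AND activated = 0');
    $stmt->execute([$key]);
    $username = $stmt->fetchColumn();
    if ($username === false) { $pdo->rollBack(); return false; }
    $pdo->prepare('UPDATE users SET activated = 1, activation_key = NULL WHERE username = ?')
        ->execute([$username]);
    $pdo->commit();
    establish_login($username);
    return true;
}

// Guard for ProtectedMembersPage.php: header redirect plus exit, so the protected
// HTML below the guard is never sent to an unauthenticated client.
function require_login(): void {
    if (!isset($_SESSION['ok_user'])) {
        header('Location: Login.php');
        exit;
    }
}
```

ProtectedMembersPage.php calls session_start() and then require_login(); ActivateUser.php calls session_start(), login_with_activation_key($pdo, $_GET['key'] ?? '') and, on success, header('Location: ProtectedMembersPage.php'); exit; in place of the JavaScript redirect.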