General login scheme check

Hi,

I'd like to know if this methodology of users logging in and out is correct in the sense of session use. I'm following a book that's two years old and am trying to incorporate the method of logging in by the user clicking on an activation link from an activation email I send them. Is this layout ok? What could go wrong with it? It is in pseudocode, please let me know what you think. What are the implications of calling session_start() from the two different script files?

<?php

    // ProtectedMembersPage.php
    session_start();

    // If $username and $password are posted from Login.php..
    if ($username && $password) {
        if (CheckDatabaseIfLoginOk($username, $password)) {
            $_SESSION['ok_user'] = $username;
        }
        else {
            exit();
        }
    }

    if (!isset($_SESSION['ok_user'])) {
        // Failed login, go back to Login.php.
        exit;
    }

    echo "You are viewing the protected page as user: " . $_SESSION['ok_user'];
    echo "No other user should ever be able to see this page.";

?>

<?php
   
    // ActivateUser.php
    // This script is meant to be called from an email I send a registered user. It 'activates' their account. The
    // link sends them directly to this page, checks the post data, activates their account if valid, then I want to
    // immediately log them in and send them to ProtectedMembersPage.php.
    if ($posted_activation_key_from_email_link == OK) {

        // Parenthesised so $username receives the lookup result, not the boolean of the comparison.
        if (($username = LookupUsernameFromUniqueActivationKey()) == OK) {
           
            session_start();

            $_SESSION['ok_user'] = $username;

            ?>
            <head>
            <script>
             // Send them to the protected member page:
             location.replace("ProtectedMembersPage.php");
            </script>
            </head>
            <?php
        }
    }    
?>
minnirokAsked:

TomeeboyCommented:
You'll probably want to use $_POST['username'] and $_POST['password'] when checking the login credentials passed via the login.php form.

As for using session_start() on the two different pages, that should be fine.  When you call that function, it will first see if there is already a session open for that user (usually based on the session cookie, unless you're passing session IDs via the URL) and will use that existing session if there is.
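To make the two points above concrete, here is an added example (my code, not the asker's or Tomeeboy's) of a ProtectedMembersPage.php that reads the credentials from $_POST, keeps the session bound to its cookie so session_start() in any script attaches to the same session, and also handles logout. The users table, its column names and the PDO connection string are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original question. Assumes a table
// users(username, password_hash, is_active) and a local MySQL database.

declare(strict_types=1);

// Only accept the session ID from the cookie, never from the URL, and refuse
// IDs the server did not issue; then session_start() simply resumes the
// session the cookie names, whichever script is running.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),   // assumption: HTTPS in production
]);
session_start();

function getDb(): PDO
{
    // Assumed DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=mysite;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Stands in for the pseudocode CheckDatabaseIfLoginOk(): a prepared statement
// fetches the stored hash, and password_verify() does the comparison, so the
// database never holds or compares the plaintext password.
function checkDatabaseIfLoginOk(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash, is_active FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['is_active'] !== 1) {
        return false;   // unknown or not yet activated user
    }
    return password_verify($password, $row['password_hash']);
}

// Clears the session on the server and expires the cookie in the browser.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Logout is a POST so a cross-site image or link cannot trigger it.
if (isset($_POST['logout'])) {
    logoutUser();
    header('Location: Login.php');
    exit;
}

// Credentials posted from the Login.php form.
if (isset($_POST['username'], $_POST['password'])) {
    if (checkDatabaseIfLoginOk(getDb(), (string) $_POST['username'], (string) $_POST['password'])) {
        // Fresh session ID at the moment of login, so an ID handed to the
        // browser before authentication cannot be reused as a logged-in one.
        session_regenerate_id(true);
        $_SESSION['ok_user'] = (string) $_POST['username'];
    } else {
        header('Location: Login.php?error=1');
        exit;
    }
}

if (!isset($_SESSION['ok_user'])) {
    header('Location: Login.php');
    exit;
}

echo 'You are viewing the protected page as user: '
   . htmlspecialchars($_SESSION['ok_user'], ENT_QUOTES, 'UTF-8');
```

The stored password_hash column is expected to hold output of password_hash() from the registration step; the strict_mode setting is what stops a session ID chosen by an attacker (for example one planted through a link) from being accepted by session_start().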

BogoJokerCommented:
1. Where do you define CheckDatabaseifLoginOk()

2. Your code:
> if (!isset($_SESSION['ok_user'])) {
>    // Failed login, go back to Login.php.
>    exit;
That middle line can be:
header("Location: Login.php");
That will make the page redirect to the login page.

3. Where do you define the variable here: $posted_activation_key_from_email_link == OK
    Same with $username and $password in the first code example.

Joe P
minnirokAuthor Commented:
Hi Bogo,

1. It's actually a few lines I do right there - I just called it CheckDatabaseifLoginOk() to compress into pseudo code. I really just check the sql database to see if there is a user + password combination that matches what the user entered in the input form.

2. Yeah I have something that makes the page get redirected, but I like your way better, thanks.

3. $posted_activation_key_from_email_link  comes from the, hmm, page request address? Don't know what else to call it. I send the user an email like:

    Click this link to activate your account:

    http://localhost/mysite/ActivateUser.php?activate=1&key=abcdefg

So the user clicks the link and gets directed to that ActivateUser.php script. $posted_activation_key_from_email_link  is taken from the 'key' parameter in the address. I look in my user table to see if there is a key with that value. If there is, I 'activate' that user, and also grab its $username + $password.

Then I just log them in automatically and send them to the members page, with the session already started.
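Putting BogoJoker's two points (define where the key comes from, redirect with header()) together with the link format the author describes, here is an added example of ActivateUser.php; it is my code, not the asker's or BogoJoker's. It also shows the parts the original pseudocode leaves to "== OK" that decide whether the scheme is safe: the key is random, stored only as a hash, expires, and is cleared on first use so a link that leaks from a mailbox or browser history cannot be replayed. The users table and its columns activation_key_hash and activation_expires_at are assumptions, as is the DSN.

```php
<?php
// Added example, not from the original question. Assumes a table
// users(id, username, is_active, activation_key_hash, activation_expires_at).

declare(strict_types=1);

ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

function getDb(): PDO
{
    // Assumed DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=mysite;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Called once at registration: returns the raw key to put in the e-mail link
// (ActivateUser.php?activate=1&key=...). Only its SHA-256 is stored, so a
// copy of the database does not contain working activation links.
function issueActivationKey(PDO $db, int $userId): string
{
    $key  = bin2hex(random_bytes(32));    // 256 bits from the CSPRNG, not guessable
    $stmt = $db->prepare(
        'UPDATE users SET activation_key_hash = ?, '
      . 'activation_expires_at = DATE_ADD(NOW(), INTERVAL 1 DAY) WHERE id = ?'
    );
    $stmt->execute([hash('sha256', $key), $userId]);
    return $key;
}

// Replaces LookupUsernameFromUniqueActivationKey(): finds the pending user for
// this key, activates them and clears the key. Returns the username, or null
// when the key is malformed, unknown, expired, or already used.
function activateByKey(PDO $db, string $key): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $key)) {
        return null;    // wrong shape: no database round trip at all
    }
    $stmt = $db->prepare(
        'SELECT id, username FROM users WHERE activation_key_hash = ? '
      . 'AND is_active = 0 AND activation_expires_at > NOW()'
    );
    $stmt->execute([hash('sha256', $key)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The "AND is_active = 0" guard plus rowCount() makes the link single use
    // even if two requests with the same key arrive at once.
    $upd = $db->prepare(
        'UPDATE users SET is_active = 1, activation_key_hash = NULL, '
      . 'activation_expires_at = NULL WHERE id = ? AND is_active = 0'
    );
    $upd->execute([(int) $row['id']]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    return (string) $row['username'];
}

// $posted_activation_key_from_email_link in the pseudocode is simply the
// 'key' query parameter of the clicked link.
$key      = (string) ($_GET['key'] ?? '');
$username = activateByKey(getDb(), $key);

if ($username === null) {
    // Same response for every failure reason, so the page does not reveal
    // which keys exist.
    header('Location: Login.php?activation=failed');
    exit;
}

// Log the newly activated user in on a fresh session ID and send them on with
// a proper HTTP redirect instead of an HTML page containing a script.
session_regenerate_id(true);
$_SESSION['ok_user'] = $username;
header('Location: ProtectedMembersPage.php');
exit;
```

Because the key is looked up by its hash in a prepared statement, no string comparison happens in PHP at all, and the shape check up front rejects anything that is not 64 hex characters before it reaches the database. The header() redirect also means nothing is rendered to the browser on this URL, which keeps the key out of any page the user might bookmark or forward.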
PHP