We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

General login scheme check

minnirok
minnirok asked
on
Medium Priority
249 Views
Last Modified: 2010-08-05
Hi,

I'd like to know if this methodology of users logging in and out is correct in the sense of session use. I'm following a book that's two years old and am trying to incorporate the method of logging in by the user clicking on an activation link from an activation email I send them. Is this layout ok? What could go wrong with it? It is in pseudocode, please let me know what you think. What are the implications of calling session_start() from the two different script files?

<?php

    // ProtectedMemberPage.php
    session_start();

    // If $username and $password are posted from Login.php..
    if ($username && $password) {
        if (CheckDatabaseIfLoginOk($username, $password)) {
            $_SESSION['ok_user'] = $username;
        }
        else {
            exit();
        }
    }

    if (!isset($_SESSION['ok_user'])) {
        // Failed login, go back to Login.php.
        exit;
    }

    echo "You are viewing the protected page as user: " . $_SESSION['ok_user'];
    echo "No other user should ever be able to see this page.";

?>

<?php
   
    // ActivateUser.php
    // This script is meant to be called from an email I send a registered user. It 'activates' their account. The
    // link sends them directly to this page, checks the post data, activates their account if valid, then I want to
    // immediately log them in and send them to ProtectedMembersPage.php.
    if ($posted_activation_key_from_email_link == OK) {

        if ($username = LookupUsernameFromUniqueActivationKey() == OK) {
           
            session_start();

            $_SESSION['ok_user'] = $username;

            ?>
            <head>
            <script>
             // Send them to the protected member page:
             location.replace("ProtectedMembersPage.php");
            </script>
            </head>
            <?php
        }
    }    
?>
Comment
Watch Question

CERTIFIED EXPERT
Commented:
You'll probably want to use $_POST['username'] and $_POST['password'] when checking the login credentials passed via the login.php form.

As for using session_start() on the two different pages, that should be fine.  When you call that function, if will first see if there is already a session open for that user (usually based on the session cookie, unless you're passing session IDs via the URL) and will use that existing session if there is.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
1. Where do you define CheckDatabaseifLoginOk()

2. Your code:
> if (!isset($_SESSION['ok_user'])) {
>    // Failed login, go back to Login.php.
>    exit;
That middle line can be:
header("Location: Login.php");
That will make the page redirect to the login page.

3. Where do you define the variable here: $posted_activation_key_from_email_link == OK
    Same with $username and $password in the first code example.

Joe P

Author

Commented:
Hi Bogo,

1. Its actuall a few lines I do right there - I just called it CheckDatabaseifLoginOk() to compress into pseudo code. I really just check the sql database to see if there is a user + password combination that matches what the user entered in the input form.

2. Yeah I have something that makes the page get redirected, but I like your way better, thanks.

3. $posted_activation_key_from_email_link  comes from the, hmm, page request address? Don't know what else to call it. I send the user an email like:

    Click this link to activate your account:

    http://localhost/mysite/ActivateUser.php?activate=1&key=abcdefg

So the user clicks the link and gets directed to that ActivateUser.php script. $posted_activation_key_from_email_link  is taken from the 'key' parameter in the address. I look in my user table to see if there is a key with that value. If there is, I 'activate' that user, and also grab it's $username + $password.

Then I just log them in automatically and send them to the members page, with the session already started.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.