General login scheme check

Posted on 2006-03-27
Medium Priority
Last Modified: 2010-08-05

I'd like to know if this methodology of users logging in and out is correct in the sense of session use. I'm following a book that's two years old and am trying to incorporate the method of logging in by the user clicking on an activation link from an activation email I send them. Is this layout ok? What could go wrong with it? It is in pseudocode, please let me know what you think. What are the implications of calling session_start() from the two different script files?


    // ProtectedMemberPage.php

    // If $username and $password are posted from Login.php..
    if ($username && $password) {
        if (CheckDatabaseIfLoginOk($username, $password)) {
            $_SESSION['ok_user'] = $username;
        else {

    if (!isset($_SESSION['ok_user'])) {
        // Failed login, go back to Login.php.

    echo "You are viewing the protected page as user: " . $_SESSION['ok_user'];
    echo "No other user should ever be able to see this page.";


    // ActivateUser.php
    // This script is meant to be called from an email I send a registered user. It 'activates' their account. The
    // link sends them directly to this page, checks the post data, activates their account if valid, then I want to
    // immediately log them in and send them to ProtectedMembersPage.php.
    if ($posted_activation_key_from_email_link == OK) {

        if ($username = LookupUsernameFromUniqueActivationKey() == OK) {

            $_SESSION['ok_user'] = $username;

             // Send them to the protected member page:
Question by:minnirok
LVL 15

Accepted Solution

Tomeeboy earned 2000 total points
ID: 16305590
You'll probably want to use $_POST['username'] and $_POST['password'] when checking the login credentials passed via the login.php form.

As for using session_start() on the two different pages, that should be fine.  When you call that function, if will first see if there is already a session open for that user (usually based on the session cookie, unless you're passing session IDs via the URL) and will use that existing session if there is.
LVL 17

Expert Comment

ID: 16305844
1. Where do you define CheckDatabaseifLoginOk()

2. Your code:
> if (!isset($_SESSION['ok_user'])) {
>    // Failed login, go back to Login.php.
>    exit;
That middle line can be:
header("Location: Login.php");
That will make the page redirect to the login page.

3. Where do you define the variable here: $posted_activation_key_from_email_link == OK
    Same with $username and $password in the first code example.

Joe P

Author Comment

ID: 16306502
Hi Bogo,

1. Its actuall a few lines I do right there - I just called it CheckDatabaseifLoginOk() to compress into pseudo code. I really just check the sql database to see if there is a user + password combination that matches what the user entered in the input form.

2. Yeah I have something that makes the page get redirected, but I like your way better, thanks.

3. $posted_activation_key_from_email_link  comes from the, hmm, page request address? Don't know what else to call it. I send the user an email like:

    Click this link to activate your account:


So the user clicks the link and gets directed to that ActivateUser.php script. $posted_activation_key_from_email_link  is taken from the 'key' parameter in the address. I look in my user table to see if there is a key with that value. If there is, I 'activate' that user, and also grab it's $username + $password.

Then I just log them in automatically and send them to the members page, with the session already started.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses
Course of the Month14 days, 23 hours left to enroll

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question