General login scheme check


I'd like to know if this methodology of users logging in and out is correct in the sense of session use. I'm following a book that's two years old and am trying to incorporate the method of logging in by the user clicking on an activation link from an activation email I send them. Is this layout ok? What could go wrong with it? It is in pseudocode, please let me know what you think. What are the implications of calling session_start() from the two different script files?


    // ProtectedMemberPage.php
    session_start();

    // If $username and $password are posted from Login.php..
    if ($username && $password) {
        if (CheckDatabaseIfLoginOk($username, $password)) {
            $_SESSION['ok_user'] = $username;
        } else {
            // Bad credentials: nothing is stored, so the check below sends them back.
        }
    }

    if (!isset($_SESSION['ok_user'])) {
        // Failed login, go back to Login.php.
        exit;
    }

    echo "You are viewing the protected page as user: " . $_SESSION['ok_user'];
    echo "No other user should ever be able to see this page.";


    // ActivateUser.php
    // This script is meant to be called from an email I send a registered user. It 'activates' their account. The
    // link sends them directly to this page, checks the post data, activates their account if valid, then I want to
    // immediately log them in and send them to ProtectedMembersPage.php.
    session_start();

    if ($posted_activation_key_from_email_link == OK) {

        // Assign first, then test: "$username = f() == OK" on one line would store
        // only the comparison result (true/false) in $username, not the name.
        $username = LookupUsernameFromUniqueActivationKey();
        if ($username) {

            $_SESSION['ok_user'] = $username;

             // Send them to the protected member page:
        }
    }
You'll probably want to use $_POST['username'] and $_POST['password'] when checking the login credentials passed via the login.php form.

As for using session_start() on the two different pages, that should be fine.  When you call that function, it will first see if there is already a session open for that user (usually based on the session cookie, unless you're passing session IDs via the URL) and will use that existing session if there is.
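A concrete version of the login page along the lines of this answer, added here as an example (it is not the asker's code or the book's): the credentials are read from $_POST, the database check is done with a prepared statement and password_verify(), the session id is regenerated once the user is authenticated, and a failed login redirects with header() followed by exit. It assumes a PDO connection in $pdo and a users table with columns username, password_hash (as produced by password_hash()) and active; those names are assumptions, not something from the question.

```php
<?php
// ProtectedMemberPage.php (added example, not the asker's code).
// Assumed: $pdo is an open PDO connection; table `users` has columns
// username, password_hash (from password_hash()) and active (0/1).
session_start();

function checkDatabaseIfLoginOk(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never pasted into the SQL.
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE username = ? AND active = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against the stored hash in constant time,
    // so the plaintext password is never stored or compared directly.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Credentials arrive in $_POST from the Login.php form, not as bare variables.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if ($username !== '' && $password !== '') {
    if (checkDatabaseIfLoginOk($pdo, $username, $password)) {
        // Issue a fresh session id when the session gains privileges, so a
        // session id the visitor had before logging in cannot be reused.
        session_regenerate_id(true);
        $_SESSION['ok_user'] = $username;
    }
}

if (!isset($_SESSION['ok_user'])) {
    // Not logged in: redirect and stop. exit is required, because header()
    // only sets the response header and does not end the script.
    header('Location: Login.php');
    exit;
}

// Escape on output: the username came from a form at some point.
echo 'You are viewing the protected page as user: '
    . htmlspecialchars($_SESSION['ok_user'], ENT_QUOTES, 'UTF-8');
echo 'No other user should ever be able to see this page.';
```

Because session_start() is called at the top of both scripts, the second script picks up the same session (identified by the session cookie) that the first one populated, which is exactly the behaviour described above; the only thing to watch is that the session id is regenerated at the moment the session becomes a logged-in one.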
1. Where do you define CheckDatabaseifLoginOk()

2. Your code:
> if (!isset($_SESSION['ok_user'])) {
>    // Failed login, go back to Login.php.
>    exit;
That middle line can be:
header("Location: Login.php");
That will make the page redirect to the login page.

3. Where do you define the variable here: $posted_activation_key_from_email_link == OK
    Same with $username and $password in the first code example.

Joe P
minnirok (Author) commented:
Hi Bogo,

1. It's actually a few lines I do right there - I just called it CheckDatabaseifLoginOk() to compress into pseudocode. I really just check the SQL database to see if there is a user + password combination that matches what the user entered in the input form.

2. Yeah I have something that makes the page get redirected, but I like your way better, thanks.

3. $posted_activation_key_from_email_link  comes from the, hmm, page request address? Don't know what else to call it. I send the user an email like:

    Click this link to activate your account:


So the user clicks the link and gets directed to that ActivateUser.php script. $posted_activation_key_from_email_link is taken from the 'key' parameter in the address. I look in my user table to see if there is a key with that value. If there is, I 'activate' that user, and also grab its $username + $password.

Then I just log them in automatically and send them to the members page, with the session already started.
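The activation flow as described in this reply (key taken from the 'key' parameter of the link, matched against the user table, account activated, user logged in, redirect to the members page), written out as an added example rather than the asker's own code. It assumes $pdo is a PDO connection and that the users table has columns username, activation_key and active; the key generator is shown because the key's unguessability is what makes the link safe to accept as a login.

```php
<?php
// ActivateUser.php (added example, not the asker's code).
// Assumed: $pdo is an open PDO connection; table `users` has columns
// username, activation_key (set to NULL once used) and active (0/1).
session_start();

// Called at registration time to produce the key that goes into the email
// link. 32 bytes from the CSPRNG, hex-encoded so it is safe in a URL.
function makeActivationKey(): string
{
    return bin2hex(random_bytes(32));
}

// Finds the not-yet-active account holding this key, marks it active and
// clears the key so the link cannot be replayed. Returns the username,
// or null when the key is unknown or already used.
function activateUserByKey(PDO $pdo, string $key): ?string
{
    $stmt = $pdo->prepare(
        'SELECT username FROM users WHERE activation_key = ? AND active = 0'
    );
    $stmt->execute([$key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $upd = $pdo->prepare(
        'UPDATE users SET active = 1, activation_key = NULL WHERE username = ?'
    );
    $upd->execute([$row['username']]);
    return $row['username'];
}

// The key arrives in the query string of the emailed link, e.g.
// ActivateUser.php?key=<64 hex chars>. Check its shape before querying.
$key = $_GET['key'] ?? '';
$username = null;
if (preg_match('/^[0-9a-f]{64}$/', $key)) {
    $username = activateUserByKey($pdo, $key);
}

if ($username === null) {
    // Unknown or already-used key: no login, back to the login page.
    header('Location: Login.php');
    exit;
}

// Log the user in the same way Login.php would: fresh session id first,
// then record who they are. The password never needs to be read for this.
session_regenerate_id(true);
$_SESSION['ok_user'] = $username;
header('Location: ProtectedMemberPage.php');
exit;
```

Two points this makes explicit that the pseudocode leaves implicit: the key is looked up through a bound parameter, and it is invalidated in the same step that activates the account, so the emailed link works exactly once. Only the username is needed to set $_SESSION['ok_user']; there is no reason for the activation script to read the password column at all.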