General login scheme check

Posted on 2006-03-27
Last Modified: 2010-08-05

I'd like to know if this methodology of users logging in and out is correct in the sense of session use. I'm following a book that's two years old and am trying to incorporate the method of logging in by the user clicking on an activation link from an activation email I send them. Is this layout ok? What could go wrong with it? It is in pseudocode, please let me know what you think. What are the implications of calling session_start() from the two different script files?


    // ProtectedMemberPage.php

    // If $username and $password are posted from Login.php..
    if ($username && $password) {
        if (CheckDatabaseIfLoginOk($username, $password)) {
            $_SESSION['ok_user'] = $username;
        else {

    if (!isset($_SESSION['ok_user'])) {
        // Failed login, go back to Login.php.

    echo "You are viewing the protected page as user: " . $_SESSION['ok_user'];
    echo "No other user should ever be able to see this page.";


    // ActivateUser.php
    // This script is meant to be called from an email I send a registered user. It 'activates' their account. The
    // link sends them directly to this page, checks the post data, activates their account if valid, then I want to
    // immediately log them in and send them to ProtectedMembersPage.php.
    if ($posted_activation_key_from_email_link == OK) {

        if ($username = LookupUsernameFromUniqueActivationKey() == OK) {

            $_SESSION['ok_user'] = $username;

             // Send them to the protected member page:
Question by:minnirok
    LVL 15

    Accepted Solution

    You'll probably want to use $_POST['username'] and $_POST['password'] when checking the login credentials passed via the login.php form.

    As for using session_start() on the two different pages, that should be fine.  When you call that function, if will first see if there is already a session open for that user (usually based on the session cookie, unless you're passing session IDs via the URL) and will use that existing session if there is.
    LVL 17

    Expert Comment

    1. Where do you define CheckDatabaseifLoginOk()

    2. Your code:
    > if (!isset($_SESSION['ok_user'])) {
    >    // Failed login, go back to Login.php.
    >    exit;
    That middle line can be:
    header("Location: Login.php");
    That will make the page redirect to the login page.

    3. Where do you define the variable here: $posted_activation_key_from_email_link == OK
        Same with $username and $password in the first code example.

    Joe P
    LVL 7

    Author Comment

    Hi Bogo,

    1. Its actuall a few lines I do right there - I just called it CheckDatabaseifLoginOk() to compress into pseudo code. I really just check the sql database to see if there is a user + password combination that matches what the user entered in the input form.

    2. Yeah I have something that makes the page get redirected, but I like your way better, thanks.

    3. $posted_activation_key_from_email_link  comes from the, hmm, page request address? Don't know what else to call it. I send the user an email like:

        Click this link to activate your account:


    So the user clicks the link and gets directed to that ActivateUser.php script. $posted_activation_key_from_email_link  is taken from the 'key' parameter in the address. I look in my user table to see if there is a key with that value. If there is, I 'activate' that user, and also grab it's $username + $password.

    Then I just log them in automatically and send them to the members page, with the session already started.

    Featured Post

    What Is Threat Intelligence?

    Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

    Join & Write a Comment

    Consider the following scenario: You are working on a website and make something great - something that lets the server work with information submitted by your users. This could be anything, from a simple guestbook to a e-Money solution. But what…
    I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
    Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
    The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now