    • xyvermax, Sep 11th 2010 (edited)
    asdf, could you please tell me the correct way of using session_start() with a password? :)
    • asdf, Sep 12th 2010 (edited)
    There are only two things you need to know about PHP sessions. One is using session_start() on every page and the other is $_SESSION['username'].
     
    Just include this file login.php in all PHP files you want logged in people to see, except logout.php, index.php, and pages you want available to everyone online or offline.
     
    login.php:
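    <?php
    session_start();
    if (!empty($_SESSION['username'])) return; // already logged in
    // Read the form fields only if they were actually posted as strings
    $username = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
    // === instead of == so the hash is compared as a string, not as a number
    if ($username === 'asdf' && md5($password) === '6f1ed002ab5595859014ebf0951522d9') {
        session_regenerate_id(true); // new session ID once the user is authenticated
        $_SESSION['username'] = $username;
    } else {
        include('loginform.php'); // bad username and password, try again
        exit;
    }
    // reload page or send them to index
    $page = basename($_SERVER['PHP_SELF']);
    if ($page == 'login.php') $page = 'index.php';
    header('Location: ' . $page);
    exit; // stop here so the including page does not keep running after the redirect
    ?>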
    login.php is just a form that verifies username and password. I recommend you store this in the database with passwords stored as a one-way hash. 6f1ed002ab5595859014ebf0951522d9 = blah
     
    loginform.php:
    <form method="post" action="<?= htmlspecialchars(basename($_SERVER['PHP_SELF']), ENT_QUOTES) ?>">
    Username <input type="text" name="username"> <br />  
    Password <input type="password" name="password"> <br />  
    <input type="submit" value="Login">  
    </form>
    logout.php:
    <?php  
    session_start();  
    $_SESSION['username'] = '';  
    header('Location: index.php'); // redirect user to index.php  
    ?>
    Do not put too much information in session variables. All you need is a username. If $_SESSION['username'] is empty, user is offline, else user is online. Only two things matter for sessions: online or offline. You deal with all user information in the mysql database.  
     
    You may want index.php for both logged in and not logged in users. Here's a sample.  
     
    index.php:
    <?php  
    session_start();  
    if(!empty($_SESSION['username'])) {  
    echo 'Hello, ' . $_SESSION['username'] . '! <a href="logout.php">sign out</a>';  
    } else {  
    echo 'Hello, Guest! sign up or <a href="login.php">login</a>';  
    }  
    // continue to show the rest of the site  
    ?>
    Here's a sample for logged in users only.  
     
    hello.php:
    <?php  
    include('login.php');  
    ?>  
    hello <?=$_SESSION['username']?>
    • ObiWan, Sep 13th 2010
    asdf - xyvermax needs to pay you nicely for all of the answers and information that you give him
    • asdf, Sep 13th 2010
    There is no payment I would be satisfied with.
    • xyvermax, Sep 13th 2010
    Thanks asdf, this would be a big help for me. Hey obiwan, that is the meaning of open source, just like what you see on the internet. Google is giving you right information if you find something for free. :)
    • xyvermax, Sep 13th 2010
    asdf, do I need to use a query from the database to check if the user and password exist? I don't see any query in your code. In my understanding I need to use an SQL statement to query the user and password from the input boxes.
    • asdf, Sep 13th 2010 (edited)
    You can query the database for username and password if you like. Right now my username and password are in the code. If you use the code as is, you can log in as asdf with the password blah.
     
    If you do query the database you can use the MySQL statement:
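    // Placeholders keep $username and $password out of the SQL text
    $stmt = $con->prepare("select * from users where username=? and password=md5(?)");
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $result = $stmt->get_result();
    $success = $result->num_rows > 0;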
    You can store usernames and passwords like this:
    $stmt = $con->prepare("insert into users (username, password) values (?, md5(?))");
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
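A login check against a users table, as an added example that is not part of the original thread: it binds input through placeholders and uses PHP's password_hash()/password_verify(), which store a per-user salted hash rather than a bare md5()/sha1() digest. The table layout, function names, sample accounts and the in-memory SQLite database (standing in for MySQL; PHP 7+ with pdo_sqlite) are assumptions.

```php
<?php
// Added example; table, function names and sample accounts are constructed.
function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:'); // stand-in for the MySQL connection
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $pdo;
}

function register_user(PDO $pdo, string $username, string $password): void {
    // password_hash() salts each password and uses a deliberately slow algorithm.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $pdo, string $username, string $password): bool {
    static $dummy = null; // verified against when the user does not exist
    if ($dummy === null) $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    // The username is bound as data, so quotes in it cannot change the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    return $hash !== false && $ok;
}

function login(PDO $pdo, string $username, string $password): bool {
    if (!check_login($pdo, $username, $password)) return false;
    // Issue a fresh session ID at login when a session is running.
    if (session_status() === PHP_SESSION_ACTIVE) session_regenerate_id(true);
    $_SESSION['username'] = $username;
    return true;
}

$pdo = open_db();
register_user($pdo, 'asdf', 'blah');
register_user($pdo, "o'brien", 'blah');
var_dump(login($pdo, 'asdf', 'blah'));
var_dump(login($pdo, 'asdf', 'wrong'));
var_dump(login($pdo, "o'brien", 'blah'));
var_dump(login($pdo, 'nobody', 'blah'));
// Compare the two stored hashes for the same password.
$hashes = $pdo->query('SELECT password_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
```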
    • xyvermax, Sep 13th 2010
    $success = $result->num_rows > 0;
    That one means there's an existing user, right? So by that I could check if it exists or not. Am I correct?
    • asdf, Sep 13th 2010
    Yes. It's because it will return true or false if the number of rows is more than 0.
    • xyvermax, Sep 13th 2010
    Hey asdf, I use sha1() to save the password and it works well, but when I tried to retrieve it on my page it shows the same sha password instead of showing the right password.
    • asdf, Sep 13th 2010 (edited)
    sha1 is an even better method. sha1 and md5 are one-way hashes; you can't go backwards, like converting sha1 or md5 back to the password.
     
    asdf enters their password 'blah', but 'blah' is not in the database, but the md5 of 'blah' is.  
    md5('blah') == '6f1ed002ab5595859014ebf0951522d9'  
     
    If someone were to hack your database, it would never reveal the real password. If a user wanted to retrieve their password, you will not be able to give them their password; you can email them a site to reset their password.
    • xyvermax, Sep 13th 2010
    So you mean I can't just display back the right password on my page?
    • asdf, Sep 13th 2010
    Unless you save their password in the database, but it's not recommended to store real passwords, as people share passwords between sites and accounts. If a hacker gets into your database he can take your password and email address and try logging into other accounts with it.
    • xyvermax, Sep 13th 2010
    So how can they change or reset their password?
    • asdf, Sep 13th 2010 (edited)
    If a user forgot their password you can send them a link to change their password.  
     
    Have a link that says Request New Password, send an email to the email address stored on their account.  
     
    The link will contain a hash of some sort:  
    http://blah.com/reset-password.php?username=asdf&key=5ebe2294ecd0e0f08eab7690d2a6ee69  
     
    key can be md5($username . $stored_md5_password)  
    key can be $stored_md5_password  
     
    The reason for the hash in the url is so others can not reset your password and get into your account.
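A reset key that is random, expires and works only once, as an added example that is not part of the original thread; unlike a key computed from the stored password hash, it cannot be derived from the contents of the users table. The password_resets table, function names and in-memory SQLite database are assumptions (PHP 7+ with pdo_sqlite).

```php
<?php
// Added example; table and function names are hypothetical.
function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:'); // stand-in for the MySQL connection
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE password_resets (username TEXT PRIMARY KEY,
                token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    return $pdo;
}

function create_reset_token(PDO $pdo, string $username, int $now, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32)); // unguessable and unrelated to the password
    $stmt = $pdo->prepare('REPLACE INTO password_resets (username, token_hash, expires_at)
                           VALUES (?, ?, ?)');
    // Only a hash of the token is stored, so a database read does not yield a usable link.
    $stmt->execute([$username, hash('sha256', $token), $now + $ttl]);
    return $token; // goes into the e-mailed link and nowhere else
}

function redeem_reset_token(PDO $pdo, string $username, string $token, int $now): bool {
    $stmt = $pdo->prepare('SELECT token_hash, expires_at FROM password_resets WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return false; // no reset was requested for this account
    $valid = hash_equals($row['token_hash'], hash('sha256', $token))
          && $now < (int) $row['expires_at'];
    if ($valid) {
        // Single use: the row is removed before the new password is accepted.
        $pdo->prepare('DELETE FROM password_resets WHERE username = ?')->execute([$username]);
    }
    return $valid;
}

$pdo = open_db();
$now = time();
$token = create_reset_token($pdo, 'asdf', $now);
echo "http://blah.com/reset-password.php?username=asdf&key=$token\n";
var_dump(redeem_reset_token($pdo, 'asdf', str_repeat('0', 64), $now)); // wrong key
var_dump(redeem_reset_token($pdo, 'asdf', $token, $now + 7200));       // after expiry
var_dump(redeem_reset_token($pdo, 'asdf', $token, $now + 60));         // within the hour
var_dump(redeem_reset_token($pdo, 'asdf', $token, $now + 61));         // second use
```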
    • ObiWan, Sep 13th 2010
    xyvermax: Hey obiwan that is the meaning of open source just like what you see on the internet. Google is giving you right information if you find something for free. :)
     
    FWIW, Google isn't "free". Google is a for-profit company that makes money through its advertising. Also, asdf has obviously spent a lot of time, and money, learning how to program. Are you saying that he shouldn't be rewarded (i.e. paid) for his skills/knowledge?
    • xyvermax, Sep 13th 2010
    So what do you think over here? Don't you see those Google ads around this website? Open your eyes, man! I am a customer too of this site that has the potential to hit the advertisement. I know that guy if I'm not mistaken. I make websites too that have ads on them, so I want more people to come to my site so I'll get money. I'll do everything on my site just to get traffic.
    • xyvermax, Sep 13th 2010
    Thanks asdf, now I'm using sha1() and also I could now retrieve the data based on the user input password using the sha1() function again. :)
    • asdf, Sep 14th 2010
    Oh nice. Good stuff. Just show me what you've made when you have it.
    • asdf, Sep 14th 2010
    Password Reuse http://xkcd.com/792/