
PHP Sessions Question

Familiar Sight
 
Join Date: Mar 2007
Posts: 146
#1: Jan 23 '08
I'm using sessions now but I've just realized a potential problem. It's a small job board and the employers have to register and login to post ads, and the job seekers have to register, login and post a resume in order to respond to certain ads.

The employers and the job seekers register their information into their own database table.

I don't fully understand how sessions work. What I'm using came from a book by Larry Ullman (chapter 13). I have this on my login page:
[PHP]session_start();

if (isset($_SESSION['first_name'])) {
echo "Welcome {$_SESSION['first_name']}!";
}

if (isset($_POST['submitted'])) { // Check if the form has been submitted.

require_once ('./includes/mysql_connect.php'); // Connect to the database.

// Validate the email address.
if (!empty($_POST['email'])) {
$e = escape_data($_POST['email']);
} else {
echo '<p><font color="red" size="+1">You forgot to enter your email address!</font></p>';
$e = FALSE;
}

// Validate the password.
if (!empty($_POST['pass'])) {
$p = escape_data($_POST['pass']);
} else {
$p = FALSE;
echo '<p><font color="red" size="+1">You forgot to enter your password!</font></p>';
}

if ($e && $p) { // If everything's OK.

// Query the database.
$query = "SELECT * FROM users WHERE (email='$e' AND pass=SHA('$p')) AND active IS NULL";
$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

$_SESSION['first_name'] = $row[3];
$_SESSION['user_id'] = $row[0];
$_SESSION['last_name'] = $row[4];
$_SESSION['company_name'] = $row[5];
$_SESSION['email'] = $row[1];
$_SESSION['city_name'] = $row[7];
$_SESSION['stateid'] = $row[8];[/PHP]
The first question I have is, in order for me to use this:
[PHP]if (isset($_SESSION['first_name']) && isset($_SESSION['last_name']))
{
echo " {$_SESSION['first_name']} {$_SESSION['last_name']}";
}[/PHP]I'll have to set it upon login like this:[PHP]$_SESSION['last_name'] = $row[4];[/PHP]correct?

Here is where I could have a problem; on top of every page is [PHP]session_start();[/PHP]I don't want a job seeker with the same name as an employer to be able to access the employer area.

How can I ensure this doesn't happen?

Should I change the !isset from this:
[PHP]if (!isset($_SESSION['first_name'])) {

// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

// Check for a trailing slash.
if ((substr($url, -1) =='/') OR (substr($url, -1) == '\\') ) {

// Chop off the slash.
$url = substr ($url, 0, -1);
}

// Redirect to this page if not logged in.
$url .= './../register/login.php';
header("Location: $url");

// Quit the script.
exit();[/PHP]to this:[PHP]if (!isset($_SESSION['first_name']) && (!isset($_SESSION['email'])) {[/PHP]because the email is unique.

The session script I'm using doesn't say to give the cookie a unique name. In fact, the only place it even mentions cookies is on the logout page:[PHP]$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.[/PHP]
Looks like the cookie name is - session_name. But I use this for both the job seeker area and employer area.

The time is set to -300 or 5 minutes. He doesn't elaborate on what the -300 means, but best I can tell it has something to do with destroying the session after the person logs out. However, I've noticed that if I login and am inactive for 5 minutes I have to log back in. Now this may be a problem, say, if it takes me longer than 5 minutes to make a job ad. Will I have a problem when I go to submit the ad only to find I've been logged out and all that I entered is gone?

Thanks
DavidPr

Expert
 
Join Date: Dec 2007
Location: Moon, Dark Side
Posts: 1,095
#2: Jan 28 '08

re: PHP Sessions Question



Depending on the commonalities between employer and job-seeker (if you're collecting almost identical information), I would put them in one USER table. The table will have a column that says TYPE, as simple as making 0 an employer and 1 a job-seeker. Based on this you can go to the appropriate section.

Each user will have a unique table ID, BUT as good practice don't use that; use their login, as it can't be the same. This is why most sites use the email address as login: because it's unique, two people can't have the same email address.

As for session, you need to grab the user ID and make sure it validates instead of their first_name.

Where's $row defined?

As a good programming practice, do not echo anything before your logic is done.

DO NOT RECOMMEND USING BOOK EXAMPLE FOR PRODUCTION sites.

they are used to show you how the language works.

time()-300 sets the cookie's expire time 300 milliseconds in the past (immediately destroys it).

I can't vouch for why the book doesn't mention setting the cookie until logout time. Look harder, it must be in there somewhere; if not, it's a bad book!

Try to play with the code instead of reading it to us. If you want to know what a variable contains at any point in time, insert an echo, die() or var_dump() statement to help you understand the code.
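The login handler below is an added example, not Larry Ullman's code or DavidPr's: it implements dlite922's suggestion of a single `users` table with a `type` column, looks the user up with a prepared statement, and records the numeric `user_id` and the `type` in the session rather than a display name. The schema (`user_id`, `email`, `pass_hash`, `first_name`, `last_name`, `type`, `active`), the database credentials and the redirect targets are assumptions constructed for the example; passwords are assumed to be stored with `password_hash()` instead of MySQL's `SHA()`, and PHP 7.1 or later with the `mysqlnd` driver is assumed.

```php
<?php
// Added example (not the book's or the poster's code). Assumed schema, constructed here:
//   users(user_id INT PK, email VARCHAR UNIQUE, pass_hash VARCHAR,
//         first_name VARCHAR, last_name VARCHAR, type ENUM('employer','seeker'), active)
// pass_hash is assumed to hold password_hash() output.

session_start();

/**
 * Look the user up by e-mail with a prepared statement (the value is bound,
 * never interpolated into SQL) and verify the password.
 * Returns the user row on success, null on failure.
 */
function authenticate(mysqli $db, string $email, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT user_id, email, pass_hash, first_name, last_name, type
           FROM users WHERE email = ? AND active IS NULL'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    if ($row === null || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return $row;
}

/**
 * Establish the logged-in session. A fresh session ID is issued so an ID the
 * browser already held before authentication never becomes a logged-in one
 * (session fixation). The identity is user_id plus type; names are display only.
 */
function establish_session(array $user): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'      => (int) $user['user_id'],
        'type'         => $user['type'],       // 'employer' or 'seeker'; what page guards check
        'first_name'   => $user['first_name'], // display only, never an access decision
        'last_name'    => $user['last_name'],
        'logged_in_at' => time(),
    ];
}

if (isset($_POST['submitted'])) {
    $errors = [];
    $email  = trim($_POST['email'] ?? '');
    $pass   = $_POST['pass'] ?? '';
    if ($email === '') { $errors[] = 'You forgot to enter your email address!'; }
    if ($pass === '')  { $errors[] = 'You forgot to enter your password!'; }

    if (!$errors) {
        // Placeholder credentials; replace with the site's own connection include.
        $db   = new mysqli('localhost', 'dbuser', 'dbpass', 'jobboard');
        $user = authenticate($db, $email, $pass);
        $db->close();

        if ($user !== null) {
            establish_session($user);
            // Each type goes to its own area. Nothing has been echoed yet,
            // so the Location header can still be sent.
            $dest = $user['type'] === 'employer' ? '/employer/main.php' : '/seeker/main.php';
            header('Location: http://' . $_SERVER['HTTP_HOST'] . $dest);
            exit();
        }
        // Same message for unknown e-mail and wrong password: don't reveal which.
        $errors[] = 'The email address and password entered do not match those on file.';
    }

    // Output only after all logic has run, and escape it.
    foreach ($errors as $e) {
        echo '<p class="error">' . htmlspecialchars($e) . '</p>';
    }
}
```

The important design choice is that `establish_session()` replaces the whole `$_SESSION` array after `session_regenerate_id(true)`, so nothing set under a pre-login session ID survives, and the only values later pages should consult for access decisions are `user_id` and `type`.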
Familiar Sight
 
Join Date: Mar 2007
Posts: 146
#3: Feb 2 '08

re: PHP Sessions Question


I'm putting this issue on the back burner for now. I've read enough about sessions to learn that you have to decide between security or functionality. Apparently you can't have both.

Cookies are more secure, but only hold a minuscule amount of information. Plus many people, it seems, set their browsers to block cookies.

Sessions hold more information but are less secure, as they are prone to hijacking or fixation. One fix I read to combat hijacking is to test against browser and OS type. This is highly effective since only about two people use IE6 and WinXP and the chances of them both finding your website at the same time are slim.

In my case, I just wanted to keep people from being logged off every five minutes. But 5 minutes is the automatic time out period set in the php.ini file, which as it turns out, I am the only person on the Web who does not have access to it because my websites are the only ones hosted on a shared server.

Anyway, consider this issue closed.
Needs Regular Fix
 
Join Date: Mar 2007
Location: US
Posts: 428
#4: Feb 3 '08

re: PHP Sessions Question


A simple solution would be to specify two session variables...

or three: First name, last name, type

where type is job seeker or employer.

I don't suggest using names as identifiers; you can create a unique user ID for each person.

But if you want to use names there's one more alternative:

Put them in one session variable, for example:

$_SESSION['info'] = "John-Doe-Employer";

and you can use

list($fname, $lname, $type) = explode("-", $_SESSION['info']);

and those three strings contain your user info.

I didn't catch the second question so I'll post again with a solution.

I know you closed the topic, i felt like helping.

Thanks for listening
Needs Regular Fix
 
Join Date: Mar 2007
Location: US
Posts: 428
#5: Feb 3 '08

re: PHP Sessions Question


To avoid being logged out after five minutes, locate the line in your script that sets a cookie with a positive value

EG: set_cookie("session_info" ... 300);

and change the 300 to time()+3600

This will keep you logged in for one hour, hopefully.
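The five-minute logout DavidPr describes in #3 and the cookie lifetime eragon addresses in #5 are two separate timers: the server-side garbage collection of the session file (`session.gc_maxlifetime`, the php.ini value mentioned in #3) and the browser-side lifetime of the session cookie. The fragment below is an added example, not code from the book or from either poster, showing both set from the script itself when php.ini is out of reach on shared hosting, plus an explicit idle-timeout check. The save path, the one-hour limit and the `last_activity` key are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example (not the book's or the posters' code). Everything before
// session_start() must run on every page before the session is opened,
// e.g. from a common include.

// Shared hosting: when several sites share one save_path, the host's garbage
// collector can remove session files on the shortest gc_maxlifetime any of
// them configured, which is one way a login can vanish after a few minutes.
// A private directory outside the web root keeps this site's sessions apart.
session_save_path('/home/example/private_sessions'); // placeholder path

// Server-side limit: how long an idle session file survives garbage collection.
$idle_limit = 3600; // one hour (assumed), matching eragon's suggestion
ini_set('session.gc_maxlifetime', (string) $idle_limit);

// Browser-side cookie. lifetime 0 means the cookie lasts until the browser
// closes; idleness is governed by the server-side limit above. httponly keeps
// the session ID out of reach of page scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => !empty($_SERVER['HTTPS']),
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

/**
 * Application-side idle timeout. gc_maxlifetime only says when a file *may*
 * be collected (collection runs probabilistically), so enforce the limit
 * explicitly: destroy the session if it has been idle longer than $limit,
 * otherwise record the current request as the latest activity.
 * Returns true while the session is still valid.
 */
function enforce_idle_timeout(int $limit): bool
{
    $now = time();
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > $limit) {
        $_SESSION = [];
        session_destroy();
        return false; // caller redirects to the login page
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

if (!enforce_idle_timeout($idle_limit)) {
    header('Location: http://' . $_SERVER['HTTP_HOST'] . '/register/login.php'); // assumed path
    exit();
}
```

Because the idle check is enforced in PHP, a user who is still filling in a job ad stays logged in as long as any request arrives within the limit; a long form can also be protected by making the limit comfortably longer than the time the form takes, rather than by extending the cookie alone, which does nothing once the server has discarded the session file.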
Familiar Sight
 
Join Date: Mar 2007
Posts: 146
#6: Feb 3 '08

re: PHP Sessions Question


OK, the registration and login system I'm using came from a book written by Larry Ullman, Chapter 13 (PHP and MySQL, 2nd Edition).

He only uses session_start(). No names, timeouts or urls.

I have session_start() on top of every page.

I use this on the login page:
[PHP]// Query the database.
$query = "SELECT * FROM users WHERE (email='$e' AND pass=SHA('$p')) AND active IS NULL";
$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

if (@mysql_num_rows($result) == 1) { // A match was made.

// Register the values & redirect.
$row = mysql_fetch_array ($result, MYSQL_NUM);
mysql_free_result($result);
mysql_close(); // Close the database connection.
$_SESSION['first_name'] = $row[3];
$_SESSION['user_id'] = $row[0];
$_SESSION['last_name'] = $row[4];
$_SESSION['company_name'] = $row[5];
$_SESSION['city_name'] = $row[7];
$_SESSION['stateid'] = $row[8];
$_SESSION['email'] = $row[2];

// Start defining the URL.
$url = './../register/main.php';

ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.
[/PHP]

I use this on every page in the employer area to identify and greet user after logging in:
[PHP]<?php
// If no user_id variable exists, redirect the user.
if (!isset($_SESSION['user_id'])) {

// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

// Check for a trailing slash.
if ((substr($url, -1) =='/') OR (substr($url, -1) == '\\') ) {

// Chop off the slash.
$url = substr ($url, 0, -1);
}

// Redirect to this page if not logged in.
$url .= './../register/login.php';
header("Location: $url");

// Quit the script.
exit();

}
else
{

// Welcome the user (by name if they are logged in).
echo '<p><strong>Logged in as:</strong>&nbsp; ';

if (isset($_SESSION['first_name']) && isset($_SESSION['last_name']))
{
echo " {$_SESSION['first_name']} {$_SESSION['last_name']}";
}
}

echo '<br>';

if (isset($_SESSION['company_name']))
{
echo "<strong>Company Name:</strong>&nbsp; {$_SESSION['company_name']}<br>";
}

if (isset($_SESSION['stateid']) && ($_SESSION['city_name']))
{
echo "<strong>Location:</strong>&nbsp; {$_SESSION['city_name']}, {$_SESSION['stateid']}</p>";
}
?>[/PHP]

And this to logout:
[PHP]// Logout the user.
$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.
}[/PHP]

That's it. And it's pretty much the same for the Job Seeker side except for setting the session values on the login page.

You should see the problems I have when using an online sitemap program. It spits out all the sessionid numbers.
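The session IDs the sitemap program picks up come from PHP's transparent session ID support (`session.use_trans_sid`), which appends the ID to links when it thinks the browser lacks the cookie; a crawler then records live session IDs, and the same mechanism lets an ID be handed to someone else in a link. The include below is an added example, not the book's or DavidPr's code, for the top of every employer-area page: it disables IDs in URLs, checks `user_id` and `type` rather than a name, and shows a logout that expires the cookie with the same parameters it was issued under. The session keys `user_id`, `type`, `first_name` and `last_name` are assumed to have been set at login, and the login path is an assumption.

```php
<?php
// Added example (not the book's or the poster's code): guard include for the
// employer area. Session keys 'user_id' and 'type' are assumed to be set at login.

// Keep the session ID in the cookie only. With trans_sid on, PHP rewrites links
// to carry ?PHPSESSID=..., which is how a crawler or sitemap tool ends up
// listing session IDs. use_strict_mode rejects IDs the server never issued,
// so a planted ID cannot be adopted (PHP 5.5.2+).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_start();

/**
 * Redirect to the login page unless the session belongs to a user of $role.
 * A job seeker who happens to share a name with an employer has a different
 * user_id and type, so the name never enters the decision.
 */
function require_role(string $role): void
{
    if (!isset($_SESSION['user_id'], $_SESSION['type']) || $_SESSION['type'] !== $role) {
        // Absolute URL without the dirname()/trailing-slash juggling;
        // nothing may have been echoed before this point.
        header('Location: http://' . $_SERVER['HTTP_HOST'] . '/register/login.php'); // assumed path
        exit();
    }
}

/**
 * Log the user out: clear the data, expire the cookie under the path/domain
 * it was set with (otherwise the browser keeps the old one), destroy the file.
 */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

require_role('employer');

// Safe to greet the user now. Session values originated from the registration
// form, so they are escaped like any other user-supplied text.
echo '<p><strong>Logged in as:</strong> '
   . htmlspecialchars($_SESSION['first_name'] ?? '') . ' '
   . htmlspecialchars($_SESSION['last_name'] ?? '') . '</p>';
```

The job-seeker area uses the same include with `require_role('seeker')`; since the guard compares the stored `type`, a single `session_start()` at the top of every page is fine, because the session itself is shared but the role stored in it decides which area it unlocks.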