Using SESSION in PHP

On Jan 6, 11:36 pm, jc...@lycos.com wrote:

Hello,

I have a form that uses a basic passphrase to ensure an employee user
is who they say they are. One field uses 'text' as the input type and
the other uses 'password'. When a query has been run, a user can
click the browser back button and the name is still there intact but
the password field is blank. My question is, what would the 'SESSION'
code look like that would allow a user to click their back button
where the 'userpass' field holds the original passphrase in the same
manner the browser holds the user name within the text field?

thanks very much,
John

<td>User Name:</td><td align="left"><input type="text" name="username"
size="29" maxlength="30" value=""></td></tr>

<td>User Password:</td><td align="left"><input type="password"
name="userpass" size="29" maxlength="30" value=""></td></tr>

iirc you would need to either save the plaintext password as either a
cookie or in the session that is newly created and do a callback
check.

It would be very bad to store it in either case as plaintext IMO.

jc***@lycos.com wrote:

Hello,

I have a form that uses a basic passphrase to ensure an employee user
is who they say they are. One field uses 'text' as the input type and
the other uses 'password'. When a query has been run, a user can
click the browser back button and the name is still there intact but
the password field is blank. My question is, what would the 'SESSION'
code look like that would allow a user to click their back button
where the 'userpass' field holds the original passphrase in the same
manner the browser holds the user name within the text field?

Using Session will require that the user is logged in before the password will
be there.

--- page that gets the username/password ---
session_start();
$_SESSION['password']=$_POST['userpass']; // we assume you use default post
--- eoe ---

--- the login form ---
<td>User Password:</td><td align="left"><input type="password"
name="userpass" size="29" maxlength="30" value="<?php echo
$_SESSION['password']; ?>"></td></tr>
--- eoe ---

If you want the password to be stored between sessions, then you have to use
cookies, which means you store the password in plain text on the client computer.

I suggest you talk with the system administration and ask if it would be
possible to upgrade the browsers to a more modern one, visit mozilla.org if
you want a browser that can store both the username and password and on top of
all encrypts the password it stores.

--

//Aho

On Jan 6, 9:43 pm, "J.O. Aho" <u...@example.netwrote:

jc...@lycos.com wrote:

Hello,

I have a form that uses a basic passphrase to ensure an employee user
is who they say they are. One field uses 'text' as the input type and
the other uses 'password'. When a query has been run, a user can
click the browser back button and the name is still there intact but
the password field is blank. My question is, what would the 'SESSION'
code look like that would allow a user to click their back button
where the 'userpass' field holds the original passphrase in the same
manner the browser holds the user name within the text field?

Using Session will require that the user is logged in before the password will
be there.

--- page that gets the username/password ---
session_start();
$_SESSION['password']=$_POST['userpass']; // we assume you use default post
--- eoe ---

--- the login form ---
<td>User Password:</td><td align="left"><input type="password"
name="userpass" size="29" maxlength="30" value="<?php echo
$_SESSION['password']; ?>"></td></tr>
--- eoe ---

If you want the password to be stored between sessions, then you have to use
cookies, which means you store the password in plain text on the client computer.

I suggest you talk with the system administration and ask if it would be
possible to upgrade the browsers to a more modern one, visit mozilla.org if
you want a browser that can store both the username and password and on top of
all encrypts the password it stores.

--

//Aho

Hmmm... Guess I'm back to looking at using cookies. :-) As I
searched for a solution, I happened across http://www.phpfreaks.com/tutorials/120/0.php
and tweaked some code to get it to return 'something' in the password
field, just not what I was looking for. thanks for the replies, all...

jc***@lycos.com wrote:

On Jan 6, 9:43 pm, "J.O. Aho" <u...@example.netwrote:

>jc...@lycos.com wrote:

>>Hello,
I have a form that uses a basic passphrase to ensure an employee user
is who they say they are. One field uses 'text' as the input type and
the other uses 'password'. When a query has been run, a user can
click the browser back button and the name is still there intact but
the password field is blank. My question is, what would the 'SESSION'
code look like that would allow a user to click their back button
where the 'userpass' field holds the original passphrase in the same
manner the browser holds the user name within the text field?

Using Session will require that the user is logged in before the password will
be there.

--- page that gets the username/password ---
session_start();
$_SESSION['password']=$_POST['userpass']; // we assume you use default post
--- eoe ---

--- the login form ---
<td>User Password:</td><td align="left"><input type="password"
name="userpass" size="29" maxlength="30" value="<?php echo
$_SESSION['password']; ?>"></td></tr>
--- eoe ---

If you want the password to be stored between sessions, then you have to use
cookies, which means you store the password in plain text on the client computer.

I suggest you talk with the system administration and ask if it would be
possible to upgrade the browsers to a more modern one, visit mozilla.org if
you want a browser that can store both the username and password and on top of
all encrypts the password it stores.

--

//Aho

Hmmm... Guess I'm back to looking at using cookies. :-) As I
searched for a solution, I happened across http://www.phpfreaks.com/tutorials/120/0.php
and tweaked some code to get it to return 'something' in the password
field, just not what I was looking for. thanks for the replies, all...

That's a little old (over 4 years) and a bit out of date. You don't
need setcookie(); just use $_COOKIE.

You also don't need to store the password in plain text on the user's
machine. You could easily hash the password.

Some ideas - untested, but alter as required to suit your needs:

$userid = ''; // Initialize the values
$password = '';
$hashedpw = '';
if (isset($_COOKIE['userid'])) { // If userid is in cookie
$userid = $_COOKIE['userid']);
if (isset($_COOKIE['password'])) // Check for hashed password
$hashedpw = $_COOKIE['password'));
}

... other stuff, as necessary ...

if ($userid <'') {
$result = mysql_query("SELECT pw, MD5(pw) AS hashedpw FROM users " .
"WHERE userid = $userid");
if ($result) {
$data = mysql_fetch_assoc($result);
if ($data) {
if (($data['hashedpw'<>'') && ($data['hashedpw']==$hashedpw))
$password = $data['password'];
}

... other stuff, as necessary ...
<input type=text name="userid" value="<?php echo $userid;?>">
<input type=password name="password" value="<php echo $password;?>">
But this won't necessarily help you when the user uses the back button.
With the back button, your browser is probably pulling the information
from the cache. If the password was filled in by the above code (i.e.
the cookie existed and was valid) the first time the user displayed the
page, the password should be filled in the second time. But if the user
typed in the password, the password may not be filled in. This
operation is browser dependent and there isn't anything you can do about
it from the PHP end.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

On 7 Jan, 04:36, jc...@lycos.com wrote:

Hello,

I have a form that uses a basic passphrase to ensure an employee user
is who they say they are. One field uses 'text' as the input type and
the other uses 'password'. When a query has been run, a user can
click the browser back button and the name is still there intact but
the password field is blank. My question is, what would the 'SESSION'
code look like that would allow a user to click their back button
where the 'userpass' field holds the original passphrase in the same
manner the browser holds the user name within the text field?

thanks very much,
John

<td>User Name:</td><td align="left"><input type="text" name="username"
size="29" maxlength="30" value=""></td></tr>

<td>User Password:</td><td align="left"><input type="password"
name="userpass" size="29" maxlength="30" value=""></td></tr>

All bets are off when it comes to the browsers 'back' button. Even if
you've got all the caching correct, both MSIE and Firefox (and
possibly many other browsers too) maintain a two+ tier cache - if the
delay is short enough, the browser will use a cached copy of the page
REGARDLESS of the caching information sent with the page when the back
button is pressed.

You should seperate the authentication and action - either use one of
the standard HTTP authentication schemes (but not BASIC unless its
over SSL) or have a sperate login page to create a session.

C.