pek wrote:
On Jun 26, 3:42 pm, "C. (http://symcbean.blogspot.com/)"
<colin.mckin...@gmail.com> wrote:
> On Jun 25, 1:52 pm, pek <kimwl...@gmail.com> wrote:
>> I have read a lot of tutorials on how to create a login mechanism (a
>> lot of which I found really useful). None of them however explain how
>> you check if the user is or is not in fact logged in.
>> What is your implementation? What do you believe is a good practice
>> and what is not? Do you provide both sessions and cookies for temporal
>> and long-term logins..?
> You're confusing authentication and session management. If you try to
> make them the same thing, and you allow users to login without
> expiring for a long period of time you will have to maintain the user
> session for that time - which is not going to scale well nor allow for
> change management.
> By all means allow your website to 'remember me' - but implement this
> separately from the session handling.
> Then do authentication for any user who does not have a valid
> session, if the user is authenticated, create a session or flag the
> session as valid.
> C.
OK, maybe I didn't make myself clear.
My question is simply this:
What is your code to check whether a user is logged in or not.

Hi,
You cannot expect us to give you literal code.
YOU are the one designing the authentication and the subsequent checking.
A simple example:
login.php
contains a form where a username and password is typed.
It posts to:
login_process.php
Here you check the passed username/password against a database or
something that holds this information.
if successful:
So you'll end up with something like:
[just a code snippet]
session_start();
$username = $connection->qstr($_POST["username"]);
$password = $connection->qstr($_POST["password"]);
// The $connection->qstr is from the ADODB db abstraction layer.
// You might well use another to prevent SQL injection.
$SQL = "SELECT userid FROM tbluser WHERE ((username=$username) AND (password=$password))";
$RS = $connection->getAll($SQL);
if (isset($RS[0])) {
    // OK: store the userid of the matching row in the session
    $_SESSION["userid"] = $RS[0]["userid"];
    header("Location: userpage.php");
    exit;
} else {
    echo "bad username and password. Try again.";
    exit;
}
userpage.php
On this page you demand a logged-in user, so start this page with:
session_start();
if (!isset($_SESSION["userid"])) {
    echo "Sorry, your session expired, or you are screwing up somehow.";
    exit;
}
Since you'll end up with the above check routine on every page, I advise
you to put the whole into a function, named e.g.: redirectIfNotLoggedIn().
Hope this helps a little.
So in short: You make some entry in $_SESSION on successful login, and
you check it everywhere where you demand a logged-in user.
Regards,
Erwin Moller
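
The session check discussed in this thread, as an added example that is not part of any poster's message: it uses the redirectIfNotLoggedIn() name suggested above, verifies a hashed password, and issues a new session id at login. Assumptions: a PDO handle in place of ADODB, a hypothetical `password_hash` column in tbluser filled by password_hash(), and a 30-minute idle limit.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection and a tbluser
// table whose `password_hash` column (hypothetical name) holds password_hash() output.

// Verify credentials; returns the userid on success, null otherwise.
function authenticate(PDO $db, string $username, string $password): ?int
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT userid, password_hash FROM tbluser WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the password against the stored hash.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return (int) $row['userid'];
    }
    return null;
}

// Mark the current session as logged in (call from login_process.php
// after session_start()).
function logIn(int $userid): void
{
    // New session id at the privilege change, so an id fixed before login is useless.
    session_regenerate_id(true);
    $_SESSION['userid'] = $userid;
    $_SESSION['last_seen'] = time();
}

// Call at the top of every protected page such as userpage.php.
function redirectIfNotLoggedIn(int $idleLimit = 1800): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (!isset($_SESSION['userid']) || $idle > $idleLimit) {
        $_SESSION = [];            // drop any stale login state
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding idle timeout
}

// login_process.php (constructed usage; $db is an assumed PDO handle):
// session_start();
// $userid = authenticate($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($userid === null) { echo 'Bad username or password.'; exit; }
// logIn($userid);
// header('Location: userpage.php'); exit;
```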