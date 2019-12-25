What should that mean? No one here sits in front of your computer. You can output variables at any point with var_dump(), right after the assignment and where you want to show something. There’s a null value or not what you expected? Just use the next upper key of the array or the complete array with var_dump().
How do I match the logged in user to his/her member name from the DB and use echo to display it on the page they are visiting?
We’d need to see the code in context to have a chance of trying to help figure out what’s wrong. There is nothing wrong with any of the lines of code you posted, in isolation, so the key will be how they interact with the rest of the code.
Is that right at the start of your PHP code? Before you call session_start()?
I got a blank screen. I did fix that, but it now simply displays nothing (it shows the page and other content, but echos nothing).
Okay thanks!
Okay here is the complete login function:
if (! empty($_POST["login"])) {
    $isAuthenticated = false;
    $username = $_POST["member_name"];
    $password = $_POST["member_password"];
    $user = $auth->getMemberByUsername($username);
    if (password_verify($password, $user[0]["member_password"])) {
        $isAuthenticated = true;
    }
    if ($isAuthenticated) {
        $_SESSION["member_id"] = $user[0]["member_id"];
        // Set Auth Cookies if 'Remember Me' checked
        if (! empty($_POST["remember"])) {
            setcookie("member_login", $username, $cookie_expiration_time);
            $random_password = $util->getToken(16);
            setcookie("random_password", $random_password, $cookie_expiration_time);
            $random_selector = $util->getToken(32);
            setcookie("random_selector", $random_selector, $cookie_expiration_time);
            $random_password_hash = password_hash($random_password, PASSWORD_DEFAULT);
            $random_selector_hash = password_hash($random_selector, PASSWORD_DEFAULT);
            $expiry_date = date("Y-m-d H:i:s", $cookie_expiration_time);
            // mark existing token as expired
            $userToken = $auth->getTokenByUsername($username, 0);
            if (! empty($userToken[0]["id"])) {
                $auth->markAsExpired($userToken[0]["id"]);
            }
            // Insert new token
            $auth->insertToken($username, $random_password_hash, $random_selector_hash, $expiry_date);
        } else {
            $util->clearAuthCookie();
        }
        $_SESSION['node'] = $row['member_name'];
        $util->redirect("main.php");
    } else if (empty($username)) {
        $message = "<br><span style='width:92%;margin:0px auto;padding: 10px;border: 1px solid #a94442; color: #a94442; background: #f2dede; border-radius: 5px; text-align: left;'>Username can't be empty!</span>";
    } else if (empty($password)) {
        $message = "<br><span style='width:92%;margin:0px auto;padding: 10px;border: 1px solid #a94442; color: #a94442; background: #f2dede; border-radius: 5px; text-align: left;'>Password can't be empty!</span>";
    } else {
        $message = "<br><span style='width:92%;margin:0px auto;padding: 10px;border: 1px solid #a94442; color: #a94442; background: #f2dede; border-radius: 5px; text-align: left;'>Invalid Username/Password!</span>";
    }
}
And the echo in main.php:
<span style="color:white;font-size:20px;">Welcome <span style="color:orange;">
<?php echo "{$_SESSION['node']}"; ?></span>!</span>
Thanks!
$_SESSION['node'] = $row['member_name'];
There is no other reference to $row in your code - you don’t read it from anywhere, so it’s no surprise that this doesn’t do anything.
Does your code set the member_id session variable correctly, and can you display that (even just for debugging purposes) in your main.php code?
I didn’t notice this before. Perhaps that is the cause of some confusion - member_name is the column that holds members’ names, not the row.
Post the getMemberByUsername method. As I mentioned before, something is funky with the zero array you are using.
Here it is:
function getMemberByUsername($username) {
    $db_handle = new DBController();
    $query = "Select * from members where member_name = ?";
    $result = $db_handle->runQuery($query, 's', array($username));
    return $result;
}
I agree after examining some code on another site. So I need something to read the DB and return the logged in member’s username to a var, then echo this?
No, that should already be coming back when you first call getMemberByUsername(). It’ll be in your $user array, like the password and id are. But not in an array called $row, as that doesn’t exist anywhere.
The function is strange, though, in that it returns an array of users when, in reality, you should only be getting one user back. In turn, that makes the rest of the code more complex-looking because you have to use things like $user[0]["member_password"] when you could be using $user['member_password']. It would be relatively easy to modify, but it doesn’t affect the specific issue you have here.
Got it:
$_SESSION['node'] = $user[0]["member_name"];
and
<?php echo "{$_SESSION['node']}"; ?>
Thank you, and thanks to everyone else! You all were very polite and helpful. I’ll be sticking around for sure.
If you want to just output a variable you can skip the quotation marks and curly brackets, that’s very redundant.
Cool, thanks!
I did notice a small issue. The session code to produce the var is run just after login, and works. But if someone uses “Remember Me” when logging in, closes the browser, then comes back later, they are automatically logged in via cookie and sent to the main page. But since they did not technically log in via the login routine, it now will NOT display the echoed var. Maybe because when re-loading the browser, it creates a new session?
I played around with it, and I couldn’t figure out how to fix it… suggestions please?
I believe that sessions are lost when the browser is closed. It’s remembering that the user is logged in because you do that with cookies, not sessions.
Yes, gotcha. Maybe I can add a small piece of code that pulls the logged in member’s name from the DB when they hit the main page?
You could. Or you could store that in a cookie, as well.
I’m not sure what’s considered “good practice” on that score, but I’m sure others will. My guess is as long as the cookies don’t get overwhelming, and you don’t store something daft like their unhashed password, it’s probably OK.
ETA - just make sure that you don’t presume that just because you’ve had something from a cookie that it’s necessarily valid. It’s not difficult, apparently, to edit cookies at the client end, so it’s important to validate things.
You shouldn’t store anything security relevant in a cookie because the client can easily change that. So storing a user-ID can also lead to identity theft when a bad client just changes the cookie value to some other ID and you just log that in.
But there’s a technique called “signed cookies” (ad hoc I didn’t find any definitive resource for that) that utilizes encryption and hashing on any data stored in a cookie with a secret stored on the server, so you can rely on the fact that this data was validated server-side previously.
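A minimal signed-cookie sketch for a display value such as the member name, added here as an illustration and not taken from any poster's code. It uses an HMAC-SHA256 tag with a server-side secret, so the value is tamper-evident but still readable by the client; the function names, payload layout and secret are assumptions.

```php
<?php
// Added example: signCookie()/verifyCookie() and the payload layout are hypothetical.

function signCookie(array $data, int $ttl, string $secret, int $now): string
{
    // The expiry time is part of the signed payload, so the client cannot extend it.
    $payload = base64_encode(json_encode(['data' => $data, 'exp' => $now + $ttl]));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function verifyCookie(string $cookie, string $secret, int $now): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Verify the tag first, in constant time, before decoding any client-supplied data.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $decoded = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($decoded) || !is_array($decoded['data'] ?? null)) {
        return null;
    }
    if (!is_int($decoded['exp'] ?? null) || $decoded['exp'] < $now) {
        return null; // signed correctly, but past its lifetime
    }
    return $decoded['data'];
}

// Constructed demo values; a real secret comes from server-side configuration.
$secret = 'constructed-demo-secret';
$now    = time();
$cookie = signCookie(['member_name' => 'alice'], 3600, $secret, $now);

var_dump(verifyCookie($cookie, $secret, $now));        // array with member_name => alice

// A client edits the payload but can only reuse the old tag: rejected.
[, $mac] = explode('.', $cookie, 2);
$edited  = base64_encode(json_encode(['data' => ['member_name' => 'admin'], 'exp' => $now + 3600]));
var_dump(verifyCookie($edited . '.' . $mac, $secret, $now));   // NULL

// The untouched cookie after its lifetime has passed: rejected.
var_dump(verifyCookie($cookie, $secret, $now + 7200));         // NULL
```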
I wondered if that was something to do with the other values the OP is storing in cookies - random_password and random_selector, some kind of security mechanism.
Yes, there is an encryption method that uses hashed data in the DB and compares it to what’s stored in the cookie for validation.
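One way to handle the “Remember Me” case raised above: check the three cookies against the stored token hashes, then refill the session with the member name on the server side. This is an added example, not the OP's code; validateRememberMe(), the token-row keys and the in-memory table are assumptions standing in for the OP's getTokenByUsername() lookup.

```php
<?php
// Added example: the function name and the token-row keys are hypothetical.

/**
 * Returns the username to restore into the session, or null if the
 * cookies do not match an active, unexpired token row.
 */
function validateRememberMe(array $cookies, ?array $tokenRow, int $now): ?string
{
    foreach (['member_login', 'random_password', 'random_selector'] as $key) {
        if (!isset($cookies[$key]) || !is_string($cookies[$key]) || $cookies[$key] === '') {
            return null; // cookie missing or not a plain string
        }
    }
    if ($tokenRow === null || (int) $tokenRow['is_expired'] !== 0) {
        return null; // no active token for the claimed username
    }
    if (strtotime($tokenRow['expiry_date']) < $now) {
        return null; // token lifetime is enforced server-side, not by the cookie
    }
    // Both random values must match the hashes written at login time.
    $okPassword = password_verify($cookies['random_password'], $tokenRow['password_hash']);
    $okSelector = password_verify($cookies['random_selector'], $tokenRow['selector_hash']);
    // The name comes from the stored row, never from the cookie itself.
    return ($okPassword && $okSelector) ? $tokenRow['username'] : null;
}

// Constructed stand-in for the token table, keyed by username.
$tokens = ['alice' => [
    'username'      => 'alice',
    'password_hash' => password_hash('constructed-password-token', PASSWORD_DEFAULT),
    'selector_hash' => password_hash('constructed-selector-token', PASSWORD_DEFAULT),
    'expiry_date'   => date('Y-m-d H:i:s', time() + 3600),
    'is_expired'    => 0,
]];
$cookies = [
    'member_login'    => 'alice',
    'random_password' => 'constructed-password-token',
    'random_selector' => 'constructed-selector-token',
];

$session = []; // stands in for $_SESSION at the top of main.php
$name = validateRememberMe($cookies, $tokens[$cookies['member_login']] ?? null, time());
if ($name !== null) {
    $session['node'] = $name; // the welcome line now has a value after auto-login
}
var_dump($session); // node => alice

$cookies['member_login'] = 'bob'; // client edits the username cookie: no matching row
var_dump(validateRememberMe($cookies, $tokens[$cookies['member_login']] ?? null, time())); // NULL
```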
