Managing Users with PHP Sessions and MySQL

This is an article discussion thread for discussing the SitePoint article, “Managing Users with PHP Sessions and MySQL


Great tutorial!

This is a gem and I refer others to to it as often as I can. thanks Kevin.


This is by far the best tutorial on this subject on the entire web!

Thank you


Great tutorial! Using Postgres as db but the fundementals learned are very, very helpful!

Excellent Tutorial, Exactly what I was looking for and was very easy to understand and figure out how to tweak to what I wanted to do…

This is the best and clearest description of sessions and for that matter a useful version of a login script that I have found, normally tutorials are very vauge and are not presented in an actual usable situation.

Good work

Awesome material, very clear and very efficient. It helped me understand more about the sessions, and how to create the backbone for my access control :smiley: thank you very much!

First I want to thank you for this tutorial. Just what I was looking for!
Everything is working fine, but I’m trying to figure out how to make a logout button? I’ve done the following:

I’ve created a logout.php which the logout button is refering to:

$_SESSION = array(); 
$login_page = "index.php";
header("Location: $login_page"); 

But when I open logout.php the following error appears:

Warning: session_destroy(): Trying to destroy uninitialized session in /home/jesse/www/sub/supplytool/logout.php on line 3

Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5

Could someone please help me out? Thanks in advance…

Kevin Great Works!
It is very simple, clear, informative and comprehensive.
I can understand easily and try it on my production website

However, Can you add some security measures to avoid “session hijacking” …please do write me email or post it on your website …

Cheers …

You should do this:
//start the session

//check to make sure the session variable is registered

//session variable is registered, the user is ready to logout
$login_page = “”;
header(“Location: $login_page”);

//the session variable isn’t registered, the user shouldn’t even be on this page
header( “Location:” );

Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5

Could someone please help me out? Thanks in advance…

Add this in the first line of your code

I could not get this to work properly until I changed the password table to be 41 characters long rather than the given 16. At 16 it was truncating the password created by MySQL. After setting it to 41 passwords could be properly read.

Not a bad article, but security appears not to have been considered. Page 3 uses raw data from the user and inserts it into both a SELECT statement and an INSERT statement, giving an attacker the opportunity to insert malicious SQL to create his own account, to gain unauthorised access or to cause damage to existing data.

Readers are advised to read up on SQL injection before making use of the information in this article on a live server.

I can´t get the sessions to work. I can log in but when I follow a link to another page where login also is required I need to type in my username and password again!

Where in the code does it tell to redirect the user to protectedpage.php? It it automatically because it detects the <?include protectedpage.php?> in the web page.

The Signup page worked wonderfully I received my new password by email but when I try to login the system notifies me that I entered the wrong username/password. I verified my db and my password is hashed so its fine.
Any thoughts??

in a system where there r 2 types of users say adminstrator and guest, if v r using this type of setting session variables , then while the administrator is logged on, any user who knows the address can view those pages. how do v get around this prolem?

Add another column in the database called userlevel or something
if admin value = 1 if normal user value = 0

then you check admin-pages with this:

if($_SESSION['userlevel'] == 1) {
} else {
echo 'I don\\'t think so!';

of course you have to set the session first, but it shouldn’t be a problem.

Something like that.