Managing Users with PHP Sessions and MySQL

This is an article discussion thread for discussing the SitePoint article, “Managing Users with PHP Sessions and MySQL”.

Excellent!!

Great tutorial!

This is a gem and I refer others to it as often as I can. Thanks, Kevin.

Steve

This is by far the best tutorial on this subject on the entire web!

Thank you

Tanker2004

Great tutorial! Using Postgres as db but the fundamentals learned are very, very helpful!

Excellent Tutorial, Exactly what I was looking for and was very easy to understand and figure out how to tweak to what I wanted to do…

This is the best and clearest description of sessions and, for that matter, a useful version of a login script that I have found. Normally tutorials are very vague and are not presented in an actual usable situation.

Good work

Awesome material, very clear and very efficient. It helped me understand more about the sessions, and how to create the backbone for my access control :smiley: thank you very much!

First I want to thank you for this tutorial. Just what I was looking for!
Everything is working fine, but I’m trying to figure out how to make a logout button? I’ve done the following:

I’ve created a logout.php which the logout button is referring to:


$_SESSION = array(); 
session_destroy();
$login_page = "index.php";
header("Location: $login_page"); 

But when I open logout.php the following error appears:

Warning: session_destroy(): Trying to destroy uninitialized session in /home/jesse/www/sub/supplytool/logout.php on line 3

Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5

Could someone please help me out? Thanks in advance…

Kevin, great work!
It is very simple, clear, informative and comprehensive.
I can understand easily and try it on my production website http://www.suksesinternet.com.

However, can you add some security measures to avoid “session hijacking”? Please write me an email or post it on your website …

Cheers …

You should do this:
<?php
// start the session so that $_SESSION is populated
session_start();

// check to make sure the session variable is set
// (isset() replaces session_is_registered(), which no longer exists in current PHP)
if (isset($_SESSION['uid'])) {

    // session variable is set, the user is ready to logout
    session_unset();
    session_destroy();
    $login_page = "http://www.yoursite.com/";
    header("Location: $login_page");
    exit;
}
else {

    // the session variable isn't set, the user shouldn't even be on this page
    header("Location: http://www.muzejpriboj.co.yu/my_site");
    exit;
}
?>

Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5

Could someone please help me out? Thanks in advance…

Add this in the first line of your code
ob_start();
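A logout script written so that neither warning from the question above can occur, as an added example (not code from the article or from any post in this thread). It assumes index.php is the login page, as in the question, and sends no output before the header() call, so no output buffering is needed:

```php
<?php
// logout.php: added example, not from the article or this thread.
// Assumes index.php is the login page (as in the question above).

// session_start() must run before session_destroy(); without it PHP has no
// session to destroy, which is what the first warning reports.
session_start();

// Empty the session array so the data is gone for the rest of this request too.
$_SESSION = [];

// Expire the session cookie in the browser; otherwise the old session id is
// presented on the next request even though its server-side data is gone.
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $params['path'],
        $params['domain'],
        $params['secure'],
        $params['httponly']
    );
}

// Remove the server-side session data.
session_destroy();

// Redirect to the login page. Nothing, not even whitespace before "<?php",
// may be output before this call, or the "headers already sent" warning
// appears. exit stops the script so nothing further is sent after the redirect.
header('Location: index.php');
exit;
```

The file must begin with `<?php` as its very first bytes: a blank line or a byte-order mark before the opening tag counts as output and triggers the second warning.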

I could not get this to work properly until I changed the password table to be 41 characters long rather than the given 16. At 16 it was truncating the password created by MySQL. After setting it to 41 passwords could be properly read.

Not a bad article, but security appears not to have been considered. Page 3 uses raw data from the user and inserts it into both a SELECT statement and an INSERT statement, giving an attacker the opportunity to insert malicious SQL to create his own account, to gain unauthorised access or to cause damage to existing data.

Readers are advised to read up on SQL injection before making use of the information in this article on a live server.
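To illustrate the two points raised above (the SELECT and INSERT built from raw user input, and the 41-character PASSWORD() column from the earlier post), here is the vulnerable query beside a hardened version, as an added example that is not the article's code. It assumes a mysqli connection and a table named user with username and password columns; those names, and the use of password_hash() instead of MySQL's PASSWORD(), are assumptions that go beyond the article's own schema:

```php
<?php
// Added example, not code from the article or from any post in this thread.
// Assumed schema (not the article's):
//   CREATE TABLE user (id INT AUTO_INCREMENT PRIMARY KEY,
//                      username VARCHAR(64) UNIQUE,
//                      password VARCHAR(255));  -- wide enough for any hash

// VULNERABLE (do not use): the username and password are pasted into the SQL
// text, so whatever the user typed becomes part of the query itself.
function login_vulnerable(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM user WHERE username = '$username'"
         . " AND password = PASSWORD('$password')";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows === 1;
}

// HARDENED: a prepared statement keeps the input as data, so it can never
// alter the structure of the query. The password is checked in PHP with
// password_verify() against the password_hash() value stored at signup.
function login_safe(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM user WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();      // true for a row, null for none, false on error
    $stmt->close();

    if ($found !== true || !password_verify($password, $hash)) {
        return null;              // unknown user or wrong password
    }
    return (int) $id;
}

// Signup with the same discipline: bound parameters and a salted hash.
function signup_safe(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (assumed connection details):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'sessions');
// $uid = login_safe($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Storing a password_hash() value also removes the truncation problem described above: the column just has to be wide enough for the hash, and password_verify() reads whatever algorithm and salt are recorded in it.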

I can’t get the sessions to work. I can log in but when I follow a link to another page where login also is required I need to type in my username and password again!

Where in the code does it tell to redirect the user to protectedpage.php? Is it automatic because it detects the <?include protectedpage.php?> in the web page?
Thanks;
Ricky

The Signup page worked wonderfully. I received my new password by email, but when I try to login the system notifies me that I entered the wrong username/password. I verified my db and my password is hashed so it’s fine.
Any thoughts??

In a system where there are 2 types of users, say administrator and guest, if we are using this type of setting session variables, then while the administrator is logged on, any user who knows the address can view those pages. How do we get around this problem?

Add another column in the database called userlevel or something:
if admin, value = 1; if normal user, value = 0.

then you check admin-pages with this:


if ($_SESSION['userlevel'] == 1) {
    // ADMINS-STUFF HERE!
} else {
    echo 'I don\'t think so!';
}

of course you have to set the session first, but it shouldn’t be a problem.

Something like that.
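The userlevel check above, combined with the session-hijacking question earlier in the thread, as an added example that is not from the article or any poster. It assumes the userlevel column values suggested above (1 = admin, 0 = normal user), a login page named index.php, and that the login script calls start_user_session() once the password has been verified; every protected page then calls require_login() before producing any output:

```php
<?php
// Added example, not code from the article or from any post in this thread.
// Assumes: 'userlevel' column as suggested above (1 = admin, 0 = user),
// index.php is the login page, and the login script has already verified
// the password before calling start_user_session().

// Start the session with cookie flags that make a stolen id harder to use.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                       // not readable by page scripts
        'secure'   => !empty($_SERVER['HTTPS']),  // only sent over TLS when available
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call this once right after a successful password check.
function start_user_session(int $uid, int $userlevel): void
{
    secure_session_start();
    // A fresh id at login means an id planted or observed before
    // authentication is worthless afterwards (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['uid']       = $uid;
    $_SESSION['userlevel'] = $userlevel;
    // Loosely bind the session to the browser that created it.
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Include at the top of every protected page, before any output.
// $required_level: 0 for any logged-in user, 1 for admin-only pages.
function require_login(int $required_level = 0): void
{
    secure_session_start();

    $ua_now    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $logged_in = isset($_SESSION['uid'])
              && ($_SESSION['ua_hash'] ?? '') === $ua_now;

    if (!$logged_in) {
        header('Location: index.php');   // back to the login page
        exit;
    }
    if (($_SESSION['userlevel'] ?? 0) < $required_level) {
        http_response_code(403);
        echo "I don't think so!";
        exit;
    }
}

// A normal protected page begins with:   require_login();
// An admin page begins with:             require_login(1);
```

Because require_login() calls session_start() itself, every protected page sees the same $_SESSION data, which is the usual cause of the "logged in on one page, asked again on the next" symptom reported earlier in the thread.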