I have got 3 files with me.

login.html
login_check.php
welcome.php

In login.html, when the username and password are entered and the submit button is clicked, login_check.php checks whether the username entry is in the database on the basis of $_POST['username'] and some SQL query. Now I have put the following code at the bottom of login_check.php

login_check.php

header('Location: welcome.php');
exit; // stop the script so nothing else runs after the redirect header

But I want to pass $_POST['username'] from login_check.php to welcome.php so that I can make use of $_POST['username'] in my welcome page. Is there any way by which I can pass an argument like in the above case?

A: 

This can be done using QUERY_STRING (I am sure you have seen it before - these ?'s and &'s in the address bar), but you shouldn't do it as it's just insecure.

A session is the common way to store a username after login and authorization in general.

Col. Shrapnel
Yep, don't do it this way, use the $_SESSION superglobal.
Rich Bradshaw
+4  A: 

Use session instead because you would be showing the user's name every time on the welcome page no matter which page you land at welcome page.

You can set the session on login_check page like:

session_start(); // this should be on top of login_check file

// this goes just before redirect line
$_SESSION['username'] = $_POST['username'];

Now on the welcome page, you can show username like:

session_start(); // this should be on top of welcome page.
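// single quotes, not backticks (backticks run a shell command); escape the value for HTML output
echo 'Welcome ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');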
Sarfraz
A: 

The session should only be used for session data - not for data relating to a specific page transition. However, recording the fact the user has been authenticated and the username with which they authenticated is session data.

So while you shouldn't use session data to pass information from login.php to login_check.php, in login_check.php, if the authentication is successful, you should then store the authenticated username in the session.

While, as Col. Shrapnel says you could do:

header('Location:welcome.php?username=' . urlencode($_POST['username']));

This is trivial to circumvent - you just need to type welcome.php?username=admin into your browser to break the security.

If that's still not clear, consider the situation where the user has two browser windows open at the same time, navigating through different parts of the site (i.e. using same session data). If both browsers submit data at the same time which is written to the session and you're not sure of the outcome, then you probably shouldn't be keeping the data in the session.

HTH

C.

symcbean
That will show the user name only for the first time that is coming from login_check page but that is not what he is looking for.
Sarfraz
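
The session approach recommended in the answers above, as an added example that is not code from any poster in this thread: the username is written to the session only after the password check succeeds, and welcome.php trusts the session rather than anything in the URL. The file name auth.php, the function names, the users table layout and the $dsn variable are assumptions made for illustration.

```php
<?php
// auth.php (hypothetical file name): include from login_check.php and welcome.php.
// Assumed schema, not from the thread: users(username TEXT, password_hash TEXT),
// where password_hash was produced by PHP's password_hash().

// Verify credentials; on success bind the username to the server-side session.
function complete_login(PDO $db, $username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;                         // rejects array input such as username[]=x
    }
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;                         // nothing is written to the session
    }
    session_regenerate_id(true);              // new session ID at login (session fixation)
    $_SESSION['username'] = $row['username']; // value from the DB row, not raw $_POST
    return true;
}

// Return the authenticated username, or null when nobody is logged in.
function current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

// Send a redirect and stop, so no protected output follows the header.
function redirect(string $page): void
{
    header('Location: ' . $page);
    exit;
}

/* login_check.php:
 *   require 'auth.php'; session_start();
 *   $db = new PDO($dsn);   // $dsn: placeholder for your connection string
 *   $ok = complete_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
 *   redirect($ok ? 'welcome.php' : 'login.html');
 *
 * welcome.php:
 *   require 'auth.php'; session_start();
 *   $user = current_user();
 *   if ($user === null) { redirect('login.html'); }
 *   echo 'Welcome ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
 */
```

Requesting welcome.php?username=admin has no effect here, because welcome.php never reads $_GET; without a session created by a successful login the visitor is sent back to login.html.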