Hey all,

So I've scrapped all the crappy tutorials that have never worked for one reason or another, and decided to roll out my own registration/login feature on my own, and to my surprise it actually works!

But what I don't get is how the logic behind keeping somebody logged in works! Like, once they've logged in, do I just $_POST their data to whatever other page they visit and once they're on the new page $_REQUEST that post data from the URL and display a message like: "yeah, you're still logged in"?

I'm a bit confused atm, so I hope this question doesn't confuse you too.

thank you

+1  A: 

Once they have logged in you generally have two options. Store their details or an authentication token (something that will help the PHP on the server know who is who) in a session or store it in a cookie. Both have their perks, but you will need to choose the one that works for you.

If you store data in a session, the user cannot access what you have stored, only your code can. This is helpful if you want to store say, their id or username. You can trust that it would always be their id and username, because they cannot modify it.

With cookies, the user can access and modify them because they are stored on their local machines. Because of this, you need to be a bit more sneaky and hash the user's details, then verify who it is with some server-side logic. It's a little more complex.

A session implementation might look like this:

session_start(); //Make sure you call this at the top of EVERY page
if($passwordsMatch){
    session_regenerate_id(true); //Issue a fresh session id at login so a pre-set id cannot be reused
    $_SESSION['user'] = $_POST['username'];
}
//Now we have access to $_SESSION['user'] on every page.

On another unrelated page:

session_start();
//Escape the stored username before printing it into the page
print "Welcome, ".htmlspecialchars($_SESSION['user']);
Sam152
+1  A: 

The easiest way to "keep users logged in" is to use PHP sessions. When you run session_start();, PHP sets a cookie with SESSION_ID in the user's browser so it can identify this user. After that, you can set any data in the $_SESSION array, which will be saved in the session between page requests.

Māris Kiseļovs
+1  A: 

The easiest imo is to use a session. Basically this is PHP automatically setting a cookie (or adding a piece to the URL, depending on your configuration) on the user's system and automatically loading it on each pageview. You can then add data to the session and as long as the cookie didn't expire (or was deleted) and/or you don't destroy the session, you will have that data at your disposal on each pageview the user does.

Take a look here for a small intro to sessions: http://www.htmlgoodies.com/beyond/php/article.php/3472581/PHP-Tutorial-Sessions.htm

Blizz
Thank you blizz :)
lucifer
+1  A: 

Let us say we have pages like login.php, after_login_page1.php, after_login_page2.php

You can follow these simple steps

  1. Set $_SESSION['id'] = $userid //userid from db in login.php

  2. Always have session_start() in the successive pages like after_login_page1.php, after_login_page2.php

  3. Check if(! isset($_SESSION['id'])){ header("Location: login.php"); exit; }

  4. At the logout.php page give $_SESSION['id']=''; and do a session_destroy()
nepsdotin
Wow this sounds really simple! Thank you :) If I have followup questions can I ask you?
lucifer
It is really simple if you know how :)
Blizz
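
The four steps from the last answer (set the id at login, session_start() on every page, redirect when the id is missing, destroy at logout) gathered into one include file. This is an added example, not code from any of the answers; the file name auth.php, the function names and the $users array standing in for the database are assumptions, and it needs PHP 7.3 or later.

```php
<?php
// auth.php (hypothetical name): added example, include it at the top of every page.
// Assumption: $users stands in for the database, e.g. this constructed sample record:
//   ['alice' => ['id' => 7, 'hash' => password_hash('s3cret', PASSWORD_DEFAULT)]]
declare(strict_types=1);

function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) { return; }
    session_set_cookie_params([
        'httponly' => true,   // session cookie is not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS (test over TLS)
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

// Step 1: on a successful login, store only the user id in the session.
function login(array $users, string $name, string $password): bool {
    start_session();
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true); // new session id at login, old one is deleted
    $_SESSION['id'] = $user['id'];
    return true;
}

// Steps 2 and 3: call at the top of every page that requires a login.
function require_login(): int {
    start_session();
    if (!isset($_SESSION['id'])) {
        header('Location: login.php');
        exit; // without this the rest of the protected page still runs
    }
    return (int) $_SESSION['id'];
}

// Step 4: empty the session, expire its cookie, destroy the server-side data.
function logout(): void {
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();
}
```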