
question about sessions

Posted: Fri Mar 09, 2012 9:45 am
by beginner123
This topic moved to PHP - Code forum by moderator. You are asking a question about PHP coding, not Security.
Not sure if this is in the right section, but since sessions are about security I thought this is the right place.
Anyway, I'm making a forum and everything is working fine, but I need to add sessions and I'm not sure where exactly to put the sessions :?
Does it need to go in the sign in and sign out pages?
I have this code for the sessions:

Code:

//creating session
session_start();  
if(isset($_SESSION['views']))
    $_SESSION['views'] = $_SESSION['views']+ 1;
else
    $_SESSION['views'] = 1;
echo "views = ". $_SESSION['views']; 

//ending session
session_start();  
if(isset($_SESSION['cart']))
    unset($_SESSION['cart']); 
I can post any code if you need to see it

Re: question about sessions

Posted: Fri Mar 09, 2012 2:07 pm
by requinix
Normally you use sessions to do something, not just have sessions for the sake of having sessions.

So what are you trying to do with them?

Re: question about sessions

Posted: Fri Mar 09, 2012 3:01 pm
by beginner123
I need them so when a person signs in then closes the forum they shouldn't still be signed in. I want it to sign them out automatically

Re: question about sessions

Posted: Fri Mar 09, 2012 4:03 pm
by requinix
Store whatever information you need (like the username) in the session. Unless configured otherwise the session will be destroyed* when the user closes the browser.
If the information is there then you use it to know who's logged in and whatever. If not then you force them to log in. Thus you do this checking stuff whenever you need to know who the current user is - which should be just about everywhere.

* Technically no but effectively yes.
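
Added example (not part of requinix's post or the thread's code): one way to store the login in the session and check it on every page, as described above. It assumes PHP 7.1 or later; the session keys follow the signin.php posted later in this thread, and complete_sign_in(), current_user() and require_sign_in() are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Session keys match the signin.php in
// this thread; the three function names are hypothetical.

// Call once the username/password check has succeeded, with the matching users row.
function complete_sign_in(array $row): bool
{
    // Levels 0 and 1 may sign in (as in signin.php); anything else is refused
    // before any login state is written to the session.
    if (!in_array((int) $row['userLevel'], [0, 1], true)) {
        return false;
    }
    // Issue a fresh session ID at the moment of login so an ID that was set or
    // seen before authentication cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['signed_in'] = true;
    $_SESSION['userID']    = (int) $row['userID'];
    $_SESSION['userName']  = $row['userName'];
    $_SESSION['userLevel'] = (int) $row['userLevel'];
    return true;
}

// Returns the signed-in user's session data, or null for a guest.
function current_user(): ?array
{
    if (empty($_SESSION['signed_in']) || !isset($_SESSION['userID'])) {
        return null;
    }
    return [
        'userID'    => $_SESSION['userID'],
        'userName'  => $_SESSION['userName'],
        'userLevel' => $_SESSION['userLevel'],
    ];
}

// Put at the top of every page that needs a known user.
function require_sign_in(): array
{
    $user = current_user();
    if ($user === null) {
        header('Location: signin.php'); // guests are sent to the login form
        exit;
    }
    return $user;
}

session_start();
$user = require_sign_in();
// Escape on output so markup in a username is shown as text, not rendered.
echo 'Hello, ' . htmlspecialchars($user['userName'], ENT_QUOTES, 'UTF-8');
```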

Re: question about sessions

Posted: Sat Mar 10, 2012 9:59 am
by beginner123
OK, how do I store the username in a session? I just have start_session; in the signin page and session_start; session_destory in the signout page
I took out the code about the number of views.
Here's my sign in page:

Code:

<?php 
session_start();  

//signin.php
include 'connect.php';
include 'header.php';

echo '<h3>Sign in</h3><br />';

//first, check if the user is already signed in
if(isset($_SESSION['signed_in']) && $_SESSION['signed_in'] == true)
{
	echo 'You are already signed in, you can <a href="signout.php">sign out</a> if you want.';
}
else
{
	if($_SERVER['REQUEST_METHOD'] != 'POST')
	{
		//the form hasn't been posted yet, display it
		echo '<form method="post" action="">
			Enter Username: <input type="text" name="userName" /><br />
			Enter Password: <input type="password" name="userPassword"><br /><br/>
			<input type="submit" value="Sign in" />
		 </form>';
	}
	else
	{
		$errors = array(); // declare the array for the errors
		
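		//isset() alone is true for an empty string, so check for that as well
		if(!isset($_POST['userName']) || $_POST['userName'] === '')
		{
			$errors[] = 'The username field must not be empty.';
		}
		
		if(!isset($_POST['userPassword']) || $_POST['userPassword'] === '')
		{
			$errors[] = 'The password field must not be empty.';
		}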
		
		if(!empty($errors)) 
		{
			echo 'A couple of fields are not filled in correctly<br /><br />';
			echo '<ul>';
			foreach($errors as $key => $value) //check array
			{
				echo '<li>' . $value . '</li>'; //make error list
			}
			echo '</ul>';
		}
		else
		{
			//mysql_real_escape_string is to keep the data safe
			//the sha1 function hashes the password
			$sql = "SELECT 
					userID,
					userName,
					userLevel
					FROM
						users
					WHERE
						userName = '" . mysql_real_escape_string($_POST['userName']) . "' 
					AND
						userPassword = '" . sha1($_POST['userPassword']) . "'";
						
			$result = mysql_query($sql);
			if(!$result)
			{
				echo 'Something went wrong while signing in. Please try again later.';
				//echo mysql_error(); 
			}
			else
			{
				//the query returned an empty result so the data was wrong
				if(mysql_num_rows($result) == 0)
				{
					echo 'You have supplied a wrong user/password combination. <a href="signin.php">Please try again</a>.';
				
				}
				
				else
				{
					//sign in successful
					$_SESSION['signed_in'] = true;
					
					while($row = mysql_fetch_assoc($result))
					{
						$_SESSION['userID'] 	= $row['userID'];
						$_SESSION['userName'] 	= $row['userName'];
						$_SESSION['userLevel'] = $row['userLevel'];
					}
					if($_SESSION['userLevel'] == 1 || $_SESSION['userLevel'] == 0) //can only sign in if they are admin or normal user
					{
						//escape the name so markup in a username is not rendered
						echo 'Welcome, ' . htmlspecialchars($_SESSION['userName']) . '. <br /><a href="index.php">Return to home page</a>.<br/>';
					}
					
					else
					{
						//the userLevel is 3 which means they are banned
						$_SESSION['signed_in'] = NULL;
						//the user is banned - can't sign in
						echo 'You have been banned from this forum. You can no longer make topics or posts';
						
					}
					
				}
			
			}
		}
	}
}

include 'footer.php';
?>
and sign out page:

Code:

<?php 
session_start;
session_destory;
//signout.php
include 'connect.php';
include 'header.php';

echo '<h2>Sign out</h2>';

//check if user is signed in first
if($_SESSION['signed_in'] == true)
{
	//all variables to null to sign out
	$_SESSION['signed_in'] = NULL;
	$_SESSION['userName'] = NULL;
	$_SESSION['userID']   = NULL;

	echo 'Succesfully signed out, thank you for visiting.';

}
else
{
	echo 'You are not signed in. Would you <a href="signin.php">like to</a>?';
}
include 'footer.php';


?>

Re: question about sessions

Posted: Sat Mar 10, 2012 10:15 am
by Celauran
It's session_start(), not session_start, and it's session_destroy(), not session_destory

Re: question about sessions

Posted: Sat Mar 10, 2012 10:54 am
by beginner123
ok thanks but it doesn't work. I got this message:
Fatal error: Call to undefined function session_destory() in C:\wamp\www\project\signout.php on line 3

Re: question about sessions

Posted: Sat Mar 10, 2012 10:56 am
by Celauran
Because it's destroy, not destory

Re: question about sessions

Posted: Sat Mar 10, 2012 2:34 pm
by beginner123
Thanks, what a stupid mistake :lol:
But it still doesn't sign the user out when I close the forum

Re: question about sessions

Posted: Sat Mar 10, 2012 7:13 pm
by califdon
Are you saying that you are logging their status in a database? Do you have a reason for doing that?

Re: question about sessions

Posted: Sun Mar 11, 2012 12:24 pm
by beginner123
I'm not sure what you mean. I just want to start a session when a user signs in and end it when the user logs off or exits the website

Re: question about sessions

Posted: Sun Mar 11, 2012 1:16 pm
by califdon
beginner123 wrote: it still doesn't sign the user out when I close the forum
That sounded to me like you might be maintaining their status in a database. If you're not doing that, what is it that causes you to think that they are still "logged in" after they have closed their browser? Are you using a client-side cookie to store their login status? The session on the server is effectively ended if they close their browser, because the next time they attempt to connect, it will be a different session.

Re: question about sessions

Posted: Sun Mar 11, 2012 1:36 pm
by beginner123
I know they are still logged in because I have a userbar that says hello 'username' when someone signs in. When I exit the website then go back in it still says hello 'username'. I didn't write any code for cookies so I don't know if it's storing their login status

Re: question about sessions

Posted: Sun Mar 11, 2012 2:31 pm
by Celauran
Are you closing the browser tab (session is still alive) or closing the browser altogether (session dies)?

Re: question about sessions

Posted: Sun Mar 11, 2012 4:37 pm
by beginner123
I want to kill the session for both
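
Added example (not part of the thread): closing a tab sends nothing to the server, so ending the login in both cases takes a cookie that lasts only for the browser session plus an idle limit enforced on the server. It assumes PHP 7.3 or later; IDLE_LIMIT, its 15-minute value, start_forum_session() and sign_out() are hypothetical.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, start_forum_session()
// and sign_out() are hypothetical names; 15 minutes is an assumed value.
const IDLE_LIMIT = 900; // seconds of inactivity before the server drops the login

function sign_out(): void
{
    $_SESSION = [];                       // clear data for the rest of this request
    if (ini_get('session.use_cookies')) { // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // delete the server-side session data
}

function start_forum_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: discarded when the browser exits
        'path'     => '/',
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // add 'secure' => true when served over HTTPS
    ]);
    session_start();

    // Closing a tab sends nothing to the server, and browsers that restore the
    // previous session can keep a "session" cookie, so enforce the limit here.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        sign_out();
        session_start();              // continue as a guest with an empty session
        session_regenerate_id(true);  // and with a new session ID
    }
    $_SESSION['last_seen'] = $now;
}

start_forum_session();        // first line of every page, in place of session_start()
```

On signout.php, call start_forum_session() and then sign_out() before any output is sent.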