User reg tut question

Post here if you are having problems with any of the tutorials.
shaunthomson
Posts: 19
Joined: Mon Nov 28, 2011 11:53 am

User reg tut question

Post by shaunthomson »

Gidday

I'm working with your user system code, and I'm wondering what's the best practice way to check if the user is logged in on any extra pages you add?

Say you have a 'photos' page that belongs to the user and the user must be logged in to see, how do you know that the user is logged in if they navigate to www.mysite.com/photos.php ?

Thanks for your time and help.
Temor
Posts: 1186
Joined: Thu May 05, 2011 8:04 pm

Re: User reg tut question

Post by Temor »

You would check if $_SESSION is set. If $_SESSION is set it means the user is logged in. If it's not, the user is logged out.
You're destroying the session when you log out, so there won't be a $_SESSION variable.
if (isset($_SESSION['user_id'])) {
    echo "Logged In";
} else {
    echo "Not logged in";
}
shaunthomson
Posts: 19
Joined: Mon Nov 28, 2011 11:53 am

Re: User reg tut question

Post by shaunthomson »

That makes sense Temor. So that check goes on each protected page.

Thanks mate.
Temor
Posts: 1186
Joined: Thu May 05, 2011 8:04 pm

Re: User reg tut question

Post by Temor »

Another thing you can do if you have a backend init file is add the check there.
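if ($_SESSION['logged_in'] === false) {
    // Not logged in: send the visitor back to the index page.
    header('Location: index.php');
    exit; // stop here so the rest of the page does not run
}
This will redirect back to index.php if the user is not logged in.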

Edit; This would obviously only work if every page except index is protected :)
shaunthomson
Posts: 19
Joined: Mon Nov 28, 2011 11:53 am

Re: User reg tut question

Post by shaunthomson »

Yep - that makes perfect sense.

It's only some of the site (registered user specific) that I want users to be logged in to access, so I'll do the check on each protected page.

Do you have any tuts on adding extra session security, or can you recommend a good one?

Cheers mate.
Temor
Posts: 1186
Joined: Thu May 05, 2011 8:04 pm

Re: User reg tut question

Post by Temor »

I'm not really sure what you mean by session security.
As long as you clean any data submitted by users you should be okay.
shaunthomson
Posts: 19
Joined: Mon Nov 28, 2011 11:53 am

Re: User reg tut question

Post by shaunthomson »

I'm looking for a good tut on preventing session hijacking and fixation.
Temor
Posts: 1186
Joined: Thu May 05, 2011 8:04 pm

Re: User reg tut question

Post by Temor »

Jacek made a tutorial on Session Hijacking for Phpacademy.


jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: User reg tut question

Post by jacek »

When they log in, store their IP in the session:
$_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'];
Then you can check if they still have that IP and log them out if they don't:
if ($_SESSION['login_ip'] != $_SERVER['REMOTE_ADDR']){
    // logout here.
}
Simple :)

EDIT: Damn ninjas.
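
An added example, not code from the tutorial or from any poster in this thread: an init.inc.php that combines the checks discussed above (the `user_id` test, the redirect, and the login-IP comparison) and regenerates the session ID at login to address fixation. The function names `on_login`, `log_out` and `require_login` are hypothetical, and it assumes PHP 7.3 or later on a site served over HTTPS.

```php
<?php
// init.inc.php (added example; function names are hypothetical)

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'httponly' => true,  // cookie is not readable from JavaScript
    'secure'   => true,  // assumption: the site is served over HTTPS
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
session_start();

// Call once, right after the password check succeeds.
function on_login(int $user_id): void
{
    // New ID at login: an ID planted before login (fixation) stops working.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'];
}

// Clear the session data, expire the cookie, and destroy the session.
function log_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of each protected page, e.g. photos.php.
function require_login(): void
{
    $logged_in = isset($_SESSION['user_id'], $_SESSION['login_ip']);
    if ($logged_in && $_SESSION['login_ip'] === $_SERVER['REMOTE_ADDR']) {
        return; // session is valid, let the page render
    }
    if ($logged_in) {
        log_out(); // IP changed since login: drop the session
    }
    header('Location: index.php');
    exit; // without this the rest of the protected page still runs
}
```

Binding to REMOTE_ADDR also logs out legitimate users whose address changes mid-session (mobile networks, some proxies), and it cannot tell apart two clients behind one shared address.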
shaunthomson
Posts: 19
Joined: Mon Nov 28, 2011 11:53 am

Re: User reg tut question

Post by shaunthomson »

Nice - thank you mate.
shaunthomson
Posts: 19
Joined: Mon Nov 28, 2011 11:53 am

Re: User reg tut question

Post by shaunthomson »

Regarding session_start(); - I have it in the init.inc.php file, and I'm including the init.inc.php file on any pages that need to be checked for logins etc.

I notice that I also have to have session_start(); on the pages that include init.inc.php, otherwise the session vars don't carry. I thought those pages would use the session_start(); that's in the init.inc.php file, but is this not the case?

Thanks for your time and help.
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: User reg tut question

Post by jacek »

shaunthomson wrote: I notice that I also have to have session_start(); on the pages that include init.inc.php, otherwise the session vars don't carry. I thought those pages would use the session_start(); that's in the init.inc.php file, but is this not the case?
You should not have to have it in both files; maybe you were trying to use a session variable before the file was included?
shaunthomson
Posts: 19
Joined: Mon Nov 28, 2011 11:53 am

Re: User reg tut question

Post by shaunthomson »

I think you're right Jacek. That fixed the prob. Thanks mate.
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: User reg tut question

Post by jacek »

shaunthomson wrote: I think you're right Jacek. That fixed the prob. Thanks mate.
No problem :D