User reg tut question

Posted: Fri Jun 01, 2012 5:16 pm
by shaunthomson
Gidday

I'm working with your user system code, and I'm wondering what's the best practice way to check if the user is logged in on any extra pages you add?

Say you have a 'photos' page that belongs to the user and the user must be logged in to see, how do you know that the user is logged in if they navigate to www.mysite.com/photos.php ?

Thanks for your time and help.

Re: User reg tut question

Posted: Fri Jun 01, 2012 5:45 pm
by Temor
You would check if $_SESSION is set. If $_SESSION is set it means the user is logged in. If it's not, the user is logged out.
You're destroying the session when you log out, so there won't be a $_SESSION variable.
if (isset($_SESSION['user_id'])) {
    echo "Logged In";
} else {
    echo "Not logged in";
}

Re: User reg tut question

Posted: Mon Jun 04, 2012 10:44 am
by shaunthomson
That makes sense Temor. So that check goes on each protected page.

Thanks mate.

Re: User reg tut question

Posted: Mon Jun 04, 2012 2:39 pm
by Temor
Another thing you can do if you have a backend init file is add the check there.
if ($_SESSION['logged_in'] === false) {
    header('Location: index.php');
    exit; // stop here, otherwise the rest of the protected page is still sent after the redirect header
}
this will redirect back to index.php if the user is not logged in.

Edit: This would obviously only work if every page except index is protected :)

Re: User reg tut question

Posted: Mon Jun 04, 2012 2:46 pm
by shaunthomson
Yep - that makes perfect sense.

It's only some of the site (registered user specific) that I want users to be logged in to access, so I'll do the check on each protected page.

Do you have any tuts on adding extra session security, or can you recommend a good one?

Cheers mate.

Re: User reg tut question

Posted: Mon Jun 04, 2012 3:06 pm
by Temor
I'm not really sure what you mean by session security.
As long as you clean any data submitted by users you should be okay.

Re: User reg tut question

Posted: Mon Jun 04, 2012 4:56 pm
by shaunthomson
I'm looking for a good tut on preventing session hijacking and fixation.

Re: User reg tut question

Posted: Mon Jun 04, 2012 5:10 pm
by Temor
Jacek made a tutorial on Session Hijacking for Phpacademy.

Re: User reg tut question

Posted: Mon Jun 04, 2012 5:13 pm
by jacek
When they log in store their IP in the session
$_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'];
then you can check if they still have that IP and log them out if they don't
if ($_SESSION['login_ip'] != $_SERVER['REMOTE_ADDR']){
    // logout here.
}
Simple :)

EDIT: Damn ninjas.

Re: User reg tut question

Posted: Tue Jun 05, 2012 4:47 am
by shaunthomson
Nice - thank you mate.

Re: User reg tut question

Posted: Tue Jun 05, 2012 6:17 am
by shaunthomson
Regarding session_start(); - I have it in the init.inc.php file, and I'm including the init.inc.php file on any pages that need to be checked for logins etc.

I notice that I also have to have session_start(); on the pages that include init.inc.php, otherwise the session vars don't carry. I thought those pages would use the session_start(); that's in the init.inc.php file, but is this not the case?

Thanks for your time and help.

Re: User reg tut question

Posted: Tue Jun 05, 2012 1:31 pm
by jacek
shaunthomson wrote: I notice that I also have to have session_start(); on the pages that include init.inc.php, otherwise the session vars don't carry. I thought those pages would use the session_start(); that's in the init.inc.php file, but is this not the case?
You should not have to have it in both files, maybe you were trying to use a session variable before the file was included ?
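
A consolidated version of the checks discussed in this thread (Temor's login check and redirect, jacek's IP binding, and a single session_start() living in init.inc.php), written as an added example rather than code from the tutorial or from any poster; the function names and cookie settings are my own choices, and it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// init.inc.php (example file, not the tutorial's): every page includes this
// once; protected pages such as photos.php then call require_login().

// Start the session exactly once, however many files include this one.
if (session_status() !== PHP_SESSION_ACTIVE) {
    // Keep the cookie away from JavaScript; 'secure' assumes HTTPS.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call once the password check has succeeded.
function login_user(int $user_id): void
{
    // A fresh ID discards any session ID planted before login (fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'];
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie too, or the browser keeps presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// First line of each protected page.
function require_login(string $redirect = 'index.php'): void
{
    $logged_in = isset($_SESSION['user_id']);

    // IP binding as suggested in the thread. Caveat: mobile and NAT users
    // change address legitimately, so expect some spurious logouts.
    if ($logged_in && ($_SESSION['login_ip'] ?? null) !== $_SERVER['REMOTE_ADDR']) {
        logout_user();
        $logged_in = false;
    }

    if (!$logged_in) {
        header('Location: ' . $redirect);
        exit; // without this the rest of the page is still sent to the client
    }
}
```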

Re: User reg tut question

Posted: Tue Jun 12, 2012 5:04 am
by shaunthomson
I think you're right Jacek. That fixed the prob. Thanks mate.

Re: User reg tut question

Posted: Tue Jun 12, 2012 1:41 pm
by jacek
shaunthomson wrote: I think you're right Jacek. That fixed the prob. Thanks mate.
No problem :D