Reputation: 1
I'm pretty new to PHP and I wanted to make a user login system via MySQL. Right now I'm working on the login process. I have a form that accepts a username, and the action is this PHP script:
<?php
session_start();
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
?>
Then, the main page has this:
<?php
if(isset($_SESSION['username']))
echo 'TESTESTEST';
else {
echo '<form action="/login.php" method = "post">';
echo 'Username: <input type="text" name="username" method="post"/>';
echo 'Password: <input type="password" name="password" method="post"/>';
echo '<input type="submit" value="Submit" method="post" />';
echo '</form>';
}
?>
Basically, if the session is set from before, it won't display the username/password box, but rather a message saying TESTESTEST. However, when I showed this page to my friend he also had this message and no login box. How do I make it so there are different sessions stored for each user?
Upvotes: 0
Views: 5661
Reputation: 137272
Sessions are stored per user, so you likely have another problem, such as not calling session_start() on each page. Let me outline a better approach to this problem.
There are a lot of good coding practices illustrated below. The isset() calls prevent E_STRICT warnings from being emitted. The login page will post to itself until the user gets it right, and then redirect to the next page. Any other page will check the authenticated session and, if it is not found, redirect back to the login page with an error message.
As noted below, parts of this code should be put in a global include file that you include on every page.
Good luck.
Login Page: /Login.php
<?php
session_start();
$username = trim(isset($_POST['username']) ? $_POST['username'] : '');
$password = trim(isset($_POST['password']) ? $_POST['password'] : '');
$error = trim(isset($_GET['error']) ? $_GET['error'] : '');
if(! empty($username) || ! empty($password))
{
// Authenticate if any username or password was submitted
// Ideally via query against MySQL
if($username == 'bob' && $password == 'bobpass')
{
$_SESSION['Authenticated'] = true;
$_SESSION['Expires'] = time() + 3600; // good for one hour
$_SESSION['username'] = $username;
// Now, redirect to the user's home page
header('Location: /user/home.php');
exit();
}
else
{
// Oops, bad username/password...
$error = 'Invalid username and/or password';
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login Page</title>
</head>
<body>
<?php if($error) { ?>
<div style="color: red;">
<?php echo htmlspecialchars($error); ?>
</div>
<?php } ?>
<form name="F" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" >
Username: <input type="text" name="username" value="<?php echo htmlspecialchars($username, ENT_QUOTES); ?>" />
Password: <input type="password" name="password" />
<input type="submit" value="Login" />
</form>
</body>
</html>
Any Other Page, needs this code to protect it... For example: /user/home.php
<?php
session_start();
// Following code checks for authenticated session, and either redirects back to
// login page, or allows user in. This should be put in a function and placed
// in a common include file.
if(isset($_SESSION['Authenticated']) && $_SESSION['Authenticated'])
{
//Ok, user was authenticated... Now, check expire time
if($_SESSION['Expires'] < time())
{
header('Location: /Login.php?error=Session+Expired');
exit;
}
// All still OK? Bump up the session expire time to one hour from now...
$_SESSION['Expires'] = time() + 3600; // good for one hour
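}
else
{
// Not authenticated: redirect back to the login page with an error message
header('Location: /Login.php?error=Please+log+in');
exit;
}
?>
... rest of page here ...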
Upvotes: 2
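An added example (not part of the answer above or of any post in this thread): the session check and the login step moved into a common include file, as the answer suggests, with the hard-coded comparison replaced by a parameterized query and password_verify(). The file name auth.php, the users table with its username and password_hash columns, the SESSION_TTL constant and the function names are assumptions.

```php
<?php
// auth.php: added example; include it at the top of every page.
// Assumed (not from the thread): a PDO handle and a `users` table with
// `username` and `password_hash` columns, the hash made by password_hash().

const SESSION_TTL = 3600; // one hour, as in the answer above

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Returns true and marks the session authenticated when the credentials match.
function attempt_login(PDO $db, string $username, string $password): bool
{
    start_session();
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such user

    // Only the hash is compared; the plain-text password is never kept
    // in the database or in $_SESSION.
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once the user is logged in
    $_SESSION['Authenticated'] = true;
    $_SESSION['Expires'] = time() + SESSION_TTL;
    $_SESSION['username'] = $username;
    return true;
}

// Call on every protected page before any output is sent.
function require_login(): void
{
    start_session();
    if (empty($_SESSION['Authenticated'])) {
        header('Location: /Login.php');
        exit;
    }
    if (($_SESSION['Expires'] ?? 0) < time()) {
        $_SESSION = [];      // drop the stale login state
        session_destroy();
        header('Location: /Login.php?error=Session+Expired');
        exit;
    }
    $_SESSION['Expires'] = time() + SESSION_TTL; // sliding one-hour window
}
```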
Reputation: 72971
session_start() needs to be called at the top of every page. Otherwise using $_SESSION variables will result in undefined behavior. As you're noticing.
Upvotes: 4
Reputation: 3532
You have to call session_start() on every page that accesses $_SESSION. It will resume the last session for the user visiting the site. The data for that user won't be replaced until you call session_destroy().
Upvotes: 1