Difference between revisions of "PHP114"

From mi-linux
Jump to navigationJump to search
Line 142: Line 142:
 
== Put all the parts together ==
 
== Put all the parts together ==
  
'''index.php'''
+
'''Put the following code at the top of every one of your pages, to automatically prompt a user who is not logged in, to login regardless of the page they try to access'''
 +
 
 
  <nowiki>
 
  <nowiki>
<?
 
 
   session_start();
 
   session_start();
 
   if (!isset($_SESSION["loggedIn"]))
 
   if (!isset($_SESSION["loggedIn"]))
Line 150: Line 150:
 
     include ("loginPage.html");
 
     include ("loginPage.html");
 
     exit;
 
     exit;
   }
+
   }</nowiki>
  
 
==Ready to move on?==
 
==Ready to move on?==
 
[[PHP198|PHP198 - Final Thoughts on PHP introduction]]
 
[[PHP198|PHP198 - Final Thoughts on PHP introduction]]

Revision as of 16:53, 20 March 2007

As discussed in the cookies chapter, achieving state in a web based system is critical to the functionality of most modern websites. Cookies are an ideal way to store a small piece of information, but when greater quantities of data (or sensitive data) is required to be held "in state", a more appropriate method would be to use sessions.

Basics of Sessions

Sessions are in essence, the same as cookies in that a series of variables and their associated content can be stored and retrieved between pages. The primary difference is that session variables are stored on the server whereas cookies are stored on the client. A number of advantages can be gained from storing variables on the server:

  1. Secure information (such as passwords) need not be sent backwards and forwards repeatedly between client and server in viewable text format
  2. Using cookies, larger quantities of variables slow down the request/response transaction, as each one needs to be sent with every page move on a given site

So how does the server know which variables belong to which user?

In order to match variables with users, a unique session id is generated and is stored as either a cookie on the browser (if cookie support is enabled) or is sent as part of the URL. Storing as cookies is preferable, as the session id is less likely to be seen by other users.

IMPORTANT NOTE: In order to use sessions, each PHP file that uses sessions has to have the PHP command:

session_start();

at the top of the file

A form based example

Create the following and name the file "page1.php"

<? session_start(); ?>
 <html>
   <head>
     <title>Sessions - Main Page</title>
   </head>
   <body>
 <?
   if (isset($_SESSION["firstName"]))
   {
     echo "<h1>Welcome ".$_SESSION["firstName"]." ".$_SESSION["lastName"]."</h1>";
   }
   else
   {
     echo "<h1>Welcome Visitor - please sign in</h1>";
   }
 ?>
 <p>If you have not visited the <a href="register.php">Registration Page</a>, please do so now.</p>
 </body>
 </html>

And create the registration page and name this "register.php"

<? session_start(); ?>
 <html>
   <head>
     <title>Sessions - Registration Page</title>
   </head>
   <body>
     <form method="post" action="<?= $_SERVER["PHP_SELF"]; ?>">
 <?
   $firstName=""; $lastName="";

   if (isset($_POST["updateDetails"])) // if a request to update the session has been received...
   {
     $_SESSION["firstName"]=$_POST["firstName"];
     $_SESSION["lastName"]=$_POST["lastName"];
     echo "<h1>UPDATED!</h1>";
   }

   if (isset($_SESSION["firstName"])) // if the names are already set in the session...
   {
     $firstName=$_SESSION["firstName"];
     $lastName =$_SESSION["lastName"];
   }
 ?>
     <p>Enter First Name: <input type="text" name="firstName" value="<?= $firstName; ?>"></p>
     <p>Enter Last Name: <input type="text" name="lastName" value="<?= $lastName; ?>"></p>
     <p><input type="submit" name="updateDetails" value="Update"></p>
     </form>
     <p><a href="page1.php">Back to page 1</a></p>
   </body>
 </html>

EXERCISE: try and add some session variables in your site.

Authentication and Sessions Example

Using sessions, we can check at the top of each of our PHP pages, whether or not a user has logged in. If they have not, we can prompt them to login before seeing any content, in a similar fashion to the way the WIKI works.

Design Concepts

1. We need a SESSION variable that holds an indicator of whether or not a user has logged in

2. We need to check that SESSION variable at the top of every page

2.1 If the user has logged in, we can proceed to the rest of the page

2.2 If the user has not logged in, we must prompt them to login

3. We need a login form

4. We need a page that authenticates the user and password

1. & 2. - Our SESSION logged in indicator

 if ($_SESSION["loggedIn"]==true)     // a user has logged in

 if (!isset($_SESSION["loggedIn"]))  // a user has not logged in - the SESSION variable has not been set

 $_SESSION["loggedIn"]=true;     // set when a user is authenticated

2.1 & 2.2 - Making decisions based on the indicator

 if (!isset($_SESSION["loggedIn"]))
 {
   include ("loginPage.html");
   exit;
 }
 // else user is logged in, show rest of page

3. The Login Form (loginPage.html)

 <form action="confirm.php" method="POST">
   <input type="text" name="username">
   <input type="password" name="password">
   <input type="submit" value="Login">
 </form>

4. The Authentication Script

authenticate.php

 <?
   if (isset($_POST["username"]))
   {
     if (($_POST["username"]=="myUser") && ($_POST["password"]=="myPassword)) // VALID LOGIN
     {
       $_SESSION["loggedIn"]=true;
       echo "Successful Login - <a href="index.php">Return to the Homepage</a>
     }
     else // INVALID LOGIN
     {
       echo "wrong username and password - click back to try again";
     }
   }
   else // NO USERNAME ENTERED
   {
     echo "username is blank - click back to try again";
   }
 ?>

Put all the parts together

Put the following code at the top of every one of your pages, to automatically prompt a user who is not logged in, to login regardless of the page they try to access

   session_start();
   if (!isset($_SESSION["loggedIn"]))
   {
     include ("loginPage.html");
     exit;
   }

Ready to move on?

PHP198 - Final Thoughts on PHP introduction