PHP114

From mi-linux
Revision as of 15:51, 29 June 2016 by In9352 (talk | contribs)
Jump to navigationJump to search

Main Page >> Web Application Development >> Workbook >> Sessions

As discussed in the cookies chapter, achieving state in a web based system is critical to the functionality of most modern websites. Cookies are an ideal way to store a small piece of information, but when greater quantities of data (or sensitive data) is required to be held "in state", a more appropriate method would be to use sessions.

Basics of Sessions

Sessions are in essence, the same as cookies in that a series of variables and their associated content can be stored and retrieved between pages. The primary difference is that session variables are stored on the server whereas cookies are stored on the client. A number of advantages can be gained from storing variables on the server:

  1. Secure information (such as passwords) need not be sent backwards and forwards repeatedly between client and server in viewable text format
  2. Using cookies, larger quantities of variables slow down the request/response transaction, as each one needs to be sent with every page move on a given site

So how does the server know which variables belong to which user?

In order to match variables with users, a unique session id is generated and is stored as either a cookie on the browser (if cookie support is enabled) or is sent as part of the URL. Storing as cookies is preferable, as the session id is less likely to be seen by other users.

IMPORTANT NOTE: In order to use sessions, each PHP file that uses sessions has to have the PHP command:

session_start();

at the top of the file

A form based example

Create the following and name the file "page1.php"

<?php session_start(); ?>
 <html>
   <head>
     <title>Sessions - Main Page</title>
   </head>
   <body>
 <?php
   if (isset($_SESSION["firstName"])) {
     echo "<h1>Welcome ".$_SESSION["firstName"]." ".$_SESSION["lastName"]."</h1>";
   } else {
     echo "<h1>Welcome Visitor - please sign in</h1>";
   }
 ?>
 <p>If you have not visited the <a href="register.php">Registration Page</a>, please do so now.</p>
 </body>
 </html>

And create the registration page and name this "register.php"

<?php session_start(); ?>
 <html>
   <head>
     <title>Sessions - Registration Page</title>
   </head>
   <body>
     <form method="post" action="<?= $_SERVER["PHP_SELF"]; ?>">
 <?php
   $firstName = ""; $lastName = "";

   if (isset($_POST["updateDetails"])) { // if a request to update the session has been received...
     $_SESSION["firstName"] = $_POST["firstName"];
     $_SESSION["lastName"] = $_POST["lastName"];
     echo "<h1>UPDATED!</h1>";
   }

   if (isset($_SESSION["firstName"])) { // if the names are already set in the session...
     $firstName = $_SESSION["firstName"];
     $lastName = $_SESSION["lastName"];
   }
 ?>
     <p>Enter First Name: <input type="text" name="firstName" value="<?= $firstName; ?>"></p>
     <p>Enter Last Name: <input type="text" name="lastName" value="<?= $lastName; ?>"></p>
     <p><input type="submit" name="updateDetails" value="Update"></p>
     </form>
     <p><a href="page1.php">Back to page 1</a></p>
   </body>
 </html>

EXERCISE: try and add some session variables in your site.

Authentication and Sessions Example

Using sessions, we can check at the top of each of our PHP pages, whether or not a user has logged in. If they have not, we can prompt them to login before seeing any content, in a similar fashion to the way the WIKI works.

Design Concepts

1. We need a SESSION variable that holds an indicator of whether or not a user has logged in

2. We need to check that SESSION variable at the top of every page

2.1 If the user has logged in, we can proceed to the rest of the page

2.2 If the user has not logged in, we must prompt them to login

3. We need a login form

4. We need a page that authenticates the user and password

1. & 2. - Our SESSION logged in indicator

 if ($_SESSION["loggedIn"] == true)     // a user has logged in

 if (!isset($_SESSION["loggedIn"]))  // a user has not logged in - the SESSION variable has not been set

 $_SESSION["loggedIn"] = true;     // set when a user is authenticated

2.1 & 2.2 - Making decisions based on the indicator

 if (!isset($_SESSION["loggedIn"])) {
   include ("loginPage.html");
   exit;
 }
 // else user is logged in, show rest of page

3. The Login Form

loginPage.html

 <form action="confirm.php" method="POST">
   <input type="text" name="username">
   <input type="password" name="password">
   <input type="submit" value="Login">
 </form>

4. The Authentication Script

confirm.php

 <?php
   if (isset($_POST["username"])) {
     if (($_POST["username"] == "myUser") && ($_POST["password"] == "myPassword")) { // VALID LOGIN
       $_SESSION["loggedIn"] = true;
       echo "Successful Login - <a href=\"index.php\">Return to the Homepage</a>";
     } else { // INVALID LOGIN
       echo "wrong username and password - click back to try again";
     }
   } else { // NO USERNAME ENTERED
     echo "username is blank - click back to try again";
   }
?>

Put all the parts together

Put the following code at the top of every one of your pages, to automatically prompt a user who is not logged in, to login regardless of the page they try to access

   session_start();
   if (!isset($_SESSION["loggedIn"])) {
     include ("loginPage.html");
     exit;
   }

Ready to move on?

PHP198 - Final Thoughts on PHP introduction