PHP114
As discussed in the cookies chapter, maintaining state in a web-based system is critical to the functionality of most modern websites. Cookies are an ideal way to store a small piece of information, but when greater quantities of data (or sensitive data) are required to be held "in state", a more appropriate method is to use sessions.
Basics of Sessions
Sessions are, in essence, the same as cookies in that a series of variables and their associated content can be stored and retrieved between pages. The primary difference is that session variables are stored on the server, whereas cookies are stored on the client. A number of advantages can be gained from storing variables on the server:
- Secure information (such as passwords) need not be sent backwards and forwards repeatedly between client and server in readable plain text
- With cookies, larger quantities of variables slow down the request/response transaction, because every cookie is sent with every page request on a given site; with sessions only the session id travels with each request
So how does the server know which variables belong to which user?
In order to match variables with users, a unique session id is generated and is stored either as a cookie on the browser (if cookie support is enabled) or is sent as part of the URL. Storing it as a cookie is preferable, as a session id carried in the URL is far more likely to be seen by other users (it ends up in links, browser history and server logs).
IMPORTANT NOTE: In order to use sessions, each PHP file that uses sessions has to have the PHP command:
session_start();
at the top of the file, before any HTML or other output is sent (the session cookie is set in the HTTP headers, which cannot be sent once output has started).
A form based example
Create the following and name the file "page1.php"
<?php session_start(); ?>
<html>
<head>
<title>Sessions - Main Page</title>
</head>
<body>
<?php
if (isset($_SESSION["firstName"])) {
    // htmlspecialchars() stops a stored name from being rendered as HTML or script
    echo "<h1>Welcome " . htmlspecialchars($_SESSION["firstName"]) . " "
        . htmlspecialchars($_SESSION["lastName"]) . "</h1>";
} else {
    echo "<h1>Welcome Visitor - please sign in</h1>";
}
?>
<p>If you have not visited the <a href="register.php">Registration Page</a>, please do so now.</p>
</body>
</html>
And create the registration page and name this "register.php"
<?php session_start(); ?>
<html>
<head>
<title>Sessions - Registration Page</title>
</head>
<body>
<form method="post" action="<?= htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
<?php
$firstName = "";
$lastName  = "";
if (isset($_POST["updateDetails"])) {
    // a request to update the session has been received...
    $_SESSION["firstName"] = $_POST["firstName"] ?? "";
    $_SESSION["lastName"]  = $_POST["lastName"] ?? "";
    echo "<h1>UPDATED!</h1>";
}
if (isset($_SESSION["firstName"])) {
    // the names are already set in the session...
    $firstName = $_SESSION["firstName"];
    $lastName  = $_SESSION["lastName"];
}
?>
<p>Enter First Name: <input type="text" name="firstName" value="<?= htmlspecialchars($firstName); ?>"></p>
<p>Enter Last Name: <input type="text" name="lastName" value="<?= htmlspecialchars($lastName); ?>"></p>
<p><input type="submit" name="updateDetails" value="Update"></p>
</form>
<p><a href="page1.php">Back to page 1</a></p>
</body>
</html>
EXERCISE: try to add some session variables to your site.
Authentication and Sessions Example
Using sessions, we can check at the top of each of our PHP pages whether or not a user has logged in. If they have not, we can prompt them to log in before seeing any content, in a similar fashion to the way the WIKI works.
Design Concepts
1. We need a SESSION variable that holds an indicator of whether or not a user has logged in
2. We need to check that SESSION variable at the top of every page
2.1 If the user has logged in, we can proceed to the rest of the page
2.2 If the user has not logged in, we must prompt them to login
3. We need a login form
4. We need a page that authenticates the user and password
1. & 2. - Our SESSION logged in indicator
if ($_SESSION["loggedIn"] == true)   // a user has logged in

if (!isset($_SESSION["loggedIn"]))   // a user has not logged in - the SESSION variable has not been set

$_SESSION["loggedIn"] = true;        // set when a user is authenticated
2.1 & 2.2 - Making decisions based on the indicator
if (!isset($_SESSION["loggedIn"])) {
    include("loginPage.html");
    exit;
}
// else user is logged in, show rest of page
3. The Login Form
loginPage.html
<form action="confirm.php" method="POST">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" value="Login">
</form>
4. The Authentication Script
confirm.php
<?php
session_start();   // required here too, otherwise the loggedIn flag is never saved
if (isset($_POST["username"], $_POST["password"])) {
    if (($_POST["username"] === "myUser") && ($_POST["password"] === "myPassword")) {
        // VALID LOGIN
        $_SESSION["loggedIn"] = true;
        echo 'Successful Login - <a href="index.php">Return to the Homepage</a>';
    } else {
        // INVALID LOGIN
        echo "wrong username and password - click back to try again";
    }
} else {
    // NO USERNAME ENTERED
    echo "username is blank - click back to try again";
}
?>
Put all the parts together
Put the following code at the top of every one of your pages to automatically prompt a user who is not logged in to log in, regardless of the page they try to access:
session_start();
if (!isset($_SESSION["loggedIn"])) {
    include("loginPage.html");
    exit;
}
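The authentication script above compares the submitted password with a plaintext constant and keeps whatever session id the browser arrived with. The following is an added example, not code from the course page, of a hardened confirm.php plus the per-page gate: it locks the session id to a cookie, issues a fresh id on login, and verifies against a password hash. It assumes the site is served over HTTPS; the user "myUser" and the hash generated at startup are constructed for demonstration only.

```php
<?php
// Added example, not part of the course page: a hardened confirm.php together
// with the per-page login gate. Cookie/session settings must precede session_start().
ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
session_set_cookie_params([
    'httponly' => true,   // id not readable by page JavaScript
    'secure'   => true,   // id only sent over HTTPS (assumed here)
    'samesite' => 'Lax',
]);
session_start();

// Constructed credential store: username => password hash, never the plaintext.
// For demonstration the hash is generated here; in practice password_hash() runs
// once at registration and the result is stored.
$users = ['myUser' => password_hash('myPassword', PASSWORD_DEFAULT)];

// Gate for the top of every protected page (same role as the snippet above).
function loginGate(): void
{
    if (empty($_SESSION['loggedIn'])) {
        include 'loginPage.html';
        exit;
    }
}

function authenticate(array $users, string $username, string $password): bool
{
    // Verify against a throwaway hash when the user is unknown, so response
    // time does not reveal which usernames exist.
    $hash = $users[$username] ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id on login defeats session fixation
    $_SESSION['loggedIn'] = true;
    $_SESSION['username'] = $username;
    return true;
}

$u = $_POST['username'] ?? null;
$p = $_POST['password'] ?? null;
if (!is_string($u) || !is_string($p) || $u === '') {   // rejects arrays and blanks
    echo 'username is blank - click back to try again';
} elseif (authenticate($users, $u, $p)) {
    echo 'Successful Login - <a href="index.php">Return to the Homepage</a>';
} else {
    echo 'wrong username or password - click back to try again';
}
```

Because session.use_only_cookies is on, a browser with cookies disabled cannot log in at all, which is the intended trade-off: the fallback of carrying the id in the URL is what exposes it to other users.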