
This is a tutorial, more or less on principle, for sessions with PHP. I used this chunk of code in my Address Book and Spoke Calculator. The source code is available to download and is more or less put together for you to look at. It's not a working micro site; the components, however, should work.
Here is the workflow that I used:
Step one - Log-in Form:
We need some way to take the users information and pass it on to the next script that will decide if the user may enter.
<form name="form" method="post" action="manage-check.php">
<fieldset>
<legend>Member Login:</legend>
<dl>
<dt>
<label for="myusername">Username:</label>
</dt>
<dd>
<input name="myusername" type="text" id="myusername" />
</dd>
<dt>
<label for="mypassword">Password:</label>
</dt>
<dd>
<input name="mypassword" type="password" id="mypassword" />
</dd>
<dt>
<input type="submit" name="Submit" value="Login"/>
</dt>
</dl>
</fieldset>
</form>
Step 2 - MySQL Code:
We don't need to get into this too much; it's fairly simple.
DROP TABLE IF EXISTS `members`;
CREATE TABLE IF NOT EXISTS `members` (
`id` int(4) NOT NULL AUTO_INCREMENT,
`username` varchar(100) NOT NULL DEFAULT '',
`password` varchar(40) NOT NULL DEFAULT '',
PRIMARY KEY (`id`)
);
Step 3 - Check:
Updated: This portion [sha1($_POST['mypassword'])] was added to reflect the comments posted below in regards to encrypting the password.
sha1 takes data and converts it into a fixed-length hash: a one-way digest (often loosely called encryption) that cannot be turned back into the original password.
apple = d0be2dc421be4fcd0172e5afceea3970e2f3d940
So what I did was assign "$passwordHash" a new value by grabbing the submitted password and running it through sha1 to get the hashed value.
After we submit the login information we need to search the database and make sure that exactly one user comes back. A few users may share a user name or a password, but unless both match on the same row you won't get in. So we use a MySQL "SELECT" with a "WHERE" clause telling our script to look for that user name and password, then we check the number of results returned: if it's equal to 1 it's a match, if not you are rejected. We can count how many results came back with "mysql_num_rows"; it returns a number, and with a simple if statement we get our logic.
e.g. if $numofrows == 1 then set the session; if not, send them to a deny page.
In this little chunk of code we are starting a new session that stores our user name, and once that is done we redirect the user to their goal.
session_register("myusername");
header("location:index.php?title=go");
<?php
session_start();
include_once("config.php");
include_once("open-db.php");
// username and password sent from the login form
$myusername = $_POST['myusername'];
// hash the submitted password so it can be compared with the sha1 value stored at signup
// note: strip_tags() only removes HTML tags; it does not escape quotes, so it is not an
// SQL-injection defence (see the mysql_real_escape_string discussion in the comments below)
$passwordHash = sha1(strip_tags($_POST['mypassword']));
$sql = "SELECT * FROM members WHERE username='$myusername' and password='$passwordHash'";
$rs = mysql_query($sql) or die("Query failed");
// mysql_num_rows counts the rows the query returned
$numofrows = mysql_num_rows($rs);
// If the result matched $myusername and $passwordHash there must be exactly 1 row
if ($numofrows == 1) {
// Yes: register $myusername in the session and redirect to the success page
session_register("myusername");
header("location:index.php?title=go");
exit; // header() does not stop the script, so stop it here
} else {
// No: redirect to the deny page
header("location:index.php?title=deny");
exit;
}
?>
Step 4 - Controller:
This is just as important as the checking script. Every page that is to be "secure" has to have this piece of code in it. It basically checks whether there is a session with the user name set; if so, you are safe. If not, you will be bumped back to the login page once again.
<?php
session_start();
// if no user name was registered at login, send the visitor back to the login page
if (!session_is_registered("myusername")) {
header("location:index.php");
exit; // stop here so the protected page below is never sent
}
?>
Step 5 - Log-out:
All you need to do is link to this piece of code and it will kill the session for you and bump you back to the login window.
<?php
session_start();
// drop all data stored for this session and send the user back to the login page
session_destroy();
header("location:index.php");
exit;
?>
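The five steps above, written as one added example (not the tutorial's own code, and not from the Address Book or Spoke Calculator it mentions) that keeps the same form field names and redirects but swaps in the defensive pieces the tutorial and its comments touch on: a bound parameter instead of string-building the query (what strip_tags cannot do), a salted password hash instead of a bare sha1, a fresh session id after login, and an exit after every redirect. It assumes a PDO connection (the DSN, user and password below are placeholders), that `members.password` was stored with password_hash() at signup, and that the column is wide enough for that output (255 characters; the tutorial's varchar(40) only fits a raw sha1 hex digest).

```php
<?php
// Added example: hardened version of the tutorial's login flow.
// Assumed: a `members` table with `username` and `password` (255 chars, holds
// password_hash() output). DB_*_PLACEHOLDER values must be replaced.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// --- Step 3: check (manage-check.php) ---
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // The username travels as a bound parameter, separate from the SQL text,
    // so a quote inside it cannot change the query. This is the fix the
    // comments are reaching for with mysql_real_escape_string.
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user; same outcome as a wrong password
    }
    // The stored value came from password_hash($plain, PASSWORD_DEFAULT) at
    // signup: salted, so two users with the same password get different
    // hashes, unlike an unsalted sha1() where equal passwords are visible.
    return password_verify($password, $row['password']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['myusername'] ?? '';
    $password = $_POST['mypassword'] ?? '';
    if (checkLogin($pdo, $username, $password)) {
        // Issue a new session id once the user is authenticated so an id that
        // existed before login cannot be reused for the logged-in session.
        session_regenerate_id(true);
        $_SESSION['myusername'] = $username;
        header('Location: index.php?title=go');
    } else {
        header('Location: index.php?title=deny');
    }
    exit; // header() does not end the script; without exit the rest still runs
}

// --- Step 4: controller, included at the top of every secure page ---
function requireLogin(): void
{
    if (empty($_SESSION['myusername'])) {
        header('Location: index.php');
        exit;
    }
}

// --- Step 5: log-out ---
function logout(): void
{
    $_SESSION = [];
    // session_destroy() alone leaves the cookie in the browser, which then
    // keeps sending the old id; expire the cookie as well.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}
```

requireLogin() replaces the Step 4 snippet on each protected page, and a logout link points at a script that calls logout(). Checking $_SESSION directly replaces session_register() and session_is_registered(), which later PHP versions removed.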
Remember, this is more of a fundamental outline than an exact working flow. Learn from it. Don't just take it, plop it in and expect everything to work. Of course you are going to need to know how to create a database and connect to MySQL, so if you can manage that I'm sure you can use this script.
Enjoy.
Resources:
== | means is equal to | 5==8 returns false
If
mysql_num_rows
July 11, 2008 at 5:49 am
I executed the code and found that when I log in and click the back button in the browser, it shows me the login page again. Is there any method to prevent the user from going back to the login page unless they click the logout button?
February 4, 2008 at 2:28 pm
fort - Great observation. People are doing a tutorial and therefore, if they for whatever reason have a table named members, they may have issues. Therefore delete it and create a new one.
February 4, 2008 at 3:56 am
did anyone notice in the sql for the database
DROP TABLE IF EXISTS `members`;
CREATE TABLE IF NOT EXISTS `members` (
`id` int(4) NOT NULL AUTO_INCREMENT,
`username` varchar(100) NOT NULL DEFAULT '',
`password` varchar(40) NOT NULL DEFAULT '',
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
drop table members if exists
then create table member if it doesn't exist
of course it's not going to exist, you just dropped it!
July 5, 2007 at 7:34 pm
1st of all, strip_tags obliterates anything encased in whereas mysql_real_escape_string adds the escapes to prevent SQL injection and leaves things like intact in the database.
2nd of all, strip_tags wasn't really designed to prevent SQL injection attacks.
May 9, 2007 at 1:25 pm
DeepFreeze - What sort of benefits would there be to using "mysql_real_escape_string" instead of "strip_tags"? Don't they both do the same thing?
May 8, 2007 at 9:18 pm
Use mysql_real_escape_string against SQL-injection!
March 15, 2007 at 3:45 pm
Adam Patterson:
If you're going to be using md5 or sha1 then you don't decrypt the password.
You store the md5 encrypted password in the db, then when the user tries to log in the post script encrypts the pass the user typed in, sends the encrypted one and compares the two.