2

When a user logs in to a website, what method is the best to authenticate the session? For example, does setting a variable in $_SESSION that is checked, and if it is set the user is logged in, work? I was reading this tutorial and they have if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username'])) and if this returns true the user is shown the contents of the page. Is this how it's done?

Celeritas
  • Better question for stackoverflow I think – Brian Adkins Jan 18 '13 at 01:18
  • 1
    possible duplicate of [How to create sessions using PHP?](http://stackoverflow.com/questions/5191121/how-to-create-sessions-using-php), see also http://stackoverflow.com/questions/1535697/how-does-php-sessions-work-not-how-are-they-used – Wesley Murch Jan 18 '13 at 01:32

3 Answers

4

Yup, that's the general idea.

After setting $_SESSION['LoggedIn'] to TRUE elsewhere (on the login page), you'll check $_SESSION['LoggedIn'] to see if it's TRUE; if so, display the content.

Paul Dessert
  • Is it ok to have the value 'LoggedIn', shouldn't it be the hash of the password or something? Or is this not necessary since sessions reside on the server so they are hard to tamper with? – Celeritas Jan 18 '13 at 01:41
  • You validate the user upon login. Then set the session to TRUE. The session (in theory) is hard to tamper with. – Paul Dessert Jan 18 '13 at 01:46
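
The flow discussed in the answer and comments above, as an added example that is not part of the thread: the password hash is only consulted at login, and the session then carries the flag the protected page checks. `$users` is a constructed in-memory stand-in for a user table, and `attemptLogin()`, `isLoggedIn()` and `logout()` are hypothetical helper names.

```php
<?php
// Constructed sample account store; a real site would read this from its user table.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

session_start([
    'cookie_httponly' => true,  // session cookie is not readable from page scripts
    'cookie_samesite' => 'Lax', // requires PHP 7.3 or later
    'use_strict_mode' => true,  // ignore session IDs the server did not issue
]);

// Validate the credentials once, then record the result in the session.
function attemptLogin(array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);        // new ID after login, old session data deleted
    $_SESSION['LoggedIn'] = true;       // the flag lives server-side, not in the cookie
    $_SESSION['Username'] = $username;
    return true;
}

// The check from the question: both values must be present and non-empty.
function isLoggedIn(): bool
{
    return !empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']);
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Login form handler and page guard in one file for brevity.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (is_string($u) && is_string($p)) {
        attemptLogin($users, $u, $p);
    }
}
if (!isLoggedIn()) {
    http_response_code(401);
    exit('Please log in.');
}
echo 'Hello, ' . htmlspecialchars($_SESSION['Username'], ENT_QUOTES, 'UTF-8');
```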
0

I agree with @relentless. However I prefer if you store the information inside the database.

Assuming that you have a table called user with a tinyint column logged_in. Whenever the user has successfully logged in, update the column value to 1. Upon logging out, change it to 0.

Community
Rashidi Zin
0

Yes, and I would recommend looking a little into PHP and some of the predefined variables like $_POST and $_SESSION here: http://php.net/manual/en/reserved.variables.php. And functions like isset() and empty(), and maybe some HTML forms.

june1992