I recently learned how to make a registration form and a login form, and I've done my first work with sessions. Yet I'm getting more confused every day.

Let's start with my login page at mysite/admin/login/index.php. The following code is near the top of the page:

<?php session_start(); ?>

A form on the page sends the person logging in to login-submit.php. The same session code is near the top of that page:

<?php session_start(); ?>

I also have a database-driven quiz at mysite/test/gw-intro1. After you select all the questions and click the Submit button, you're forwarded to mysite/test/grade.php, where you can see your score. If you're logged in, your username and score should also be inserted in the database.

But how are the pages in the test section (mysite/test) supposed to know I logged in at a different section (mysite/admin)? Do I need to put session_start() at the top of every page on my site?

In fact, my test page did somehow "know" if a user was logged in, though I haven't been able to get the username into the database, just the test scores. But something went wrong, and the test doesn't know when I'm logged in now.

My session_start() code also triggers endless error messages, though I'd better save that for another post. Right now, I'd just like to know how to make the pages at mysite/test/gw-intro-1 and mysite/grade.php "aware" that the person selecting answers is logged in.

halfer
  • _"Do I need to put session_start() at the top of every page on my site?"_ - yes, or in a file that is included at the start. – halfer Jan 27 '15 at 00:00
  • _"But how are the pages in the test section ... supposed to know I logged in at a different section?"_ - this doesn't usually matter in most apps, but if it does in yours, just save the location string (`mysite/test`) in a session variable when the user logs in. – halfer Jan 27 '15 at 00:01
  • Re-reading your post, I am not sure if **where** they logged in is of interest to you (i.e. on which page). If you just want a session-enabled page to know that you are logged in, and who you are, set a session var called `logged_in_user` (or whatever) to the username that has just authenticated. When the user logs out, `unset()` it. – halfer Jan 27 '15 at 00:04
  • @halfer - Can you show me how to write the code for the session var you referred to? I don't know if I should post my code again, but you can see it @ http://stackoverflow.com/questions/28160281/best-way-to-echo-a-username-on-every-page-with-sessions In other news, I just posted the session_start() code at the top of the static index page at the head of my section, and it still doesn't work. –  Jan 27 '15 at 00:14
  • http://stackoverflow.com/questions/1535697/how-do-php-sessions-work-not-how-are-they-used – deceze Jan 27 '15 at 01:05
  • Added, below. This is rather broad though, and is basically "how do I use sessions?". I have a tutorial in my profile for this sort of thing - it shows how to apply best practices to login and session handling, in the context of a database application. – halfer Jan 27 '15 at 01:32
  • Sessions and corresponding cookies are handled per domain which means if you host multiple applications on the same domain and don't set path restrictions they will be available to all your applications on the same domain. –  Jan 27 '15 at 01:40

1 Answer

As an addendum to my comments, on the login page. Some of this uses pretend methods that you'll need to swap out yourself, but it gives the general idea.

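session_start();
if ($_POST)
{
    // The username and password supplied by the user
    // (default to empty strings so a missing field does not raise a notice)
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // Get password hash from database based on $username
    // ($database and $hasher are the pretend objects; swap in your own code)
    $passwordHash = $database->getHash($username);
    $passwordHashMatch = $hasher->run($password) === $passwordHash;

    if ($passwordHashMatch)
    {
        // Issue a fresh session ID at login so a pre-login ID cannot be reused
        session_regenerate_id(true);
        $_SESSION['logged_in_user'] = $username;
        // Redirect to home page
        // Stop here so the "wrong password" branch below does not also run
        exit;
    }

    // Password was wrong
    // Redirect to login.php?wrong=1 so it can render a message
    header('Location: login.php?wrong=1');
    exit;
}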

All of your pages can check for $_SESSION['logged_in_user'] (e.g. in a navbar or menu) so that your signed in/out status can be rendered.

halfer
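A shared include is one way to make pages under mysite/test see a login performed under mysite/admin, as described in the answer and comments above. This is an added example, not code from the original answer; the file name `session_bootstrap.php`, the function names and the `scores` table are hypothetical, and the `secure` cookie flag assumes the site is served over HTTPS.

```php
<?php
// session_bootstrap.php (hypothetical name). Require it at the top of every
// page, before any output, e.g. in mysite/test/grade.php:
//     require __DIR__ . '/../session_bootstrap.php';

function start_site_session(): void
{
    // Calling session_start() twice raises a notice, so start only once.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'path'     => '/',    // cookie is sent for /admin and /test alike
        'httponly' => true,   // not readable from page JavaScript
        'secure'   => true,   // assumption: HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Returns the username stored at login, or null for an anonymous visitor.
function current_user(): ?string
{
    start_site_session();
    return $_SESSION['logged_in_user'] ?? null;
}

// Stores the score only when someone is logged in. The username comes from
// the session, never from the submitted form, so it cannot be spoofed.
function save_score(PDO $db, int $score): bool
{
    $user = current_user();
    if ($user === null) {
        return false; // anonymous: just display the score
    }
    // Hypothetical table: scores(username, score)
    $stmt = $db->prepare(
        'INSERT INTO scores (username, score) VALUES (:username, :score)'
    );
    return $stmt->execute([':username' => $user, ':score' => $score]);
}

// On logout, clear the login marker and rotate the session ID.
function log_out(): void
{
    start_site_session();
    unset($_SESSION['logged_in_user']);
    session_regenerate_id(true);
}
```

In grade.php, call `save_score($db, $score)` after computing the score, where `$db` is your own PDO connection.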