
Page 1: Introduction to Sessions in PHP
Nic Shulver, N.A.Shulver@staffs.ac.uk

Sessions
- What is a session?
- Example Software
- Software Organisation
- The login HTML
- The login PHP
- The protected page header
- Tricks and Traps
- Summary

Page 2: Sessions

- When your website needs to pass user data from one page to another, it is time to start using PHP sessions
- A normal HTML website will not pass data from one page to another
- All information is forgotten when a new page is loaded
- This makes it a problem for applications which require data to be remembered from one page to the next

Page 3: What is a session?

- Sessions - a way to preserve data across sequential accesses
- Each visitor accessing your web site is assigned a unique id
- This "session id" is usually stored in a cookie on the user side
- It may be propagated in the URL instead (if no cookie support)
- Session support allows you to register lots of variables to be preserved across requests

Page 4: Sessions

- Before you can begin storing user information in your PHP session, you must first start the session
- When you start a session, it must be at the very beginning of your code, before any HTML or text is sent
- When you want to store user data in a session, use the $_SESSION associative array. This is where you both store and retrieve session data

Page 5: Example software

The example software consists of these components:
- Login.htm: the main login page
- Login.php: checks the username and password
- Logout.php: kills the session
- Protected.php: only accessible if already logged in

Page 6: Software organisation

(Diagram on this slide: how the four files link together. The labelled arrows are "Failed" and "No session", both leading back to Login.htm.)

Login.htm
- User: / Pass: entry form, submitted to Login.php

Login.php
- Checks username and password
- "Failed" -> back to Login.htm

Protected.php
- Checks session
- Shows content
- Allows logout
- "No session" -> back to Login.htm

LogOut.php
- Destroys session info
- Shows content
- Allows login

Page 7: A Note About Encryption

There are two ways to use the crypt function:

Encrypt (scramble) our password:

    // modern PHP (8 and later) requires the salt argument; the '$1$' prefix
    // selects MD5-crypt, the format of the hashes used on the following slides
    $crypted_pass = crypt($sPassword, '$1$' . bin2hex(random_bytes(4)) . '$');

Check a supplied password against the encrypted one:

    // crypt() reads the salt back out of the stored hash, so hashing the
    // supplied password with the stored hash as the "salt" gives the same
    // string only if the passwords match
    if (crypt($pass_from_form, $crypted_pass) == $crypted_pass) {
        echo "success";
    }
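The following is an added example, not code from the slides: it puts the crypt() technique above beside PHP's password_hash()/password_verify() API, which generates the salt itself and records the algorithm in the hash. The function names (crypt_hash, crypt_check, modern_hash, modern_check) and the demonstration passwords are assumptions made for this example; hash_equals() is used instead of == so that the comparison runs in constant time.

```php
<?php
// Added example (not from the slides): the slides' crypt() approach beside
// PHP's password_hash()/password_verify() API. The function names and the
// sample passwords are assumptions made for this example.

// --- 1. The slides' technique: crypt() with an MD5-crypt ($1$) salt ---
// crypt() needs an explicit salt on modern PHP. The salt prefix selects the
// algorithm; '$1$' is MD5-crypt, the format of the hashes on the slides.
// MD5-crypt salt characters come from the set [./0-9A-Za-z], so the base64
// '+' is mapped to '.'.
function crypt_hash(string $password): string
{
    $salt = '$1$' . substr(strtr(base64_encode(random_bytes(6)), '+', '.'), 0, 8) . '$';
    return crypt($password, $salt);
}

function crypt_check(string $supplied, string $stored): bool
{
    // hash_equals() compares in constant time, so the comparison itself does
    // not reveal how many leading characters matched (== stops at the first
    // difference).
    return hash_equals($stored, crypt($supplied, $stored));
}

// --- 2. The current API: password_hash() / password_verify() ---
// PASSWORD_DEFAULT is bcrypt today and may change to a stronger algorithm in
// later PHP versions; password_verify() reads the algorithm and salt from the
// hash itself, so hashes made earlier keep verifying.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modern_check(string $supplied, string $stored): bool
{
    return password_verify($supplied, $stored);
}

// Constructed demonstration values (the slides' password for user 'fred').
$stored = crypt_hash('orange');
var_dump(crypt_check('orange', $stored));
var_dump(crypt_check('Orange', $stored));

$stored = modern_hash('orange');
var_dump(modern_check('orange', $stored));
var_dump(modern_check('apple', $stored));

// password_needs_rehash() reports when a stored hash was made with weaker
// parameters than the current default, so it can be upgraded at next login.
var_dump(password_needs_rehash($stored, PASSWORD_DEFAULT));
```

Run it from the command line with php; the first and third checks succeed, the second and fourth fail. The point of keeping both halves side by side is that the verification pattern is the same in each case (hash the supplied value with the stored salt, compare), and only the hashing primitive and the comparison function change.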

Page 8: The login HTML - excerpt

    <form action="login.php" method="post" name="form1">
      Username: <input name="txtUsername" type="text" size="16" maxlength="16"><br>
      Password: <input name="txtPassword" type="password" size="16" maxlength="16"><br>
      <input name="btnLogin" type="submit" value="Log In">
    </form>

Page 9: The login PHP script

    <?php
    // allows session info to be used on this page
    session_start();

    // if this script isn't receiving form data, exit fast
    if (!isset($_REQUEST['btnLogin'])) {
        header("Location: login.htm");
        session_write_close();
        exit();
    }

Page 10: The login PHP script

    // gets username and password as typed into the login form
    $user = $_REQUEST['txtUsername'];
    $pass = $_REQUEST['txtPassword'];

    // three users and their encrypted passwords
    // 'fred' => 'orange', 'kiki' => 'apple', 'nic' => 'banana'
    // NB this info should really be grabbed from a DB
    $aValidUsers = array(
        'fred' => '$1$oa0.Rb2.$vTEdgj6qfZQfO33JUAy5s0',
        'kiki' => '$1$GZ5.XE3.$rKTdD7JfLUdnKoww4Mlqt/',
        'nic'  => '$1$Uo0.NP0.$iBCW9Lrf/yd3NreVkGgHW.'
    );

Page 11: The login PHP script

    // only checks the password if the user exists
    if (isset($aValidUsers[$user])) {
        // checks to see if the username/password pair is valid by encrypting
        // the password and comparing against the real encrypted password
        $sEncryptedPassword = $aValidUsers[$user];
        if (crypt($pass, $sEncryptedPassword) == $sEncryptedPassword) {
            // if logged on okay, remembers user's name as session variable
            $_SESSION['user'] = $user;
            header("Location: protected.php");
            session_write_close();
            exit();
        }
    }

Page 12: The login PHP script

    header("Location: login.htm");
    session_write_close();
    ?>

- The final bit of code is the default action
- So if the login script does not find a valid user, it jumps to the login.htm page
- And if the login script finds a valid user but not a valid password, it also jumps to the login.htm page
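The login script from pages 9 to 12, rewritten as an added example rather than the slides' own code. It keeps the slides' structure (form check, user lookup, password check, redirect, default action) and adds the steps a reviewer would ask for: reading the form from $_POST only, a fresh session id on successful login so that an id the browser held before authenticating is not promoted to a logged-in one (session fixation), and a password check that takes about the same time whether or not the username exists, so the response time does not reveal which usernames are valid. The user names, passwords and form field names come from the slides; the dummy hash, the login_time key and the use of password_hash()/password_verify() in place of crypt() are assumptions made for this example.

```php
<?php
// login.php, added example (not the slides' code). Field names
// txtUsername/txtPassword/btnLogin and the three users are from the slides;
// everything else is an assumption made for this example.
session_start();

// Only accept the form via POST. $_REQUEST would also accept credentials
// passed in the URL, where they end up in browser history and server logs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['btnLogin'])) {
    header('Location: login.htm');
    session_write_close();
    exit();
}

$user = (string) ($_POST['txtUsername'] ?? '');
$pass = (string) ($_POST['txtPassword'] ?? '');

// Stored password hashes (in real code, read from a database). They are
// computed here only so the example is self-contained; normally they are
// produced once with password_hash() when the account is created.
$aValidUsers = [
    'fred' => password_hash('orange', PASSWORD_DEFAULT),
    'kiki' => password_hash('apple',  PASSWORD_DEFAULT),
    'nic'  => password_hash('banana', PASSWORD_DEFAULT),
];

// When the username is unknown, a dummy hash is verified instead of skipping
// the check, so the request takes about the same time either way. Skipping
// the check for unknown users, as the slides do, makes unknown names answer
// noticeably faster than known ones.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
$stored = $aValidUsers[$user] ?? $dummyHash;
$ok = password_verify($pass, $stored) && isset($aValidUsers[$user]);

if ($ok) {
    // Issue a fresh session id on the change from anonymous to logged in,
    // so a session id the client already held is not reused for the
    // authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    header('Location: protected.php');
    session_write_close();
    exit();
}

// Default action, as on the slides: anything that is not a valid
// username/password pair goes back to the login page. The same response
// for both failure cases avoids telling the client which half was wrong.
header('Location: login.htm');
session_write_close();
exit();
```

Computing the hashes on every request is only for self-containment; bcrypt is deliberately slow, so in a real application the hashes are stored and only password_verify() runs per login.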

Page 13: The protected page header

Checks to see if $_SESSION['user'] has been defined:

    <?php
    // allows session info to be used on this page
    session_start();
    // if there is no user session info, exit fast
    if (!isset($_SESSION['user'])) {
        header("Location: login.htm");
        session_write_close();
        exit();
    }
    ?>
    <html> … the page goes here! … </html>
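An added example (not the slides' code) that puts the protected-page check and the logout step described on page 5 into one shared include, so that every protected page calls the same guard. It extends the slides' isset($_SESSION['user']) check with an idle timeout, and the logout removes the cookie from the browser as well as the data on the server. The session key 'user' is from the slides; the file name auth.php, the helper names require_login() and end_session(), the 'last_seen' key and the 900-second limit are assumptions made for this example.

```php
<?php
// auth.php, added example (not the slides' code). Included by protected.php
// and logout.php. The 'user' key is from the slides; the helper names,
// 'last_seen' and IDLE_LIMIT are assumptions made for this example.

const IDLE_LIMIT = 900; // seconds of inactivity before the login expires

// Call at the top of every protected page, before any output is sent.
// Returns the logged-in user name, or redirects to the login page.
function require_login(): string
{
    session_start();

    $now  = time();
    $idle = $now - ($_SESSION['last_seen'] ?? $now);

    // Not logged in, or logged in but idle too long: discard the session
    // and send the visitor to the login page.
    if (!isset($_SESSION['user']) || $idle > IDLE_LIMIT) {
        end_session();
        header('Location: login.htm');
        exit();
    }

    $_SESSION['last_seen'] = $now;
    return $_SESSION['user'];
}

// Full logout: clear the data, expire the cookie in the browser, then
// destroy the server-side record. session_destroy() alone leaves the
// cookie in the browser; clearing $_SESSION alone leaves the file on
// the server.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// --- protected.php (assumed layout) ---
// require 'auth.php';
// $user = require_login();
// ?><html><body>
// Logged in as <?= htmlspecialchars($user, ENT_QUOTES, 'UTF-8') ?>
// <a href="logout.php">Log out</a>
// </body></html>

// --- logout.php (assumed layout) ---
// require 'auth.php';
// session_start();
// end_session();
// header('Location: login.htm');
// exit();
```

The user name is passed through htmlspecialchars() when it is echoed into the page because $_SESSION['user'] was originally typed into a form by the visitor; the session makes it persistent, not trusted.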

Page 14: Tricks and traps

What does "session_write_close();" do?
- When we jump out of a page by writing a new header, session info may not get saved properly
- Explicitly closing the session forces PHP to correctly save any changes to the session info

Session info may be readable by others!
- Depends how it's stored
- Depends how it's transmitted
- Can be forced to be secure (cookies, SSL)
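The slide's last three bullets in working form, as an added example that is not the slides' code: a small bootstrap file, included by every page before session_start(), that pins the session id to a cookie (never the URL), rejects ids the server did not issue, sets the cookie's Secure, HttpOnly and SameSite attributes, and moves the session store out of the shared temporary directory. The ini keys and functions are standard PHP; the file name session_bootstrap.php, the save path and the helper redirect_and_close() are assumptions made for this example.

```php
<?php
// session_bootstrap.php, added example (not the slides' code). Included
// by every page before any output. The file name, the save path and
// redirect_and_close() are assumptions made for this example.

// Accept the session id only from the cookie, never from the URL. The
// slides note that ids "may be propagated in the URL"; an id carried in
// the URL is exposed through Referer headers, bookmarks and server logs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Strict mode: an id the server did not itself generate is discarded and a
// fresh one is issued, instead of being adopted as a valid session.
ini_set('session.use_strict_mode', '1');

// Cookie attributes ("how it's transmitted"): Secure sends the cookie over
// HTTPS only (the "SSL" on the slide); HttpOnly keeps it out of reach of
// page scripts; SameSite=Lax keeps it off cross-site POST requests.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: gone when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Where the data lives on the server ("how it's stored"): a directory only
// this application's PHP process can read, instead of the system temp
// directory shared with everything else on the host. Assumed path; it must
// exist and be writable by PHP.
ini_set('session.save_path', '/var/lib/php/sessions-myapp');

// Server-side garbage collection of idle sessions (seconds).
ini_set('session.gc_maxlifetime', '1800');

session_start();

// For pages that redirect straight away: write the session data before the
// script exits, which is what the slide's session_write_close() bullet is
// about, then stop so nothing is sent after the Location header.
function redirect_and_close(string $url): void
{
    header('Location: ' . $url);
    session_write_close();
    exit();
}
```

With this include in place, the login, logout and protected scripts on the earlier slides need no changes beyond calling redirect_and_close() where they currently write a Location header, close the session and exit by hand.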

Page 15: Summary

We have discussed:
- What sessions consist of
- Some example software - forms and scripts
- The way the example code works
- Protecting a page against casual browsers
- Limitations on security

See PHP session documentation:
- http://uk2.php.net/session
- http://www.devshed.com/c/a/PHP/Using-the-PHP-Crypt-Function/