Nic Shulver, [email protected]
Introduction to Sessions in PHP

Sessions
- What is a session?
- Example Software
- Software Organisation
- The login HTML
- The login PHP
- The protected page header
- Tricks and Traps
- Summary

Sessions
- When your website needs to pass user data from one page to another, it is time to start using PHP sessions
- A normal HTML website will not pass data from one page to another
- All information is forgotten when a new page is loaded
- This makes it a problem for applications which require data to be remembered from one page to the next

What is a session?
- Sessions - a way to preserve data across sequential accesses
- Each visitor accessing your web site is assigned a unique id
- This “session id” is usually stored in a cookie on the user side
- It may be propagated in the URL instead (if no cookie support)
- Session support allows you to register lots of variables to be preserved across requests

Sessions
- Before you can begin storing user information in your PHP session, you must first start the session
- When you start a session, it must be at the very beginning of your code, before any HTML or text is sent
- When you want to store user data in a session, use the $_SESSION associative array. This is where you both store and retrieve session data

Example software
The example software consists of these components:
- Login.htm: the main login page
- Login.php: checks the username and password
- Logout.php: kills the session
- Protected.php: only accessible if already logged in

Software organisation
The components and the paths between them (from the slide diagram):
- Login.htm: the form with User: and Pass: fields; submits to Login.php
- Login.php: checks username and password; on success goes to Protected.php, on "Failed" returns to Login.htm
- Protected.php: checks session, shows content, allows logout; with "No session" it returns to Login.htm
- LogOut.php: destroys session info, shows content, allows login (back to Login.htm)

A Note About Encryption
There are two ways to use the crypt function.
Encrypt (scramble) our password:
$crypted_pass = crypt($sPassword, $salt); // $salt selects the hash scheme (e.g. '$1$...$'); current PHP requires this argument
Check a supplied password against the encrypted one:
if (crypt($pass_from_form, $crypted_pass) == $crypted_pass)
{ echo "success"; }
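As an added example (not code from the slides), here are the same two uses of crypt() written for current PHP, where the salt argument is mandatory: a generated bcrypt salt for new hashes and a constant-time comparison for checking. The names makeBcryptSalt, hashPassword and checkPassword are chosen here.

```php
<?php
// Added example, not from the original slides. Same two uses of crypt() as
// above, for current PHP where the salt argument is mandatory. The bcrypt
// ("$2y$") scheme is used for new hashes; password_hash()/password_verify()
// wrap the same idea and are the usual choice in new code.

// Build a bcrypt salt: "$2y$" + two-digit cost + 22 chars from [./A-Za-z0-9].
function makeBcryptSalt(int $cost = 12): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Way 1: scramble a password for storage (a fresh random salt per password).
function hashPassword(string $plain): string
{
    return crypt($plain, makeBcryptSalt());
}

// Way 2: check a supplied password against the stored hash. Passing the
// stored hash as the salt makes crypt() reuse its scheme, cost and salt, so
// this also verifies the "$1$" (MD5) hashes listed in the slides' login.php.
// hash_equals() compares in constant time, unlike ==.
function checkPassword(string $supplied, string $stored): bool
{
    return hash_equals($stored, crypt($supplied, $stored));
}

$stored = hashPassword('orange');           // constructed sample password
var_dump(checkPassword('orange', $stored)); // right password
var_dump(checkPassword('Orange', $stored)); // wrong password
```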

The login HTML - excerpt
…
<form action="login.php" method="post" name="form1">
Username: <input name="txtUsername" type="text" size="16" maxlength="16"><br>
Password: <input name="txtPassword" type="password" size="16" maxlength="16"><br>
<input name="btnLogin" type="submit" value="Log In">
</form>
…

The login PHP script
<?php
// allows session info to be used on this page
session_start();

// if this script isn't receiving form data, exit fast
if(!isset($_REQUEST['btnLogin'])){
    header("Location: login.htm");
    session_write_close();
    exit();
}

The login PHP script (continued)
// gets username and password as typed into the login form
$user = $_REQUEST['txtUsername'];
$pass = $_REQUEST['txtPassword'];

// three users and their encrypted passwords
// 'fred' => 'orange', 'kiki' => 'apple', 'nic' => 'banana'
// NB this info should really be grabbed from a DB
$aValidUsers = array(
    'fred' => '$1$oa0.Rb2.$vTEdgj6qfZQfO33JUAy5s0',
    'kiki' => '$1$GZ5.XE3.$rKTdD7JfLUdnKoww4Mlqt/',
    'nic'  => '$1$Uo0.NP0.$iBCW9Lrf/yd3NreVkGgHW.'
);

The login PHP script (continued)
// only checks the password if the user exists
if( isset($aValidUsers[$user]) ){
    // checks to see if the username/password pair is valid by encrypting
    // the password and comparing against the real encrypted password
    $sEncryptedPassword = $aValidUsers[$user];
    if(crypt($pass, $sEncryptedPassword) == $sEncryptedPassword){
        // if logged on okay, remembers user's name as session variable
        $_SESSION['user'] = $user;
        header("Location: protected.php");
        session_write_close();
        exit();
    }
}

The login PHP script (continued)
header("Location: login.htm");
session_write_close();
?>

The final bit of code is the default action. So if the login script does not find a valid user, it jumps to the login.htm page. And if the login script finds a valid user but not a valid password, it also jumps to the login.htm page.

The protected page header
Checks to see if $_SESSION['user'] has been defined:
<?php
// allows session info to be used on this page
session_start();
// if there is no user session info, exit fast
if( !isset($_SESSION['user']) ){
    header("Location: login.htm");
    session_write_close();
    exit();
}
?>
<html> … the page goes here! … </html>

Tricks and traps
- What does “session_write_close();” do?
  - When we jump out of a page by writing a new header, session info may not get saved properly
  - Explicitly closing the session forces PHP to correctly save any changes to the session info
- Session info may be readable by others!
  - Depends how it’s stored
  - Depends how it’s transmitted
  - Can be forced to be secure (cookies, SSL)
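As an added example (not the slides' own code), the "cookies, SSL" point made concrete: the cookie and session-id settings a defender would add to the login.php / protected.php / logout.php pattern in this deck. It assumes the site is served over HTTPS and PHP 7.3 or later; startSecureSession, loginUser and logoutUser are names chosen here.

```php
<?php
// Added example, not the slides' own code: session hardening for the
// login.php / protected.php / logout.php pattern in this deck.
// Assumes HTTPS and PHP 7.3+ (array form of session_set_cookie_params).

// Call instead of a bare session_start(): ids travel only in cookies (never
// in the URL), over HTTPS only, unreadable by JavaScript, not sent cross-site,
// and ids the server never issued are rejected.
function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After the password check succeeds: issue a new id so whatever id the
// visitor carried in before logging in is not promoted to a logged-in session.
function loginUser(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// logout.php: clear the data, expire the cookie, destroy the server-side record.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// protected.php header: the same check as the slides, with the secure start.
startSecureSession();
if (!isset($_SESSION['user'])) {
    header('Location: login.htm');
    session_write_close();
    exit();
}
```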

Summary
We have discussed:
- What sessions consist of
- Some example software – forms and scripts
- The way the example code works
- Protecting a page against casual browsers
- Limitations on security

See PHP session documentation:
http://uk2.php.net/session
http://www.devshed.com/c/a/PHP/Using-the-PHP-Crypt-Function/