PHP/MySQL Sessions and Web Authentication
By Nathan Ho


Okay, so now that we have sessions going properly, we'll look at my solution to the web authentication process. This is a list of the files that are necessary to make this work - explanation of the key points is made below. Please note that these files have information on them specific to my webserver environment (such as style sheets, and the generic database connection file includes) that you will need to change, should you use them.

NOTE: The User Admin example page uses a slightly customized version of the sessions functions file (uadsess.inc.php), which does not include the connection variable information at the top. This is because I store the connection/account information in the User Admin file instead. Note as well that this page includes a PHP user-defined function for logging out, but you may wish to use a separate page (which has its advantages) for this action. Here is a simple logout page example:

The first thing you want to do is decide where you want the login/authentication process to begin. Remember that once you start a session, you need to continue it (by including the 2 key lines at the top of each page), or it will become disconnected from the person's visit and will be inaccessible (forcing a re-login to get at stuff again).

That being said, we'll start with the page that the visitor would login on:


  • User Admin & Login Example Page - This page contains a login form for authentication, and a user admin form if logged in with valid admin rights.

    The key variables in the login portion of this page are:

  • $_SESSION['valid_user'] - this variable contains the username of the person who has entered a valid login
  • $_SESSION['vrights'] - this variable contains the valid rights of the account that's logged in, expressed as an integer (higher number = more privileges)

    Please note that if you copy this file and want to use it on your setup, you will need to customize the variables at the top of the file for your specific environment.

    The login form compares the two submitted values (username, password) against the stored information in the user_track table. Note that the passwords are run through one-way md5 "encryption" and the resulting "encrypted" values are compared, rather than storing the passwords in plain text, which would make them more vulnerable to abuse.

    Once a valid login has occurred (authenticated against the stored information in the MySQL database), this page will then display a form that allows you to create and delete users. Note the last line of MySQL code in the database tables structure file: it creates an "admin" level account that will allow you to log in and use this user admin page.

    You can also see here how I not only check to see if the person is logged in, but that they have the correct level of rights to view the page.

    Please note that this system is only as secure as your webserver and MySQL database! Things such as enforcing good passwords and using SSL are good examples of ways to help keep your system and data secure.

  • Logout Example Page - Logging out - or session_destroy

    Lastly, but not least, we want to give people the ability to log out without having to close all instances of their browser (this depends on whether you have a long timeout set, or if you use cookies). We do this by using the session command "session_destroy()", as in the above example page. You'll also notice that I make a call to the "sessgc()" function, which deletes old/out-of-date session information from the database.

    ...and that's it in a nutshell. If you have questions, can't figure something out, or think that something's missing, feel free to let me know!
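The login, rights-check and logout steps described above, pulled together as an added example (not the page's own files). It assumes a PDO connection to the MySQL database, that user_track has columns named username, password and rights (an assumption), and it swaps in password_hash()/password_verify() in place of the page's md5(); the session variable names are the page's.

```php
<?php
// Added example, not code from the original page. Assumed: PDO connection
// details (placeholders below) and user_track columns username/password/rights.
// Stored passwords are assumed to be password_hash() output, not md5().
session_start(); // one of the "key lines" every page must run to continue the session

$db = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS'); // placeholders

function login(PDO $db, string $username, string $password): bool {
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password, rights FROM user_track WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare the submitted password against the stored hash, never plain text.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false; // same answer whether the username or the password was wrong
    }
    session_regenerate_id(true);                    // fresh session id once privileges change
    $_SESSION['valid_user'] = $username;            // who has entered a valid login
    $_SESSION['vrights']    = (int) $row['rights']; // higher number = more privileges
    return true;
}

function has_rights(int $needed): bool {
    // Both checks from the page: logged in AND enough rights for this page.
    return isset($_SESSION['valid_user'], $_SESSION['vrights'])
        && $_SESSION['vrights'] >= $needed;
}

function logout(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie so the browser stops sending the old id.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // drops the server-side session data, as on the logout example page
}

// Use on a protected admin page; ADMIN_RIGHTS is an assumed threshold value.
const ADMIN_RIGHTS = 9;
if (isset($_POST['username'], $_POST['password'])) {
    login($db, $_POST['username'], $_POST['password']);
}
if (isset($_GET['logout'])) {
    logout();
}
if (!has_rights(ADMIN_RIGHTS)) {
    echo 'Please log in with an admin account.';
    exit;
}
```

The page's sessgc() cleanup of stale database-stored sessions is not reproduced here; call it from logout() if you use the page's database session handler.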

© Copyright 2001-2012 TheosLogic Productions | Nathan Ho