Session Newbie

[tanbou1]

I am completely new to PHP. I am trying to create a project for myself in which to learn. I have modified a free authentication script to create a small site where my old high school classmates can get contact information and current events. I have everything working but cannot figure out how and where to place the PHP to make session handling work. I want it so that people aren't having to log over and over during the same visit. i've tried every concievable means i can think of to get this to work and it's not happening. any assistance would be much appreciated.

The way my scripts work are this:

User logs in here in this html page:

<HTML>
<HEAD>
<TITLE>UNTITLED</TITLE>
</HEAD>
<LINK href="authorize.css" type=text/css rel=stylesheet>
<script src=scripts.js></script>
<BODY>
<br><br><br>
Entrance for registered users, they will be refered to page haha.htm<br>
<form action=login.php method=post>
<input type=hidden name=entrance>
Login<input type=text name=username>
Password<input type=password name=password>
<input type=submit value=Enter class=button1>
</form>
<tr>
<td>
</BODY>
</HTML>



The user is then sent to this php login page. This page handles many functions of the site updating user data, adding users ect...this particular function being signed into is to display all entries in the database:



<LINK href="authorize.css" type=text/css rel=stylesheet>
<script src=scripts.js></script>
<?
require("setup.php");

$link=mysql_connect("", "$dblog", "$dbpass");
if (!$link) die ("Couldn't connect to MySQL");
mysql_select_db("$admin_db",$link) or die (mysql_error(). " : ".mysql_errno());



$referer=getenv("HTTP_REFERER");
if (!ereg("^$admin_url_tmp",$referer))
{
echo "<br><br><br><blockquote><p>Please, enter from <a href=$admin_url>$admin_url</a></p></blockquote>";
exit;
}


mt_srand(time()); //obiazatel'no, inache ne rabotaet r****mally
$result = mt_rand(1, 10000)/7; // disable cache



// to update user data
if (isset($enter))
{
include ('header.inc');
include("enter.php");
}

//to enter to display database page
if (isset($entrance))
{
include("entrance.php");
}


//to add user
if (isset($adduser))
{
include ('header.inc');
include ("adduser.php");
}



if (isset($show)) //show or remove users
{
if (($admin_login !=$admin_login_compare) || ($admin_password !=$admin_password_compare))
{ print "<br><br><br><blockquote><p>You are not authorized for this action. You must first make a username and password.</p></blockquote>" ; exit; }
else
include("showusers.php");
}


if (isset($forgotlogin))
{
include ('header.inc');
include ("forgotlogin.php");
}

?>



They are in turn sent to this script:



<?

$sql = "SELECT *FROM users WHERE login='$username' and password='$password'";
$result = mysql_query($sql) or die("Couldn't execute query.");
$num = mysql_numrows($result);

if ($num == 1) {

$day1=date(d);
$month1=date(m);
$year1=date(Y);
$last_date1=$year1."-".$month1."-".$day1;


$lstdate = "update users set last_date='$last_date1' where login='$username'";
$tmp = mysql_query($lstdate) or die("Couldn't execute query");


echo "Hello, $username<br>";
include ("$admin_page");

}

else if ($num == 0) {

echo "You are not authorized!"; // if user not exist

}
// exit;


?>

[Charter]

Hi. There are several ways to authenticate users: cookie, session, database, or some combination of these. Each method has some plus or minus to it, but maybe for starters a cookie authentication might be helpful. For every page that you want to protect, just include the script below as the first thing in the page.

If you would rather use sessions, there are some examples here. When your skills improve, you might consider using a combination of methods along with SSL, depending on whether you are looking for more security. The below example offers a basic authentication, and there is a logout script too, both of which you should put to the test.

PHP Code:

<?php

// basic cookie authentication

@ini_set("magic_quotes_sybase","0");
$testaccess = 0;

if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['entrance'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    if (!get_magic_quotes_gpc()) {
        $username = addslashes($username);
        $password = addslashes($password);
    }

    $query = mysql_query("SELECT 1 FROM users WHERE login='$username' and password='$password'");

    if (mysql_num_rows($query) == 1) {
        $testaccess = 1;
        $cookieinfo = $username.":".$password.":".rand();
        $cookievals = base64_encode($cookieinfo);
        setcookie("classmates", $cookievals, time()+3600);
    }
    else {
        header("Location: http://www.domain.com/login.html");
        exit;
    }

}
elseif (isset($_COOKIE['classmates'])) {

    $classmates = $_COOKIE['classmates'];

    $cookievals = base64_decode($classmates);
    $cookievals = explode(":", $cookievals);

    $username = addslashes(stripslashes($cookievals[0]));
    $password = addslashes(stripslashes($cookievals[1]));

    $query = mysql_query("SELECT 1 FROM users WHERE login='$username' and password='$password'");

    if(mysql_num_rows($query) == 1) {
        $testaccess = 1;
    }
    else {
        header("Location: http://www.domain.com/login.html");
        exit;
    }

}

if ($testaccess == 0) {
    header("Location: http://www.domain.com/login.html");
    exit;
}

// protected page content here

?>

PHP Code:

<?php

// basic cookie logout

setcookie("classmates", "", time()-3600);
header("Location: http://www.domain.com/logout.html");
exit;

?>

Remember to remove any "word" wrapping from the above code.