[PHP] Login Script - Check if logged in.

Soldato (joined 12 Jun 2005, 5,361 posts)
Hi there,

I am in the process of doing a login script which has just one user.

I am creating the script to check if the user is logged in to view the page and redirect them to the login page if they are not logged in, and I was wondering if I need to do any more validation/verification type checks, as I have seen a lot of scripts with a lot more.

This is what I have currently

Code:
<?php
session_start();
$logged_in = 0;

// Treat the visitor as logged in only if both session values exist and match.
// isset() avoids an "undefined index" notice for a visitor with no session data.
if (isset($_SESSION['username'], $_SESSION['password'])
    && $_SESSION['username'] == "username"
    && $_SESSION['password'] == "password") {
    $logged_in = 1;
} else {
    // Not logged in: send them to the login page and stop rendering this page.
    header("Location: index.php");
    exit;
}
?>

Do I need anything else?

Thanks...
 
Looks fine I think; it would make more sense to use true and false for the $logged_in variable, though :) (not that it makes a huge amount of difference in PHP).
 
Yep, there's no problem with it that I can see. It's so simple that there's very little that could actually go wrong :) It's when you start pulling details out of databases that you've got to be more careful.

Having said that, it's probably a good idea to call session_regenerate_id() as soon as the user has been logged in; this prevents sessions from being stolen.
 
Small alterations:

Code:
if (isset($_SESSION['username'], $_SESSION['password'])
    && $_SESSION['username'] === "username"
    && $_SESSION['password'] === "password") {
    // Rotate the session ID the moment the visitor is known to be legitimate.
    session_regenerate_id();
    $logged_in = 1;
} else {
    // Wipe the session data and the session itself before bouncing them.
    $_SESSION = array();
    session_destroy();
    header("Location: index.php");
    exit; // stop here, otherwise the rest of the page is still served
}
Also, don't call session_start() until the user has submitted a user and pass which match, i.e. don't create any sessions until someone's actually logged in (that's the only time you actually need them).

Look into session fixation / session poisoning :)

Lastly, you could look at it the other way and if the session vars don't match the necessary values you simply kill the session and send them to the homepage, no need to bother with a $logged_in var. But that of course depends on your app's design and needs :)
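The following is an added example, not code from the thread, showing how the advice in this post and the earlier suggestion to call session_regenerate_id() fit together for a single-user login. It assumes a form that POSTs "username" and "password" to a login.php which includes this file and calls handle_login_post(), that protected pages begin with require_login(), that the password is "password" (hashed at runtime only so the example runs stand-alone), and PHP 7.3 or later for the array form of session_set_cookie_params(). All file names and function names are assumptions.

```php
<?php
// auth.php: added example, not code from the thread. Assumed layout: login.php
// includes this file and calls handle_login_post($_POST); every protected page
// starts with:  require 'auth.php'; require_login();
declare(strict_types=1);

const LOGIN_USERNAME = 'username';
// In a real deployment paste the output of password_hash() here once; it is
// computed at runtime only so this example runs stand-alone (assumed password).
define('LOGIN_PASSWORD_HASH', password_hash('password', PASSWORD_DEFAULT));

// Start the session with cookie settings that limit what a fixed or stolen ID is worth.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    session_set_cookie_params([
        'httponly' => true,                       // JavaScript cannot read the cookie
        'secure'   => !empty($_SERVER['HTTPS']),  // cookie only over HTTPS when served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Check a submitted username/password against the single configured user.
// On success, rotate the session ID (this is what defeats session fixation) and
// record only a logged-in marker; the password itself never goes into the session.
function attempt_login(string $username, string $password): bool
{
    $user_ok = hash_equals(LOGIN_USERNAME, $username);
    $pass_ok = password_verify($password, LOGIN_PASSWORD_HASH);
    if (!$user_ok || !$pass_ok) {
        return false;
    }
    session_regenerate_id(true);          // true = delete the old session data as well
    $_SESSION = [];                       // drop anything that was set before authentication
    $_SESSION['username']  = LOGIN_USERNAME;
    $_SESSION['logged_in'] = true;
    return true;
}

// Strict check used by every protected page: values must exist and match exactly (===).
function is_logged_in(): bool
{
    return isset($_SESSION['logged_in'], $_SESSION['username'])
        && $_SESSION['logged_in'] === true
        && $_SESSION['username'] === LOGIN_USERNAME;
}

// Call before any output on a protected page. Anyone not logged in has their
// session wiped and is sent to the login page; exit stops the page from rendering.
function require_login(string $login_page = 'index.php'): void
{
    start_secure_session();
    if (is_logged_in()) {
        return;
    }
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $login_page);
    exit;
}

// Clear the session data, expire the cookie and destroy the server-side session.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// login.php-style handler for the assumed POST form. Returns true on success so
// the caller can redirect into the protected area.
function handle_login_post(array $post): bool
{
    start_secure_session();
    $username = (string)($post['username'] ?? '');
    $password = (string)($post['password'] ?? '');
    return attempt_login($username, $password);
}
```

Two design points: session_regenerate_id(true) right after the credentials check means an attacker who planted a session ID on the victim beforehand (fixation) is left holding an ID that no longer exists, and use_strict_mode closes the other half by refusing any ID the server did not issue. The session also stores only a logged-in marker and the username, never the password, so a leaked session file or a var_dump of $_SESSION gives away nothing reusable.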
 
Beansprout said:
Also, don't call session_start() until the user has submitted a user and pass which match, i.e. don't create any sessions until someone's actually logged in (that's the only time you actually need them).

EDIT: Wait, I think I see. Actually I don't; it doesn't work unless I have the session_start().

Beansprout said:
Look into session fixation / session poisoning :)

Thanks, will do.

Beansprout said:
Lastly, you could look at it the other way and if the session vars don't match the necessary values you simply kill the session and send them to the homepage,

Do you mean, if they don't match the password and usernames....blah...

Beansprout said:
no need to bother with a $logged_in var. But that of course depends on your app's design and needs :)

Yeah, I had that there for a specific reason, but I have found another way so I removed it.


Also:

What does the triple "=" mean, or what is it used for?
 
Conrad11 said:
What does the triple "=" mean, or what is it used for?
It's similar to the == operator, but is used to perform strongly typed comparisons, that is to say that the types of the variables have to match as well as their content. For example, "5" == 5 and array() == false will both return true, however "5" === 5 and array() === false will not.
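As an added example (not from the thread), the script below tabulates what == silently accepts and === rejects, including the cases above and the "magic hash" case that matters when a login compares stored digests, and shows the comparison primitive to use for credentials instead. The inputs are constructed for the demonstration; the note on 0 == "password" reflects the change in string/number comparison in PHP 8.0.

```php
<?php
// Added example, not code from the thread: loose (==) vs strict (===) comparison
// on values that turn up in login code, plus the safe way to compare a digest.
declare(strict_types=1);

// Each entry: label => [result with ==, result with ===].
function comparison_table(): array
{
    // Classic "magic hash" pair: both MD5 digests have the form 0e<digits>. A loose
    // comparison treats them as numeric strings (0 * 10^n), so 0 == 0 and they match.
    $a = md5('240610708');  // 0e462097431906509019562988736854
    $b = md5('QNKCDZO');    // 0e830400451993494058024219903391
    return [
        'md5 magic hashes' => [$a == $b, $a === $b],          // [true, false]
        '"5" vs 5'         => ['5' == 5, '5' === 5],          // [true, false]
        'array() vs false' => [[] == false, [] === false],    // [true, false]
        'null vs ""'       => [null == '', null === ''],      // [true, false]
        // 0 == "password" was true before PHP 8.0 and is false since; === never cared.
        '0 vs "password"'  => [0 == 'password', 0 === 'password'],
    ];
}

// How a stored digest should be compared with a freshly computed one: same type,
// same length and constant time, so neither loose coercion nor timing leaks apply.
function digest_matches(string $stored_hex, string $candidate): bool
{
    return hash_equals($stored_hex, hash('sha256', $candidate));
}

if (PHP_SAPI === 'cli') {
    foreach (comparison_table() as $label => [$loose, $strict]) {
        printf("%-18s ==: %-5s ===: %s\n", $label, var_export($loose, true), var_export($strict, true));
    }
    $stored = hash('sha256', 'password');  // constructed stand-in for a stored digest
    var_dump(digest_matches($stored, 'password'));  // bool(true)
    var_dump(digest_matches($stored, 'Password'));  // bool(false)
}
```

The practical rule for login code follows from the table: compare session values and credentials with ===, and compare digests with hash_equals() or password_verify(), never with == on two strings that might both look numeric.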
 