Larry Ullman's Book Forums


With sessions I am completely lost...

So with this code here I can redirect a user if the user_id is not set, right?

So is this making my data on the file secure, so the only people who can access it are users that are logged in? So can I use this code for pages that I wish to hide from unregistered users?

 

session_start();

if (!isset($_SESSION['user_id'])) {
    require_once ('includes/login_functions.inc.php');
    $url = absolute_url();
    header("Location: $url");
    exit();
}


Yes. A session is really only a cookie file saved on the server, as opposed to a normal cookie that is saved on the user's own computer. A cookie file is a simple file storing values like a variable in your scripts. The difference is that the variables found in a session cookie are valid as long as the session is "stamped for", while a variable only has a value when the script runs.

 

That means $_SESSION['user_id'] will have a value until:

1. The session expires (and is deleted)

2. You unset the value from a file

3. A session is regenerated (and the old one is not found)

 

This cookie has a unique random ID per user, and theoretically, only the same user will be able to use that session file. This means $_SESSION['user_id'] can have a different value for you and me. This way, if a user HAS a session key named "user_id", you can be sure the user is logged in. (If you make sure only to add the value when a correct username/password combo is provided for that user.)

 

What the script basically means is this:

- If a session key named "user_id" is NOT found, redirect them to the login site.

- If a user HAS a key named "user_id", the IF statement won't execute (and the user is not redirected)

 

Hope that helps out.


It has cleared things up a little, but what about this random ID, how is everyone's unique? I thought the "user_id" would be equal to the user_id within the database, and that defines the session's user!

I have also seen code like $_SESSION['user_id'] = 1;

Let's say the session user id is "12458", why do you make this equal to one?

This also means that every user's session will be 1, why do they do this?


Sorry about the confusion. It's the session file ID that's unique and random to make sure each user has their own file. This way, the session system knows which file belongs to which user. It's not really important to understand how that works. What's important is only to explain to you that you and I can have different values in that file.

 

The content in that file, for example the user_id, is not random. The value is what you set it to for that user. So if you set it equal to the user_id in the DB, that's the user_id value for that user.

 

The reason why you may see code like that might be because of an extremely simple authentication system. Let's say you have a system where it's not critical to have unique users. Then it would work to set the user_id to 1 and just make sure every user actually has any user_id at all (meaning they know the username/password combo). Other than that, I don't know. It's not really good code.

I think you get how this works, man. Sounds like that to me.

 

Here's what you do step by step. (I think you figured this out, but anyway)

1. On login, Use a query against the DB where you match the username and password.

2. If that is correct (a row is returned for the DB), you assign the user_id from the DB to the session.

3. You then check if the session key is set each time a script runs. ( if (isset($_SESSION['user_id'])) { /* Valid user */ } )

4. On logout, unset the session key. (and the user is logged out)

 

Good luck.

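The four steps from the last reply as a runnable sketch, added here as an example and not code from the thread or from the book. The $users array, the function names login(), require_login() and logout(), and the sample credentials are constructed; the sketch checks a stored hash with password_verify() instead of matching the password in the query, and issues a new session ID at login.

```php
<?php
// Constructed stand-in for the users table; a real site would SELECT the row by username.
$users = [
    'alice' => ['user_id' => 12458, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Steps 1-2: check the credentials, then store the DB user_id in the session.
function login(array $users, string $username, string $password): bool
{
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;                      // nothing is written to the session
    }
    session_regenerate_id(true);           // new session ID at login, old session file deleted
    $_SESSION['user_id'] = $row['user_id'];
    return true;
}

// Step 3: the check every protected page runs before producing any output.
function require_login(string $loginUrl): void
{
    if (!isset($_SESSION['user_id'])) {
        header("Location: $loginUrl");
        exit();                            // stop here so the protected content is never sent
    }
}

// Step 4: clear the session variables and delete the server-side session file.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Walk through the flow once; all output is held until the end so the session can start cleanly.
session_start();
$failed      = login($users, 'alice', 'wrong password');
$afterFail   = isset($_SESSION['user_id']);
$ok          = login($users, 'alice', 'correct horse');
$afterLogin  = $_SESSION['user_id'] ?? null;
logout();
$afterLogout = isset($_SESSION['user_id']);
var_dump($failed, $afterFail, $ok, $afterLogin, $afterLogout);
```

On a real page, require_login() is called at the top of each protected script, right after session_start().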
