#1
  1. Certified m0nk3y!
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2001
    Posts
    437
    Rep Power
    18

    Membership system using sessions and cookies


    Hi, I am currently developing a membership system that allows members to register and when they are registered, they can then access other parts of the site and let them do specific tasks, such as submit news, change their information, etc.

    I already have done that but I wanted to now incorporate sessions instead of using cookies like I have been using.

    When I used cookies, the actual login script contained this:
    PHP Code:
    function docookie($setuid, $settype, $setuname, $setpass) {
        // cookie value is base64 of "uid:type:uname:md5(pass)", kept for 180 days
        $info = base64_encode("$setuid:$settype:$setuname:$setpass");
        setcookie("member", "$info", time()+15552000, "/");
    }

    function login($uname, $pass)
    {
        global $dbi, $HTTP_REFERER;

        // $uname is placed in the query as-is, so it must already be escaped
        $result = sql_query("SELECT uid,type,uname,pass FROM members WHERE uname='$uname'", $dbi);

        if(sql_num_rows($result, $dbi)==1) {

            $setinfo = sql_fetch_array($result, $dbi);

            if(md5($pass) == $setinfo['pass']) {

                docookie($setinfo['uid'], $setinfo['type'], $setinfo['uname'], $setinfo['pass']);
                Header("Location: $HTTP_REFERER");

            } else {

                Header("Location: $HTTP_REFERER");

            }

        } else {

            Header("Location: $HTTP_REFERER");

        }
    }


    That has all been working fine, but I'm concerned about the security issues. This is where sessions come in. But I don't really know how to get the sessions to stay alive when the browser is closed and/or to get much of the sessions going anyways.

    How would the login script be changed to use sessions??
    I also want to be able to keep the current session alive or be able to not have to make users log in each time the browser is opened. Could I store the sessions variable in a MySQL db or are cookies better?

    One last question, what variables would I register: the member's id and username, or username, or just id??? I also use user groups, so members are given a standard member account, then the admin (me) can then upgrade them to senior member or admin, etc. So would I also have to add another variable to the session with user level or access level, etc?
    ---------
    Linux...Macs.... there boring, they just work....... Windows users on the other hand have all the fun!!
    ---------
    PHP | MySQL | Apache | Zend
  2. #2
  3. No Profile Picture
    Senior Member
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Nov 2001
    Location
    Boston Ma.
    Posts
    1,529
    Rep Power
    0
    Hi


    If you are needing to (KEEP THE SESSION/LOGIN ALIVE) even after closing the browser............

    Then you will need to use (sessions, and cookies)


    Just set the session id in your (cookie) using MD5


    PHP Code:


    function get_session_id($sessid, $sesstime, $ip, $db) {

        // the session id comes from the cookie, so escape it and quote it in the query
        $sessid = mysql_real_escape_string($sessid, $db);
        $ct = time() - $sesstime;
        $sql = "SELECT uid FROM sessions WHERE (sid = '$sessid') AND (sess_start > $ct) AND (ip = '$ip')";
        $result = mysql_query($sql, $db);
        if (!$result) {
            echo mysql_error() . "<br>\n";
            die("Error doing DB query in get_session_id()");
        }
        $row = mysql_fetch_array($result);

        if (!$row) {
            return 0;
        } else {
            return $row['uid'];
        }

    }

    function new_session($sessid, $db) {
        $sessid = mysql_real_escape_string($sessid, $db);
        $kt = "1800";
        $et = (time() + $kt);
        $nt = (string) time();
        $sql = "UPDATE sessions SET sess_start=$nt, sess_end=$et WHERE (sid = '$sessid')";
        $result = mysql_query($sql, $db);
        if (!$result) {
            echo mysql_error() . "<br>\n";
            die("Error doing DB update in new_session()");
        }
        return 1;

    }

    if(isset($HTTP_COOKIE_VARS[$sesscookiename])) {
        $sessid = $HTTP_COOKIE_VARS[$sesscookiename];
        $uid = get_session_id($sessid, $sesstime, $REMOTE_ADDR, $db);

        if ($uid) {
            new_session($sessid, $db);

            // now get the user info, and do whatever

        }
    } else {
        // send them to login
    }



    F!
  4. #3
  5. Certified m0nk3y!
    ok ty for the code, but I had a couple of probs: how do I set the session, or in simple terms, how the hell do u use this script, lol. I have no idea how to start the script going, such as logging in, what do I set to log in??

    Also shouldn't there be an INSERT query to start the session in the db?
    ---------
    Linux...Macs.... there boring, they just work....... Windows users on the other hand have all the fun!!
    ---------
    PHP | MySQL | Apache | Zend
  6. #4
  7. No Profile Picture
    Senior Member
    Hi


    Give me an hour, and I will write a script for you, showing you everything, + I will explain it all............



    F!
  8. #5
  9. Certified m0nk3y!
    oh THANKYOU!!!!!!!!!!!!!!!!!!

    See people, this is a perfect example of a great person who is willing to sacrifice his time for you. I wish there were more people like u mate!

    TY, TY, TY!
    ---------
    Linux...Macs.... there boring, they just work....... Windows users on the other hand have all the fun!!
    ---------
    PHP | MySQL | Apache | Zend
  10. #6
  11. No Profile Picture
    Senior Member
    Hi m0nk3y


    I was thinking...........

    instead of me writing all this, and you still would need to reformat it for your script, why don't you send me your script, and I will add the (secure login and session control to it).....

    Send the script, + plus your db structure........

    I only ask this, because each page in your service will have to be updated......

    +

    I have to make a login and logout page / kill the session, based on your current script!.........

    I do not mind doing it for you........

    Here is what I just started writing................

    what it does is log the user in, and sets a session control, using 2 keys, 1, the current session key, based on (IP ADDRESS), and the other the login session key ( cookie key)!

    PHP Code:


    The first thing we need to do is build our (LOGIN/LOGOUT PAGES),
    the (login page) is called only if no (session or session cookie)
    is found for this user..........


    Let's begin...........

    PAGE NAME login.php

    <?php

    // first we include our include files
    // the include files hold all the functions
    // and set $vars for your service (login/logout)

    include('sf.php'); // holds all functions
    include('config.php'); // holds all set $vars
    require('sys.php'); // holds user prefs, and verify sessions

    $page = "login"; // used when you call the (include(head.php) page)

    // it is not a submit, so show the login form!

    if (!$submit) {

        // $to = the page we will forward the user to, after logging in!

        $to = "index";

        // include head, allows you to use different (headers)
        // it is based on the $page value above!

        include('head.php');

        // login() is your login form that is in the (include(sf.php) file).....

        login(0, $to);

        // include close, allows you to use different (page endings)
        // it is based on the $page $var above!

        include('close.php');

    } else {

        // it is a (SUBMIT), so lets check the (login form)

        if ($user == '' || $passwd == '') {
            // no user or pass entered return the login form + error
            $error = 1;
        }
        else if (!check_user($user, $db)) {
            // no user by that name return the login form + error
            $error = 2;
        }
        else if (!check_pw($user, $passwd, $db)) {
            // user found but password is wrong, return the login form + error
            $error = 3;
        } else {
            // user and pass found, now check if user wants to stay logged in
            // if so make the (auto login key and cookie), if not go to finish
            // the login!
            if($keep == 1){
                do {
                    $rnumber = md5(uniqid(rand()));
                } while(getname($rnumber));
                store_key($rnumber, $user);
                setcookie("thekey", $rnumber, time()+2592000);
            }
        }

        if ($error != "") {
            // return the error and login form, based on what error was found, above!
            include('head.php');
            login($error, $to);
            include('close.php');
        } else {

            // finish the login.............
            // set the new session key (current session) and the (cookie)

            $userdata = get_user($user, $db);

            $sessid = new_session($userdata['uid'], $REMOTE_ADDR, $sesscookietime, $db);

            set_cookie($sessid, $sesscookietime, $sesscookiename, $cookiepath, $cookiedomain, $cookiesecure);

            $send = "$main_url/$to";

            // OK everything is done, send them on their way!

            include('head.php');
    ?>
             <HTML>
                 <HEAD>
                <META HTTP-EQUIV="refresh" content="2;URL=<?php echo $send ?>">
                  <TITLE>WELCOME BACK <?php echo htmlspecialchars($userdata['fname']) ?></TITLE>
                    <BODY BGCOLOR="<?php echo $bgcolor ?>" TEXT="<?php echo $color3 ?>">
                 <BR>
                   <BR>
                      <BR>
                        <CENTER><FONT SIZE="4">WELCOME BACK TO...<BR>
                     <BR></FONT>
                  <FONT SIZE="5" COLOR="<?php echo $color2 ?>"><B><?php echo $title ?></B><BR><BR></FONT>
                <FONT SIZE="4">Thank You For Logging In...</FONT></CENTER><BR>
               <BR>
    <?php
            include('close.php');

        }
    }

    ?>
    Like I said, I do not mind doing it, but having your script, will help me get it done faster!

    Fataqui@netscape.net


    F!
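
The server-side session table from post #2 and the stay-logged-in key from post #6 are one mechanism with different lifetimes; the block below is an added example, not code from either poster, showing it with a CSPRNG token, only the token's hash stored, and parameterised queries. The table layout, the function names and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example: names and schema are assumptions; SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, uid INTEGER, expires INTEGER)');

// Create a session row; return the raw token that goes in the cookie.
// Only its SHA-256 is stored, so a leaked table holds no usable cookies.
function start_session(PDO $db, int $uid, int $lifetime, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $db->prepare('INSERT INTO sessions (token_hash, uid, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $uid, $now + $lifetime]);
    return $token;
}

// Return the uid for a live token, else 0; a hit slides the expiry forward.
function check_session(PDO $db, string $token, int $lifetime, int $now): int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return 0; // malformed cookie value, never reaches the database
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT uid FROM sessions WHERE token_hash = ? AND expires > ?');
    $stmt->execute([$hash, $now]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        return 0;
    }
    $db->prepare('UPDATE sessions SET expires = ? WHERE token_hash = ?')
       ->execute([$now + $lifetime, $hash]);
    return (int) $uid;
}

// Logout: delete the row so the cookie value is dead server-side.
function end_session(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed walk-through with a fixed clock. A real page would send the token with
// setcookie('sid', $token, ['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$now = 1000000;
$token = start_session($db, 42, 1800, $now);
var_dump(check_session($db, $token, 1800, $now + 600));  // 600 s after login
var_dump(check_session($db, $token, 1800, $now + 2300)); // 1700 s after the last hit
var_dump(check_session($db, $token, 1800, $now + 5000)); // 2700 s after the last hit
end_session($db, $token);
```

The cookie carries only the random token; uid, username and access level are read from the database after the lookup, so none of them can be edited client-side. For the stay-logged-in case the same functions are called with the 2592000-second lifetime used in post #6.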
  12. #7
  13. Certified m0nk3y!
    I have emailed my scripts to you so I hope u can do it, and thank you anyways.
    ---------
    Linux...Macs.... there boring, they just work....... Windows users on the other hand have all the fun!!
    ---------
    PHP | MySQL | Apache | Zend
