I have a couple of questions about PHP session-based logins. I have used the following tutorial to create a login form that connects to an existing user database that I have:
http://www.sourcecodester.com/tutorials/php/4341/how-create-login-page-phpmysql.html
I understand most of it, but I'd just like to query a couple of things that I do not understand:
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['username'];
$_SESSION['SESS_LAST_NAME'] = $member['password'];
session_write_close();
header("location: home.php");
exit();
The following code goes in the login_exec.php page - I think that this code is setting the session ID upon a successful login - am I correct?
What I do not understand is the reason for "SESS_MEMBER_ID", "SESS_FIRST_NAME" and "SESS_LAST_NAME" - why is that there and what is it doing precisely?
My second question. In "home.php" - when a user clicks "logout", they are directed back to index.php and somehow the session is being destroyed. How, exactly, is the session getting destroyed when clicking "logout"?
Thirdly, is it possible to change "home.php" so that there is an if/else statement in place that says something like "if logged_in echo "yay, you are logged in" with a variety of logged in content, "else if not_logged_in echo "sorry, you are not logged in and cannot view this page, please go to the following page to log in". If it is possible, how would I do that?
Many Thanks
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['username'];
$_SESSION['SESS_LAST_NAME'] = $member['password'];
The following code goes in the login_exec.php page - I think that this code is setting the session ID upon a successful login - am I correct?
Yes, it sets the session, and also saves some member information into the session itself before saving it. That way, the information will be available without further querying the database. Moreover, if the information is not present, we know that the user is not authenticated.
You could also store the whole of $member:
$_SESSION['member'] = $member;
but doing so saves the password also, and it's not good practice to have the password coming along hidden in the session in all subsequent pages. You can do this, though:
unset($member['password']); // $member is a copy of the database row, untouched.
$_SESSION['member'] = $member;
My second question. In "home.php" - when a user clicks "logout", they are directed back to index.php and somehow the session is being destroyed. How, exactly, is the session getting destroyed when clicking "logout"?
Usually this is done with a redirect and a session_destroy.
Thirdly, is it possible to change "home.php" so that there is an if/else statement in place that says something like "if logged_in echo "yay, you are logged in" with a variety of logged in content
Yes, using the above $_SESSION:
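<?php
// $_SESSION is only populated once the session has been started on this page.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// SESS_MEMBER_ID is only set by login_exec.php after a successful login.
if (!empty($_SESSION['SESS_MEMBER_ID']))
{
?>
Welcome, <?php print htmlspecialchars($_SESSION['SESS_FIRST_NAME'], ENT_QUOTES, 'UTF-8'); ?>!
<?php
} else {
?>
Sorry, you need to <a href="login.php">LOGIN!</a>
<?php
}
?>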
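
The logout step the answer describes ("a redirect and a session_destroy"), written out as an added example that is not part of the original post or the tutorial. The file name logout.php and the function name are assumptions; index.php is the page named in the question.

```php
<?php
// logout.php (hypothetical file name): the page the "logout" link points to.

/**
 * End the login session completely: the data held for this request,
 * the browser's session cookie, and the server-side session storage.
 */
function destroy_login_session(): void
{
    // The session must be attached before it can be destroyed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Clear SESS_MEMBER_ID and the other keys so nothing later in this
    // request can still treat the user as logged in.
    $_SESSION = [];

    // session_destroy() does not remove the cookie from the browser,
    // so expire it with the same parameters it was issued with.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // Remove the server-side session data tied to the old session ID.
    session_destroy();
}

destroy_login_session();

// Send the user back to the login page and stop executing this script.
header('Location: index.php');
exit();
```

After this runs, the `!empty($_SESSION['SESS_MEMBER_ID'])` check on home.php fails and the "not logged in" branch is shown.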