This is a discussion on "So what happens after creating the login mechanism?" within the PHP Language forums, part of the PHP Programming Forums category.
I have read a lot of tutorials on how to create a login mechanism (a lot of which I found really useful). None of them, however, explain how you check whether the user is or is not in fact logged in.

What is your implementation? What do you believe is a good practice and what is not? Do you provide both sessions and cookies for temporary and long-term logins?
pek wrote:
> I have read a lot of tutorials on how to create a login mechanism (a
> lot of which I found really useful). None of them however explain how
> do you check if the user is or is not in fact logged in.
>
> What is your implementation? What do you believe is a good practice
> and what is not? Do you provide both sessions and cookies for temporal
> and long-term logins..?

That is because HTTP itself is a stateless protocol.

Each page request is an atomic session: you can have no idea at the server end whether the request is from someone who has been staring at the screen with your site displayed on it for a week, or has in fact been on holiday in Outer Mongolia.

Hence the use of sessions, where cookies are used to carry state information, stored in the browser, between page requests.

So in terms of whether a user is logged in or not on THAT basis, if he connects with a valid name/password combo, he is logged in until you decide he isn't.

If on the other hand you want to detect who is actually requesting a page, the web logs generally tell you that if you use a .htXXXX type access mechanism, and IIRC the login info is carried in a PHP global variable somewhere. Can't remember. If you use sessions it's carried in the session info.
On Jun 25, 5:07 pm, The Natural Philosopher <a...@b.c> wrote:
> pek wrote:
> > I have read a lot of tutorials on how to create a login mechanism (a
> > lot of which I found really useful). None of them however explain how
> > do you check if the user is or is not in fact logged in.
> >
> > What is your implementation? What do you believe is a good practice
> > and what is not? Do you provide both sessions and cookies for temporal
> > and long-term logins..?
>
> That is because HTTP itself is a stateless protocol.
>
> Each page resquest is an atomic session: you can have no idea at the
> server end whether the request is from someone who has been staring at
> the screen with your site displayed on it for a week, or has in fact
> been on holiday in outer mongolia.
>
> Hence the use of sessions, where cookies are used to carry state
> information,stored in the browser,between page requests.
>
> So in terms of whether a user is loggen in or not on THAT basis, if he
> connects with a valid name/password cobo,he is loggen in until you
> decide he isn;t.
>
> If on the other hand you want to detect who is actually requesting a
> page, the web logs generally tell you that if you use ,htXXXX type
> access mechanism,and IIRC the login info is carried in a PHP global
> varaiable somewhere. Can't remember.If you use sessions its caried in e
> session info.

Yes, I kinda know all this. My question was what is your actual code that looks if a user is logged in or not?
Is it something like this:

    if (isset($_SESSION['user'])) {
        // he is logged in
    } else {
        // redirect to login
    }

Or is it more advanced? What is your code of checking..?
On Jun 25, 1:52 pm, pek <kimwl...@gmail.com> wrote:
> I have read a lot of tutorials on how to create a login mechanism (a
> lot of which I found really useful). None of them however explain how
> do you check if the user is or is not in fact logged in.
>
> What is your implementation? What do you believe is a good practice
> and what is not? Do you provide both sessions and cookies for temporal
> and long-term logins..?

You're confusing authentication and session management. If you try to make them the same thing, and you allow users to login without expiring for a long period of time, you will have to maintain the user session for that time - which is not going to scale well nor allow for change management.

By all means allow your website to 'remember me' - but implement this separately from the session handling.

Then do authentication for any user who does not have a valid session; if the user is authenticated, create a session or flag the session as valid.

C.
On Jun 26, 3:42 pm, "C. (http://symcbean.blogspot.com/)" <colin.mckin...@gmail.com> wrote:
> On Jun 25, 1:52 pm, pek <kimwl...@gmail.com> wrote:
>
> > I have read a lot of tutorials on how to create a login mechanism (a
> > lot of which I found really useful). None of them however explain how
> > do you check if the user is or is not in fact logged in.
>
> > What is your implementation? What do you believe is a good practice
> > and what is not? Do you provide both sessions and cookies for temporal
> > and long-term logins..?
>
> You're confusing authentication and session management. If you try to
> make them the same thing, and you allow users to login without
> expiring for a long period of time you will have to maintain the user
> session for that time - which is not going to scale well nor allow for
> change management.
>
> By all means allow your website to 'remember me' - but implement this
> seperately from the session handling.
>
> Then do authentication for any users who does not have a valid
> session, if the user is authenticated, create a session or flag the
> session as valid.
>
> C.

OK, maybe I didn't make myself clear.

My question is simply this:
What is your code to check whether a user is logged in or not.
pek schreef:
> On Jun 26, 3:42 pm, "C. (http://symcbean.blogspot.com/)"
> <colin.mckin...@gmail.com> wrote:
>> On Jun 25, 1:52 pm, pek <kimwl...@gmail.com> wrote:
>>
>>> I have read a lot of tutorials on how to create a login mechanism (a
>>> lot of which I found really useful). None of them however explain how
>>> do you check if the user is or is not in fact logged in.
>>> What is your implementation? What do you believe is a good practice
>>> and what is not? Do you provide both sessions and cookies for temporal
>>> and long-term logins..?
>> You're confusing authentication and session management. If you try to
>> make them the same thing, and you allow users to login without
>> expiring for a long period of time you will have to maintain the user
>> session for that time - which is not going to scale well nor allow for
>> change management.
>>
>> By all means allow your website to 'remember me' - but implement this
>> seperately from the session handling.
>>
>> Then do authentication for any users who does not have a valid
>> session, if the user is authenticated, create a session or flag the
>> session as valid.
>>
>> C.
>
> OK, maybe I didn't make myself clear.
>
> My question is simply this:
> What is your code to check wether a user is logged in or not.

Hi,

You cannot expect us to give you literal code. YOU are the one designing the authentication and the subsequent checking.

A simple example:

login.php contains a form where a username and password is typed. It posts to: login_process.php

Here you check the passed username/password against a database or something that holds this information. If successful, you'll end up with something like: [just a code snippet]

    session_start();
    $username = $connection->qstr($_POST["username"]);
    $password = $connection->qstr($_POST["password"]);
    // The $connection->qstr is from the ADODB db abstraction layer.
    // You might well use another to prevent SQL injection.
    $SQL = "SELECT userid FROM tbluser WHERE ((username=$username) AND (password=$password));";
    $RS = $connection->getAll($SQL);
    if (isset($RS[0])) {
        // OK: remember the user in the session and send him on
        $_SESSION["userid"] = $RS[0]["userid"];
        header("Location: userpage.php");
        exit;
    } else {
        echo "bad username and password. Try again.";
        exit;
    }

userpage.php
On this page you demand a logged in user, so start this page with:

    session_start();
    if (!isset($_SESSION["userid"])) {
        echo "Sorry, your session expired, or you are screwing up somehow.";
        exit;
    }

Since you'll end up with the above check routine on every page, I advise you to put the whole into a function, named eg: redirectIfNotLoggedIn().

Hope this helps a little.

So in short: You make some entry in $_SESSION on successful login, and you check it everywhere where you demand a logged in user.

Regards,
Erwin Moller
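Erwin's login_process.php / userpage.php procedure written out as the redirectIfNotLoggedIn() routine he suggests, keeping authentication separate from session handling as C. advises. This is an added example, not either poster's code; it assumes a PDO connection `$db` and a hypothetical table `tbluser(userid, username, pwhash)` that stores `password_hash()` output in place of the plaintext comparison in the snippet above, and the function names and the idle limit are assumptions as well.

```php
<?php
// Added example (not Erwin Moller's or C.'s code): the redirectIfNotLoggedIn()
// check routine Erwin suggests, with authentication kept separate from session
// handling as C. advises. Assumptions: a PDO connection $db and a hypothetical
// table tbluser(userid, username, pwhash) where pwhash came from password_hash().
declare(strict_types=1);

const IDLE_LIMIT = 1800; // seconds of inactivity before the login is dropped (assumed)

/** Authentication step of login_process.php: returns the userid, or null on failure. */
function authenticate(PDO $db, string $username, string $password): ?int
{
    // A bound parameter replaces the ADODB qstr() quoting in the post.
    $stmt = $db->prepare('SELECT userid, pwhash FROM tbluser WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() against a stored hash replaces the plaintext comparison above;
    // unknown user and wrong password deliberately look the same to the caller.
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return null;
    }
    return (int) $row['userid'];
}

/** Session step: only called once authenticate() has returned a userid. */
function establishSession(int $userid): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Fresh session id at login, so an id handed out before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['userid']    = $userid;
    $_SESSION['last_seen'] = time();
}

/** The check routine for every page that demands a logged-in user. */
function redirectIfNotLoggedIn(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $idle = !isset($_SESSION['last_seen']) || time() - $_SESSION['last_seen'] > IDLE_LIMIT;
    if (!isset($_SESSION['userid']) || $idle) {
        $_SESSION = [];
        session_destroy(); // drop the stale entry rather than leave it half-valid
        header('Location: ' . $loginUrl);
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding idle window
}
```

login_process.php calls `establishSession()` only when `authenticate()` returns a userid; userpage.php and every other protected page begin with `redirectIfNotLoggedIn()`.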
On Wed, 25 Jun 2008 14:38:15 -0700 (PDT), pek wrote:
> Yes, I kinda know all this. My question was what is your actual code
> that looks if a user is logged in or not?
> Is it something likes this:
>
> if ( isset($_SESSION['user'])) {
> // he is logged in
> } else {
> // redirect to login
> }
>
> Or is it more advanced?

That's usually sufficient for casual "logged in" checking. I'd work harder for financial information, but for a "is this user allowed to comment on these pictures" kind of thing? It's probably all you need.

--
With a Dremel tool and a cut-off wheel, _everything_ takes a flat-blade screwdriver.
-- Matt Roberds in the Monastery
> Yes, I kinda know all this. My question was what is your actual code > that looks if a user is logged in or not? > Is it something likes this: > > if ( isset($_SESSION['user'])) { > // he is logged in > } else { > // redirect to login > } > > Or is it more advanced? That's usually sufficient for casual "logged in" checking. I'd work harder for financial information, but for a "is this user allowed to comment on these pictures" kind of thing? It's probably all you need. -- With a Dremel tool and a cut-off wheel, _everything_ takes a flat-blade screwdriver. -- Matt Roberds in the Monastery |