Hi Salahuddin,
Well there is a ton of information on user authentication already out there. I had a terrible time understanding how it all worked when I first went out to implement my first authentication scheme -- many of those tutorials were outdated or were not on the method that I wanted to use. So I'll throw in my two cents on how to do an authentication scheme using PHP sessions.
From the standpoint of security if you're doing anything that involves money you're going to need a rock solid authentication scheme. My advice if you're going that route is to use SSL to transmit user logins to the server and then store that information in a database which encrypts the password. You would also need a tough registration script with password validation -- to stop users from trying to use crappy passwords.
But as Nik said a complete tutorial including things like a registration script, email verification, alternative methods of authentication, etc. would be very long and complicated to explain. So to avoid going into a very lengthy discussion I'm going to assume that you just need a basic authentication scheme with low security requirements.
Basically if sessions are the route you're going to take then the following would be an ok solution to implementing that.
session_start(); will initiate your session and must appear on every page that calls on session data. Sessions exist to fill the void where data does not persist from page to page. Sessions allow a $_SESSION variable created on any page calling session_start(); to be retrievable on any other page calling session_start();
session_start(); also creates a cookie that contains a unique id that allows PHP to associate session data with a particular user. This session id may also be embedded in URLs to make up for users who do not have cookies enabled. A thorough session implementation would include the session id within every url. Because the session_start(); function creates a cookie sent out with the HTTP response headers it must be included first in any script implementing it, before any HTML tags or script *output* and may not contain white space before the opening <?php delimiter.
http://www.php.net/session_start
This particular method of authentication requires a database. I'm going to assume also that you already know how to set up and use a database.
Code:
<?php
# session_start() must run before any output, so nothing (not even whitespace) may precede the <?php tag
session_start();
if (!isset($_SESSION["logged_in"]))
{
    $_SESSION["logged_in"] = (int) 0;
}
if (isset($_POST["username"]) && isset($_POST["password"]))
{
    # The mysql password() function is a one-way encryption algorithm
    # In order to check the password with the password function, it will need to have been
    # stored in the database using the password function.
    #
    # e.g. INSERT INTO `users` VALUES('$username', password('$password'));
    #
    # $db is assumed to be an open mysqli connection created earlier (database setup is not covered here).
    # The submitted username and password are bound as parameters instead of being pasted into the
    # SQL string, so a quote character in either of them cannot alter the query.
    $stmt = $db->prepare("SELECT `username` FROM `users` WHERE `username` = ? AND `password` = password(?)");
    $stmt->bind_param("ss", $_POST["username"], $_POST["password"]);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows == 1)
    {
        # Issue a fresh session id once the user has authenticated
        session_regenerate_id(true);
        $_SESSION["logged_in"] = 1;
    } else {
        $_SESSION["logged_in"] = 0;
    }
    $stmt->close();
}
if (isset($_SESSION["logged_in"]) && $_SESSION["logged_in"] == 0)
{
    # PHP_SELF reflects part of the request URI, so it is escaped before being echoed into the HTML
    $self = htmlspecialchars($_SERVER["PHP_SELF"]);
    echo "
    <form method='post' action='{$self}'>
    <input type='text' name='username' size='20' value='' /><br />
    <input type='password' name='password' size='20' value='' /><br />
    <input type='submit' name='do_action' value='Login' />
    </form>";
} else {
    # Now include a url to member only content!
    echo "You have successfully logged in!";
}
?>
The following is an example of how you would implement the authentication on another page after being logged in.
Code:
<?php
session_start();
if (isset($_GET["logout"]) && $_GET["logout"] == true)
{
    # Clear the session data, expire the session cookie in the browser and destroy the session on the server
    $_SESSION = array();
    if (ini_get("session.use_cookies"))
    {
        $p = session_get_cookie_params();
        setcookie(session_name(), "", time() - 42000, $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
}
if (isset($_SESSION["logged_in"]) && $_SESSION["logged_in"] == 1)
{
    # Members only
    # The following is an example of a logout url (PHP_SELF is escaped because it echoes part of the request URI):
    echo "<a href='" . htmlspecialchars($_SERVER["PHP_SELF"]) . "?logout=1'>logout</a>";
} else {
    echo "You are not logged in!";
    # Include a link back to the login page or design your login system as such that
    # it utilizes user-defined functions or included pages
}
?>
An example of creating a session_id for use in a URL:
With a standards compliant argument separator:
$session = "&amp;PHPSESSID=".session_id();
With the normal:
$session = "&PHPSESSID=".session_id();
echo "<a href='some/page/in/your/site.php?{$session}'>link</a>";
http://www.php.net/session_id
There is also a php.ini directive that will automagically include the session id within every url on your site.
Like I said before this is just a very basic authentication scheme. And there are a multitude of ways that this can be done. Personally I use a very lengthy class, I have an extensive registration script, with email verification. I log user activity. All of which would take a very long time to explain and pages and pages of posts.
If this doesn't fit the bill then I suggest following Nik's advice and treading through the multitude of tutorials and articles that already exist on the subject.
Best of luck!
: )
Rich
:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::
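The same login/logout flow as in the post above, as an added example that is not part of Rich's post or of any project. It keeps the session-based design but swaps the pieces a reviewer would flag: user input is bound to prepared statements instead of interpolated into SQL, passwords are stored with PHP's password_hash() and checked with password_verify() rather than MySQL's password(), the session id is regenerated on login and travels only in a cookie (never in a URL), and the form carries a per-session CSRF token. The in-memory SQLite database, the user "alice" and her password are constructed sample data; a real site would point $pdo at its own database.

```php
<?php
// Added example (not from the original post). Assumptions: PDO with the
// sqlite driver is available; the users table and the user "alice" are
// constructed sample data standing in for a real database.
declare(strict_types=1);

// Session id lives only in an HttpOnly cookie (Secure when served over HTTPS).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

function open_database(): PDO
{
    // Constructed sample data: one user whose password is stored as a
    // password_hash() digest, never in clear text.
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $insert->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $pdo;
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username is data, not SQL, whatever characters it contains.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummy) && $row !== false;
    if (!$ok) {
        return false;
    }
    // Fresh session id on login so an id fixed before authentication is useless.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = 1;
    $_SESSION['username']  = $username;
    return true;
}

function is_logged_in(): bool
{
    return isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === 1;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the browser's cookie as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function csrf_token(): string
{
    // One random token per session, required on every POST so another site
    // cannot submit this form on the visitor's behalf.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

$pdo = open_database();

if (isset($_GET['logout'])) {
    logout();
    session_start();   // start a clean, anonymous session for the response
}

if (isset($_POST['username'], $_POST['password'], $_POST['csrf'])
    && is_string($_POST['username']) && is_string($_POST['password']) && is_string($_POST['csrf'])
    && hash_equals(csrf_token(), $_POST['csrf'])) {
    login($pdo, $_POST['username'], $_POST['password']);
}

// PHP_SELF echoes part of the request URI, so it is HTML-escaped before output.
$self = htmlspecialchars($_SERVER['PHP_SELF'] ?? '/', ENT_QUOTES, 'UTF-8');
if (is_logged_in()) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')
       . " <a href='{$self}?logout=1'>logout</a>";
} else {
    echo "<form method='post' action='{$self}'>"
       . "<input type='hidden' name='csrf' value='" . csrf_token() . "' />"
       . "<input type='text' name='username' size='20' /><br />"
       . "<input type='password' name='password' size='20' /><br />"
       . "<input type='submit' value='Login' /></form>";
}
```

Serve it with `php -S localhost:8080 login.php` and log in as alice with the constructed password; a wrong password, an unknown user, or a username containing a quote all fall through to the form, and the logout link leaves the browser with neither session data nor a session cookie. Because the session id is regenerated on login, the PHPSESSID-in-URL trick from the post is intentionally left out: once the id can appear in a link it also ends up in referer headers, bookmarks and server logs, which is why the example forces cookie-only sessions.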