Shared by: cuiliqing
posted:
10/28/2011
Introduction to Sessions in PHP

Sessions

What is a session?

Example Software

Software Organisation

The login HTML

The login PHP

The protected page header

Tricks and Traps

Summary

Nic Shulver, N.A.Shulver@staffs.ac.uk


Sessions

• When your website needs to pass user data from one page to another, it is time to start using PHP sessions
• A normal HTML website will not pass data from one page to another
• All information is forgotten when a new page is loaded
• This makes it a problem for applications which require data to be remembered from one page to the next


What is a session?

• Sessions - a way to preserve data across sequential accesses
• Each visitor accessing your web site is assigned a unique id
• This “session id” is usually stored in a cookie on the user side
• It may be propagated in the URL instead (if no cookie support)
• Session support allows you to register lots of variables to be preserved across requests




Sessions

• Before you can begin storing user information in your PHP session, you must first start the session
• When you start a session, it must be at the very beginning of your code, before any HTML or text is sent
• When you want to store user data in a session use the $_SESSION associative array. This is where you both store and retrieve session data


Example software

The example software consists of these components:

• Login.htm      the main login page
• Login.php      checks the username and password
• Logout.php     kills the session
• Protected.php  only accessible if already logged in






A Note About Encryption

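There are two ways to use the crypt function:

• Encrypt (scramble) our password. crypt() is a one-way hash, so the result cannot be decrypted:

// PHP 8 requires the salt argument; "$1$" selects MD5-crypt,
// the format of the stored hashes in the login script
$crypted_pass = crypt($sPassword, '$1$' . bin2hex(random_bytes(4)) . '$');

• Check a supplied password against the encrypted one:

// hash_equals() compares the two strings in constant time
if (hash_equals($crypted_pass, crypt($pass_from_form, $crypted_pass)))
{
    echo "success";
}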


The login HTML - excerpt





Username:

Password:








The login PHP script

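<?php
// Assumed opening, not present in this copy of the slide: the session is
// started and the form fields are read. The field names 'user' and 'pass'
// are assumptions.
session_start();
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

// … 'orange', 'kiki' => 'apple', 'nic' => 'banana'
// NB this info should really be grabbed from a DB
$aValidUsers = array(
    'fred' => '$1$oa0.Rb2.$vTEdgj6qfZQfO33JUAy5s0',
    'kiki' => '$1$GZ5.XE3.$rKTdD7JfLUdnKoww4Mlqt/',
    'nic'  => '$1$Uo0.NP0.$iBCW9Lrf/yd3NreVkGgHW.'
);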


The login PHP script

// only checks the password if the user exists
if( isset($aValidUsers[$user]) )
{   // checks to see if the username/password pair is valid by encrypting
    // the password and comparing against the real encrypted password
    $sEncryptedPassword = $aValidUsers[$user];

    // hash_equals() compares the two strings in constant time
    if(hash_equals($sEncryptedPassword, crypt($pass, $sEncryptedPassword)))
    {   // if logged on okay, remembers user's name as session variable
        $_SESSION['user'] = $user;
        header("Location: protected.php");
        session_write_close();
        exit();
    }
}




The login PHP script

header("Location: login.htm");
session_write_close();
?>

• The final bit of code is the default action
• So if the login script does not find a valid user, it jumps to the login.htm page
• And if the login script finds a valid user but not a valid password, it also jumps to the login.htm page
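
The password check from the crypt note and the login script, written with PHP's password_hash() / password_verify() API. This is an added example, not code from the original slides; the function name check_login, the $users array and the sample account are constructed for illustration. It goes beyond the slides by replacing a legacy "$1$" (MD5-crypt) hash with a current one after a successful login.

```php
<?php
declare(strict_types=1);

/**
 * Returns true when $pass matches the stored hash for $user.
 * $users is passed by reference so a legacy hash can be replaced after login.
 */
function check_login(array &$users, string $user, string $pass): bool
{
    // Unknown user: still verify against a dummy hash so the work done
    // does not depend on whether the username exists.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $stored = $users[$user] ?? $dummy;

    // password_verify() accepts any crypt()-format hash, including "$1$" ones,
    // and compares in constant time.
    if (!password_verify($pass, $stored) || !isset($users[$user])) {
        return false;
    }

    // Legacy or under-strength hash: re-hash with the current default
    // algorithm while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$user] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: one account stored as MD5-crypt, like the slides' array.
$users = ['fred' => crypt('orange', '$1$Ab1.Cd2.$')];

var_dump(check_login($users, 'fred', 'banana'));   // wrong password
var_dump(check_login($users, 'nobody', 'orange')); // unknown user
var_dump(check_login($users, 'fred', 'orange'));   // correct password, triggers the upgrade
var_dump(str_starts_with($users['fred'], '$1$'));  // is the stored hash still MD5-crypt?
var_dump(check_login($users, 'fred', 'orange'));   // same password against the new hash
```

With a real database, the re-hash step becomes an UPDATE of the user's row.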


The protected page header

• Checks to see if $_SESSION['user'] has been defined:



… the page goes here! …


Tricks and traps

• What does “session_write_close();” do?
    - When we jump out of a page by writing a new header, session info may not get saved properly
    - Explicitly closing the session forces PHP to correctly save any changes to the session info
• Session info may be readable by others!
    - Depends how it’s stored
    - Depends how it’s transmitted
    - Can be forced to be secure (cookies, SSL)
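
One way to write the protected page header together with the "forced to be secure (cookies, SSL)" settings. This is an added example, not the code from the original slide. The idle timeout, the 'last_seen' key and the greeting line are assumptions; the file names are the ones the slides use.

```php
<?php
// protected.php: everything in this block runs before any output is sent.

// Keep the session id in a cookie only, never in the URL, and reject
// session ids the server did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,       // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from page JavaScript
    'samesite' => 'Lax',   // not sent on cross-site subrequests
]);
session_start();

// Not logged in: go back to the login form and stop, so nothing below is sent.
if (!isset($_SESSION['user'])) {
    header('Location: login.htm');
    session_write_close();
    exit();
}

// Idle timeout (assumed value: 15 minutes without a request ends the login).
$now = time();
if ($now - ($_SESSION['last_seen'] ?? $now) > 900) {
    $_SESSION = [];
    session_destroy();
    header('Location: login.htm');
    exit();
}
$_SESSION['last_seen'] = $now;
?>
<p>Logged in as <?= htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') ?></p>
```

The same ini_set() and session_set_cookie_params() calls have to precede session_start() in Login.php as well. There, calling session_regenerate_id(true) just before setting $_SESSION['user'] keeps a session id issued before login from carrying over into the logged-in session.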




Summary

We have discussed:

• What sessions consist of
• Some example software – forms and scripts
• The way the example code works
• Protecting a page against casual browsers
• Limitations on security
• See PHP session documentation: http://uk2.php.net/session
• http://www.devshed.com/c/a/PHP/Using-the-PHP-Crypt-Function/
