
Creating a $_SESSION handler to check user status

6 replies to this topic

#1
mikenco

Hi

Without going into the technical aspects of each 'if', can anyone help guide me to see if I am on the right path to creating an include file to start/stop sessions based upon a user's login status, when compared to an existing database of known users.

I hope to use this as an INCLUDE file at the head of ALL pages in which I wish to hide certain data IF the user is NOT logged in.

I have commented the code, which I hope will make what I am trying to do transparent.

Any input would be greatly appreciated.

Thanks,

Mike :)


<?php session_start();

// $layout is the top half of a div that will contain the login status bar
// (the closing tag is at the bottom of this include file).
$layout='
	<style type="text/css">
	body {
		font-family: Arial, Helvetica, sans-serif;
		margin:0px;
	}
	.loginbar {
		font-size: 12px;
		text-align: right;
		padding-top: 5px;
		padding-right: 25px;
		height: 35px;
		width: 100%;
		color: #fff;
		background-color: #404040;
	}
	</style>
	<div class="loginbar">';

if (isset($_GET['logout']) && $_GET['logout']=='yes'){ // Has the user clicked the log out link?

	// The session was already started at the top of this file, so just clear and destroy it.
	$_SESSION = array();
	session_destroy();

} else { // No, so carry on..

		if (!isset($_SESSION['lastname'])){ // Is a session already running?

			if(!empty($_POST['user']) && !empty($_POST['pass'])) {
				# READ $_POST and check $_POST['user'] && $_POST['pass'] against the database entries and get the respective 'FirstName' and 'LastName' of the user.
				# Set Session vars
			} else {
				echo $layout;
				# DISPLAY LOGIN FORM -> form will resend to this page
			}

		} else {
			echo $layout;
			// The names are read from the session vars set at login and escaped before output.
			echo "WELCOME ".htmlspecialchars($_SESSION['firstname'])." ".htmlspecialchars($_SESSION['lastname']);
			# display LOG OUT link. -> Link will send $_GET['logout']='yes' back to this page.
		}
}
?>
</div>


<?php /*
//////////////////////////////////////////////////////////////////////////////////////////////////////////
//In any pages that this inc file is used, I will attempt to block certain bits of information like this:

<?php if ($_SESSION["lastname"]){ ?>
<p style="color:#ff0000;">This is some text that you should only be able to read if you have logged in.</p>
<?php } ?>

//////////////////////////////////////////////////////////////////////////////////////////////////////////
*/
?>




#2
logicPwn

Hmm this code is really messy. You're on the right track though.

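<?php

session_start();

// Read the requested action, defaulting to '' when the parameter is absent.
$action = isset($_GET['action']) ? $_GET['action'] : '';

switch ($action) {
    case "login": {
            // Credential check goes here.
            break;
        }
    case "logout": {
            session_destroy();
            break;
        }
}

if (!empty($_SESSION['lastname'])) {
    // The user is logged in.
}
?>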

Cleaned it up a little. I didn't change any of the logic. The !empty() is the way I use to check also.

#3
Alexander


logicPwn said:

[...]
if (!empty($_SESSION['lastname'])) {
[...]
The !empty() is the way I use to check also.

!empty can cause unnecessary user error, you may wish to use isset() wrapped around or before, or use isset($possiblyexists[0]) to check for nonemptiness (1+ characters) in a safer manner in one call if need be.

mikenco said:

I hope to use this as an INCLUDE file at the head of ALL pages in which I wish to hide certain data IF the user is NOT logged in.

You can always check a session variable such as $_SESSION['userlevel']. If it does not exist you can redirect them to the login page, there is no need to display the login form in place if you must include it with every file. You can as well check for if(isset($_SESSION['userlevel']) && $_SESSION['userlevel'] == "admin") on an administration page. You'll have to find what works right, there are plenty of well written login pages in open sourced software. We even may have a few tutorials here.

You have done a great job of prototyping the structure so far.

Alexander.

Edited by Alexander, 04 February 2012 - 05:32 AM.
error -> user error

Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#4
logicPwn

empty($nonexistentornull) might throw a warning but does not stop the code. In the PHP documentation if it is null it will return true. So it does checking itself. Thus adding isset() will just add an unneeded call.

#5
Alexander

A programmer error may be considered it accepting "0" as empty, which may in fact be a user level as an enumeration or definition (which happens to map to integer 0,) or logged_in being false with offline settings in the session or what have you.

isset() will not attempt to replace validation, and can break the if branch as to prevent excessive code execution if the variable or index were to not exist.

Alexander.

#6
logicPwn

So looked at the PHP doc did we? Yes an integer of 0 returns empty. Back to subject though is that isset() is not the best function to call in this situation. Just my 2 cents. Every programmer is different.

#7
Chessur

The 0 will never return as an isset() because if true (1) it won't obviously return 0 (false). The thing with PHP is that it's dynamic and having empty() won't ever justify the use of isset(), which will always return either 0 or 1. I hope this helps.
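
Added example (not part of any post in this thread): a sketch of the include-file guard discussed above, with constructed sessions showing where !empty() and isset() disagree for a user level of 0. The function names, the integer level constants and the /login.php path are assumptions made for illustration.

```php
<?php
// Added example; names, level values and /login.php are illustrative assumptions.
const LEVEL_BASIC = 0;   // hypothetical enumeration in which 0 is a valid level
const LEVEL_ADMIN = 2;

// True when the session holds a logged-in user at or above $minLevel.
function is_authorized(array $session, int $minLevel = LEVEL_BASIC): bool
{
    // isset() keeps a stored level of 0; assumes the login code stored an int.
    if (!isset($session['userlevel']) || !is_int($session['userlevel'])) {
        return false;
    }
    return $session['userlevel'] >= $minLevel;
}

// Include-file guard: call at the top of every protected page.
function require_login(int $minLevel = LEVEL_BASIC): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_authorized($_SESSION, $minLevel)) {
        header('Location: /login.php');   // assumed login page path
        exit;                             // stop before protected markup is sent
    }
}

// Full logout: clear the data, expire the cookie, destroy the stored session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed sessions: compare the two checks and the admin gate.
$samples = [
    'no session'   => [],
    'level 0 user' => ['userlevel' => LEVEL_BASIC],
    'admin'        => ['userlevel' => LEVEL_ADMIN],
];
foreach ($samples as $label => $s) {
    printf("%-14s !empty=%d isset=%d admin=%d\n", $label, !empty($s['userlevel']),
        isset($s['userlevel']), is_authorized($s, LEVEL_ADMIN));
}
```

Run from the command line, the loop prints one row per constructed session; the guard and logout functions are only defined there and take effect when called from a page served over HTTP.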



