intro to php session control
brothercake
12-31-2002, 09:49 PM
Could someone please give me an introductory rundown on how to do user login session control in PHP?
duniyadnd
12-31-2002, 10:58 PM
Not strong in that subject either, so try this one link:
link (http://www.php.net/manual/en/ref.session.php)
It explains what sessions do, how to call it, etc. and gives a list and description of all the session functions available.
duniyadnd
brothercake
01-01-2003, 06:38 AM
yeah that's a good recommendation. thanks :thumbsup:
firepages
01-01-2003, 09:47 AM
the problem with sessions is that their behaviour has changed, and depending on your PHP configuration you need to access session variables differently.
i.e. with register_globals=Off it is suggested that you do not use session_register() etc, in earlier versions of PHP you had to call session_start() before using a session, then in later builds session_register() would implicitly call session_start() IF session_auto_start was enabled in the PHP configuration ;)
If register_globals is OFF then you don't need to use session_register() , simply doing this
$_SESSION['session_var']=$some_value;
will register and set your session variables
but if register_globals is ON on your host (and it probably still is) then you can use as below, note this should work either way.
........................
session.php is included wherever you want to use session variables or protect a page by using sessions
<?php /*session.php*/
//session_start() is not strictly required !//
session_start();
/*
register the session variables you want to use
all this does is register the session variables it does not give them a value
*/
session_register("USER_NAME");
session_register("USER_ID");
//you can 'protect' the page here as well i.e.//
//!empty() avoids a notice on pages that never set $need_auth//
if(!empty($need_auth)){
    if(!isset($_SESSION["USER_ID"])){
        header("location:login.php");
        die();
    }
}
?>
rough example login script to set session vars
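<?php
require 'session.php';
//connect to db etc//
$user=isset($_POST['user'])?trim($_POST['user']):'';
$pass=isset($_POST['password'])?trim($_POST['password']):'';
if($user && $pass){
    //escape the posted values before they go into the query//
    $user=mysql_real_escape_string($user);
    $pass=mysql_real_escape_string($pass);
    $r = mysql_query("SELECT id,user,pass FROM authDB WHERE user='$user' AND pass='$pass'")or die(mysql_error());
}else{
    /*empty login*/
    header("location:login.php?err=empty");
    die();//stop here, otherwise the script carries on without a query result//
}
if(mysql_num_rows($r)){
    $yaks = mysql_fetch_row($r);
    /*register & set session vars*/
    $_SESSION["USER_NAME"] = $yaks[1];
    $_SESSION["USER_ID"] = $yaks[0];
}else{
    /*redirect to login for failures*/
    header("location:login.php");
    die();
}
?>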
now when you want to use those session variables or even protect a page you include session.php at the head of your page
you can now access the session variables as eg
<?php
$need_auth=true;//if this is a protected page//
require 'session.php';
echo $_SESSION["USER_NAME"];
?>
mordred
01-01-2003, 03:37 PM
firepages makes a very good point about whether to use session_register() or $_SESSION. Since PHP 4.1, the manual states that you should *not* use session_register() if you use $_SESSION at the same time. As far as I understand this issue, it can lead to unpredictable results if you mix those two ways of session handling. It is surely best to stick to one of these methods depending on your PHP configuration. Personally, I'm quite fond of $_SESSION, because you can treat it like an ordinary array you have read/write access to. Just remember that you need session_start() in this case because $_SESSION does not, unlike session_register(), indirectly call session_start().
If you intend to store objects in a session, see that you include the class definition prior to reading that object from the session again.
Oh, and just one thing more: If you use header("location:" . $yourURL) to redirect the user away from a protected page, better call exit() directly after doing so. The redirect is simply a header sent to the user agent, and a malicious user could access your site with something other than an ordinary browser which performs the redirection. So if the self-made user agent decides not to follow redirects, he will see the output of the protected page anyway. If you exit() or die() from your script, he doesn't get anything.
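The points made above about $_SESSION, session_start() and stopping after a redirect, combined in an added example that is not part of the original thread. It goes beyond the posted script by using PDO bound parameters, password_hash()/password_verify() and session_regenerate_id(); the function names, the in-memory SQLite demo data and the pass column holding a hash are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.5+ with PDO and
// that authDB.pass holds a password_hash() value (an assumption).

// Guard for a protected page: redirect AND stop, so a client that
// ignores the Location header never receives the page body.
function require_login()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // $_SESSION is empty until this runs
    }
    if (!isset($_SESSION['USER_ID'])) {
        header('Location: login.php');
        exit;
    }
}

// Look the user up with a bound parameter, verify the hash, then fill
// the session. Returns true on success, false on any failure.
function attempt_login(PDO $db, $user, $pass)
{
    $stmt = $db->prepare('SELECT id, user, pass FROM authDB WHERE user = ?');
    $stmt->execute(array($user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return false;
    }
    session_regenerate_id(true);    // new session id once the user is known
    $_SESSION['USER_ID']   = $row['id'];
    $_SESSION['USER_NAME'] = $row['user'];
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authDB (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)');
$db->prepare('INSERT INTO authDB (user, pass) VALUES (?, ?)')
   ->execute(array("o'brien", password_hash('s3cret', PASSWORD_DEFAULT)));

session_start();                                  // before any output is sent
$bad  = attempt_login($db, "o'brien", 'wrong');   // wrong password
$good = attempt_login($db, "o'brien", 's3cret');  // correct password
require_login();                                  // passes once USER_ID is set
var_dump($bad, $good, $_SESSION['USER_NAME']);
```

On a real site the demo section is replaced by the login form handler, and each protected page calls require_login() before producing any output.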
brothercake
01-10-2003, 10:07 AM
... okay ...
Slightly confused, but that's only because I'm reading it in abstraction; I'm sure it will make sense once I try it.
thanks all for the info :thumbsup: