
PHP Session Variables

This lesson is part of an ongoing User Authentication tutorial. The first part is here: User Authentication along with all the files you need.

On all pages of your site that you want to secure, you need to check whether the user actually logged in. After all, what's to stop non-members from simply typing the address of the page into their browser? If you haven't set any checks, the page will load whether they are a member or not. To stop this, check the session variable that you set up on the login page. If you open the page called page1.php (in your scripts folder), you'll see this code at the top:

    <?php
    session_start();
    if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
        header("Location: login.php");
        exit;
    }
    ?>

This checks that the session variable called login is set and that it's not a blank string. If it isn't, the user is redirected to the login page.

In the script, you first start the session:

    session_start();

Next comes the If statement:

    if () {
        header("Location: login.php");
        exit;
    }

Between the round brackets of the If statement we have the NOT operator (!). This is followed by the inbuilt isset() function:

    if ( !(isset( )) ) { }

This says, "If NOT isset", or, "if the value of the isset function is false ...". If isset returns false, the condition as a whole is true, and the code between the curly brackets { } gets executed. That code, for us, is the redirection line. What we have between the round brackets of isset is this:

    $_SESSION['login']

That's just our session variable from the login page. If the user has logged in successfully, a value of 1 was stored inside this variable. But we also need to check the session variable for a blank string, so there is an AND part to the statement:

    && $_SESSION['login'] != ''

This says, "AND session login DOES NOT EQUAL a blank string". In other words, we check that the session variable has been set, and that it's not a blank string. If everything is OK, the user sees the HTML code below the PHP at the top. If it's not, they are sent somewhere else.

The exit after header() matters. A Location header only asks the browser to go somewhere else; PHP itself keeps running, so without exit the rest of the page (the protected HTML) is still sent in the same response. A browser follows the redirect, but anyone who ignores it, for example with curl, gets the protected content anyway.

You need to put this PHP code at the top of every page you want to protect, and it needs to go before any HTML code. You can't put it in the head section: by then output has already been sent to the browser, and header() will fail with a "headers already sent" error.
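The check above is easier to keep consistent if it lives in one include file that every protected page pulls in as its first line. The file below is an added example, not one of the tutorial's own scripts: it performs the same test as page1.php, adds the exit, and sets the session cookie flags before session_start(). The file name require_login.php and the assumption that the site is served over HTTPS (needed for the secure flag) are mine.

```php
<?php
// require_login.php: added example, not the tutorial's own file.
// Include this at the very top of every protected page, before any HTML.

// Cookie attributes must be set before session_start() creates the cookie.
// httponly keeps the session id away from JavaScript; secure keeps it off
// plain HTTP (assumes the site is served over HTTPS); samesite limits
// cross-site requests from carrying the cookie.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Same test as the tutorial's page1.php: the session value must exist and
// must not be an empty string. A strict comparison avoids PHP's loose
// equality rules.
if (!(isset($_SESSION['login']) && $_SESSION['login'] !== '')) {
    // A Location header alone does not stop the script. Without exit, the
    // HTML of the protected page would still be sent in this response.
    header('Location: login.php');
    exit;
}
```

A protected page then starts with `<?php require __DIR__ . '/require_login.php'; ?>` as its very first characters (no blank line or byte-order mark before the opening tag, or the header() call fails), followed by its normal HTML.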

In the next part, you'll see how to let your users log out.

Logins are not too complicated, but there are some specific pieces that almost all login processes need. First, make sure you enable the session on all pages that require knowledge of logged-in status by putting this at the beginning of those pages:

    session_start();

Next, when the user submits their username and password via the login form, you will typically check them by querying a database containing username and password information, such as MySQL. If the database returns a match, you can then set a session variable to record that fact. You might also want to include other information:

    if (match_found_in_database()) {
        $_SESSION['loggedin'] = true;
        $_SESSION['username'] = $username; // $username coming from the form, such as $_POST['username']
        // something like this is optional, of course
    }

Then, on the page that depends on logged-in status, put the following (don't forget the session_start()):

    if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
        echo "Welcome to the member's area, " . $_SESSION['username'] . "!";
    } else {
        echo "Please log in first to see this page.";
    }

Those are the basic components. If you need help with the SQL aspect, there are tutorials aplenty around the net.
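The snippet above leaves match_found_in_database() as a placeholder. The script below is an added example of that login step, not code from the tutorial: it replaces the database query with a constructed one-user table (the user alice and her password are invented for the example) so it runs stand-alone, verifies the submitted password against a stored password_hash() value, and regenerates the session id before setting the $_SESSION['loggedin'] flag the protected pages check. The redirect target page1.php follows the tutorial's file names.

```php
<?php
// login.php: added example of the login step, not the tutorial's own code.
session_start();

// Constructed stand-in for the database lookup. A real site would query
// MySQL for the row matching the submitted username; here the table is a
// single invented user whose password is "correct horse battery staple".
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => [
                'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $users[$username] ?? null;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST username and password to this script.');
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$user = find_user($username);

// Verify against a dummy hash when the username is unknown, so an unknown
// user and a wrong password take roughly the same time to reject.
$stored = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
$ok = password_verify($password, $stored) && $user !== null;

if ($ok) {
    // Replace the pre-login session id. Otherwise a session id planted in the
    // victim's browser before login (session fixation) becomes an
    // authenticated session the attacker already knows.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
    header('Location: page1.php');
    exit;
}

// Failed login: one generic message, so the response does not reveal
// whether the username or the password was the wrong part.
http_response_code(401);
echo 'Login failed. Please try again.';
```

The password_hash() call in find_user() stands in for the hash you would store in the database when the account is created; the login script itself never needs the plaintext password, only password_verify() against the stored hash.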
