search
HomeBackend DevelopmentPHP TutorialUsing PHP Session to Implement User Login Function_PHP Tutorial

Using PHP Session to Implement User Login Function_PHP Tutorial

Jul 21, 2016 pm 03:02 PM
cookiephpsessionsessionuseFunctionexiststorageaccomplishrightyesserveruserLogin

Compared with Cookie, Session is a session stored on the server side, which is relatively safe and does not have storage length limit like Cookie. This article briefly introduces the use of Session.

Since the Session is stored on the server side in the form of a text file, there is no fear of the client modifying the Session content. In fact, in the Session file on the server side, PHP automatically modifies the permissions of the Session file, retaining only system read and write permissions, and cannot be modified through ftp, so it is much safer.

For cookies, assuming we want to verify whether the user is logged in, we must save the username and password (possibly an md5 encrypted string) in the cookie and verify it every time the page is requested. If the username and password are stored in the database, a database query must be executed every time, causing unnecessary burden on the database. Because we can't do just one verification. Why? Because the information in the client cookie may be modified. If you store the $admin variable to indicate whether the user is logged in, when $admin is true, it means logged in, and when it is false, it means not logged in. After passing the verification for the first time, store $admin equal to true in the cookie, and there will be no need to verify next time. Yes, is this right? Wrong, if someone forges a $admin variable with a value of true, doesn't that mean he or she will immediately gain administrative rights? Very unsafe.

The Session is different. The Session is stored on the server side. Remote users cannot modify the contents of the Session file. Therefore, we can simply store a $admin variable to determine whether to log in. Set $admin after the first verification is passed. If the value is true, then determine whether the value is true. If not, go to the login interface, which can reduce a lot of database operations. And it can reduce the insecurity of passing the password every time to verify the cookie (Session verification only needs to be passed once, if you do not use the SSL security protocol). Even if the password is md5 encrypted, it can be easily intercepted.

Of course there are many advantages to using Session, such as easy control and user-defined storage (stored in the database). I won’t say much more here.

Does Session need to be set in php.ini? Generally not needed, because not everyone has the permission to modify php.ini. The default storage path of Session is the system temporary folder of the server. We can customize it and store it in our own folder. I will introduce this later. .

Start introducing how to create a Session. Very simple, really.
Start a Session and create a $admin variable:

Copy the code The code is as follows:

// Start Session
session_start();
// Declare a variable named admin and assign a null value.
$_SESSION["admin"] = null;
?>

If you use Seesion, or the PHP file wants to call the Session variable, you must do it before calling the Session To start it, use the session_start() function. You don’t need to set anything else, PHP automatically completes the creation of the Session file.
After executing this program, we can go to the system temporary folder to find the Session file. Generally, the file name is in the form: sess_4c83638b3b0dbf65583181c2f89168ec, followed by a 32-bit encoded random string. Open it with an editor and take a look at its contents:
Copy the code The code is as follows:

admin|N;

Generally the content has this structure:
Copy code The code is as follows:

Variable name | type:length:value;

and separate each variable with a semicolon. Some can be omitted, such as length and type.
Let’s take a look at the verification program, assuming that the database stores the username and md5 encrypted password:
login.php
Copy code Code As follows:

// After the form is submitted...
$posts = $_POST;
// Clear some whitespace symbols
foreach ($ posts as $key => $value) {
$posts[$key] = trim($value);
}
$password = md5($posts["password"]);
$username = $posts["username"];
$query = "SELECT `username` FROM `user` WHERE `password` = '$password' AND `username` = '$username'";
// Get query results
$userInfo = $DB->getRow($query);
if (!empty($userInfo)) {
// When the verification is passed, start Session
session_start();
// Register the admin variable for successful login and assign the value true
$_SESSION["admin"] = true;
} else {
die("Username and password are incorrect") ;
}
?>

We start the Session on the page that requires user verification to determine whether to log in:
Copy the code The code is as follows:

< ;?php
// Prevent global variables from causing security risks
$admin = false;
// Start the session, this step is essential
session_start();
// Determine whether to log in
if (isset($_SESSION["admin"]) && $_SESSION["admin"] === true) {
echo "You have logged in successfully";
} else {
/ / Verification failed, set $_SESSION["admin"] to false
$_SESSION["admin"] = false;
die("You do not have permission to access");
}
?> ;

Isn’t it very simple? Just think of $_SESSION as an array stored on the server side. Each variable we register is the key of the array, which is no different from using an array.
What should I do if I want to log out of the system? Just destroy the Session.
Copy code The code is as follows:

session_start();
// This kind The method is to destroy a previously registered variable
unset($_SESSION['admin']);
// This method is to destroy the entire Session file
session_destroy();
?>

Can Session set the life cycle like Cookie? Does having Session completely abandon Cookie? I would say that using Session in combination with Cookie is the most convenient.

How does Session determine the client user? It is judged by the Session ID. What is the Session ID is the file name of the Session file. The Session ID is randomly generated, so it can ensure uniqueness and randomness and ensure the security of the Session. Generally, if the Session life cycle is not set, the Session ID is stored in the memory. After closing the browser, the ID is automatically logged out. After re-requesting the page, a new Session ID is registered.

If the client does not disable cookies, the cookie plays the role of storing the Session ID and Session lifetime when starting the Session session.
Let’s manually set the lifetime of the Session:
Copy the code The code is as follows:

session_start();
// Save for one day
$lifeTime = 24 * 3600;
setcookie(session_name(), session_id(), time() + $lifeTime, "/ ");
?>

In fact, Session also provides a function session_set_cookie_params(); to set the lifetime of Session. This function must be called before the session_start() function is called:
Copy code The code is as follows:

// Save for one day
$lifeTime = 24 * 3600;
session_set_cookie_params($lifeTime);
session_start();
$_SESSION["admin"] = true;
?>

If the client uses In IE 6.0, there are some problems with the session_set_cookie_params(); function setting cookies, so we still call the setcookie function manually to create cookies.

What if the client disables cookies? There is no way, the entire life cycle is the browser process. As long as you close the browser and request the page again, you have to re-register the Session. So how do you pass the Session ID? Passed through the URL or through a hidden form, PHP will automatically send the Session ID to the URL. The URL is in the form: http://www.openphp.cn/index.php?PHPSESSID= bba5b2a240a77e5b44cfa01d49cf9669, where the parameter PHPSESSID in the URL is the Session. ID, we can use $_GET to obtain the value, thereby transferring the Session ID between pages.
Copy code The code is as follows:

// Save for one day
$lifeTime = 24 * 3600;
// Get the current Session name, the default is PHPSESSID
$sessionName = session_name();
// Get the Session ID
$sessionID = $_GET[$sessionName];
// Use session_id() to set the obtained Session ID
session_id($sessionID);
session_set_cookie_params($lifeTime);
session_start();
$_SESSION['admin'] = true;
?>

For virtual hosts, if all users’ Sessions are saved in the system temporary folder, it will make maintenance difficult and reduce security. We can set it manually Session file saving path, session_save_path() provides such a function. We can point the Session storage directory to a folder that cannot be accessed through the Web. Of course, the folder must have read-write attributes.
Copy code The code is as follows:

//Set a storage directory
$savePath = './session_save_dir/';
// Save for one day
$lifeTime = 24 * 3600;
session_save_path($savePath);
session_set_cookie_params($lifeTime);
session_start();
$_SESSION['admin'] = true;
?>

Same as the session_set_cookie_params(); function, the session_save_path() function must also be called before the session_start() function is called.
We can also store arrays and objects in Session. There is no difference between operating an array and operating a general variable. When saving an object, PHP will automatically serialize the object (also called serialization) and then save it in the Session. The following example illustrates this:
person.php
Copy the code The code is as follows:

class person {
var $age;
function output() {
echo $this->age;
}
function setAge($age) {
$this->age = $age;
}
}
?>

setage.php
Copy code The code is as follows:

session_start();
require_once 'person.php';
$person = new person();
$person->setAge(21);
$_SESSION['person'] = $person;
echo 'check here to output age';
?>

output.php
Copy code The code is as follows:

// Set the callback function to ensure that the object is rebuilt.
ini_set('unserialize_callback_func', 'mycallback');
function mycallback($classname) {
include_once $classname . '.php';
}
session_start();
$person = $_SESSION['person'];
// Output 21
$person->output();
?>

When we execute setup. php file, the setage() method is called, the age is set to 21, and the status is serialized and saved in the Session (PHP will automatically complete this conversion). When going to output.php, output this value, the object just saved must be deserialized, and because an undefined class needs to be instantiated during deserialization, we define a callback function later to automatically include the person.php class file, so the object is reconstructed , and obtain the current age value of 21, and then call the output() method to output the value.
In addition, we can also use the session_set_save_handler function to customize the calling method of Session.

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/327932.htmlTechArticleCompared with Cookie, Session is a session stored on the server side, which is relatively safe and does not have a storage length limit like Cookie. , this article briefly introduces the use of Session. Thanks to Sessi...
Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
How can you check if a PHP session has already started?How can you check if a PHP session has already started?Apr 30, 2025 am 12:20 AM

In PHP, you can use session_status() or session_id() to check whether the session has started. 1) Use the session_status() function. If PHP_SESSION_ACTIVE is returned, the session has been started. 2) Use the session_id() function, if a non-empty string is returned, the session has been started. Both methods can effectively check the session state, and choosing which method to use depends on the PHP version and personal preferences.

Describe a scenario where using sessions is essential in a web application.Describe a scenario where using sessions is essential in a web application.Apr 30, 2025 am 12:16 AM

Sessionsarevitalinwebapplications,especiallyfore-commerceplatforms.Theymaintainuserdataacrossrequests,crucialforshoppingcarts,authentication,andpersonalization.InFlask,sessionscanbeimplementedusingsimplecodetomanageuserloginsanddatapersistence.

How can you manage concurrent session access in PHP?How can you manage concurrent session access in PHP?Apr 30, 2025 am 12:11 AM

Managing concurrent session access in PHP can be done by the following methods: 1. Use the database to store session data, 2. Use Redis or Memcached, 3. Implement a session locking strategy. These methods help ensure data consistency and improve concurrency performance.

What are the limitations of using PHP sessions?What are the limitations of using PHP sessions?Apr 30, 2025 am 12:04 AM

PHPsessionshaveseverallimitations:1)Storageconstraintscanleadtoperformanceissues;2)Securityvulnerabilitieslikesessionfixationattacksexist;3)Scalabilityischallengingduetoserver-specificstorage;4)Sessionexpirationmanagementcanbeproblematic;5)Datapersis

Explain how load balancing affects session management and how to address it.Explain how load balancing affects session management and how to address it.Apr 29, 2025 am 12:42 AM

Load balancing affects session management, but can be resolved with session replication, session stickiness, and centralized session storage. 1. Session Replication Copy session data between servers. 2. Session stickiness directs user requests to the same server. 3. Centralized session storage uses independent servers such as Redis to store session data to ensure data sharing.

Explain the concept of session locking.Explain the concept of session locking.Apr 29, 2025 am 12:39 AM

Sessionlockingisatechniqueusedtoensureauser'ssessionremainsexclusivetooneuseratatime.Itiscrucialforpreventingdatacorruptionandsecuritybreachesinmulti-userapplications.Sessionlockingisimplementedusingserver-sidelockingmechanisms,suchasReentrantLockinJ

Are there any alternatives to PHP sessions?Are there any alternatives to PHP sessions?Apr 29, 2025 am 12:36 AM

Alternatives to PHP sessions include Cookies, Token-based Authentication, Database-based Sessions, and Redis/Memcached. 1.Cookies manage sessions by storing data on the client, which is simple but low in security. 2.Token-based Authentication uses tokens to verify users, which is highly secure but requires additional logic. 3.Database-basedSessions stores data in the database, which has good scalability but may affect performance. 4. Redis/Memcached uses distributed cache to improve performance and scalability, but requires additional matching

Define the term 'session hijacking' in the context of PHP.Define the term 'session hijacking' in the context of PHP.Apr 29, 2025 am 12:33 AM

Sessionhijacking refers to an attacker impersonating a user by obtaining the user's sessionID. Prevention methods include: 1) encrypting communication using HTTPS; 2) verifying the source of the sessionID; 3) using a secure sessionID generation algorithm; 4) regularly updating the sessionID.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

DVWA

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

VSCode Windows 64-bit Download

VSCode Windows 64-bit Download

A free and powerful IDE editor launched by Microsoft

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

mPDF

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),