Simple Sessions Tutorial

Normally, a visit to a web page is static; that is, the Surfer requests a specific page by entering a URI in his browser. The request is sent to the server where the domain name is hosted, and the server responds by sending the requested page back to the Surfer.  Internally, the server may register statistics on the request to be displayed at a later date within the "Statistics Package"; but the server does not record keep any active data about who requested the page, what data and variables the page contained or any other useful data.  This is where a session comes in.

A session sets up the server so that a particular user keeps his data separated from other users data and the variables on one page can pass through to another page.  This is how shopping carts and similar pages work; as the Surfer goes from page to page, special variables are stored in a temporary location on the server and can be used on other pages as the Surfer surfs your web.

This tutorial is not meant to explain all of the terms, rather it is designed to illustrate the nuts and bolts of securing web pages by requiring a session be established.  Thus, if a Surfer goes to a specific page set with this security, they will be required to log into the system, if they fail the login they will not be able to view the contents of the page. 

You might say that .htaccess can do this for me, why bother? The answer is that .htaccess simply restricts the entire contents of a folder and sub-folders to a specific user.  A session can allow a user to go to different folders within the web and, can pass data from one page to another.  So let's get started:

What you need, and what we will use:

• MySQL database (or similar)
• PHP 4 or higher with Session Support Enabled

First create a table called "admin_users" in your database with the following fields:
NOTE: BE CAREFUL NOT TO NAME EITHER OF THESE VARIABLES THE SAME AS USED TO TCONNECT TO THE DATABASE.

• username varchar(25)
• userpassword  varchar(25)

Now add as many name/password combos you want to this table (i.e. populate it), Note: You could use a web based "Admin Tool" which allows your customers to manage the passwords like those found at Real Estate Web Admin or just populate it manually, either way make sure you have at least one username with an associated password.  That finishes up the database part of this tutorial.

I like to do things in modules, so I will create 4 small web pages and include them where necessary. I could have created a fifth page for the DB connection and included it, but chose not to for this example because it only needs to connect to the DB when testing to see if the un/pw combo is valid.

Create a php page and name it validate.php.  Here is the code for it:
<?php
session_start();
echo $_SESSION['valid'];
if ($_SESSION['valid']!='true') {
header("Location: http://yourdomain.com/login.php");
}
?>

Things to note in the code:

• session_start();  -- This should come at the beginning of each page you need to have protected.
• The next line tests to see if the variable$_SESSION[ 'valid'] is NOT SET.  (note the use of the Session variable)
• This is the key part of the validation page, if it is not valid, then the header redirects the Surfer to the login.php page

Now create the second file and call it login.php.  Here is the code for it:

<?php
session_start();
?>
<form action="testit.php" method="post">
Name: <input type="text" name="name">
Password: <input type="password" name="password">
<input type="submit" name="submit">
</form>

Short and sweet, my intent was to just display the nuts and bolts.  If you want to add pictures and other stuff, go for it.  Things to note in this code segment:

• session_start();  Again, this is the first thing on the page and is there just from habit.  Actually, this page does not need any php, nor does it need the php extension.  Using .html would be fine if you strip out the php code; and, remember to change your code in the page validate.php.
• The next chunk is a normal HTML form asking for a username and password (the only two fields used in our database).
• The action will send the name and password to testit.php

Let's now look at testit.php and see what happens when the username and password are sent over to it, here is the code:

<?php
session_start();
$name=$_POST["name"];
$password=$_POST["password"];
mysql_connect( 'your-db', 'username', 'password' ) or die ( 'Unable to connect to server.' );
mysql_select_db( 'db-name' ) or die ( 'Unable to select database.' );
$sql = "Select * From session Where name = '$name' and password = '$password'";
$result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
$num = mysql_numrows( $result );
if ( $num != 0 ) {
$_SESSION["valid"] = true;
echo "<meta http-equiv='refresh' content='0;URL=index.php'>";
} else {
echo "no go";
echo"<meta http-equiv='refresh' content='5;URL=index.php'>";
}
?>

This is the largest of the 4 files, yet it is still very small.  It could be a couple lines smaller if you wanted to include a connection file instead of writing in the mysql connection stuff.  Normally, I do it that way, but then I would have had to use 5 files instead of 4 (*shrug).  Things to note in this segment:

• Once again session_start(); begins the code.
• The next 2 lines connect you to your MySQL server.
• The next 2 lines grab all the data from the table "users" that match the username and password the Surfer supplied on the login.php page.
• $num is set to reflect the number of rows found in the MySQL search.
• If it is NOT zero, that is if the Select statement found a match, then create a session variable and set it to true. (next step)
• $_SESSION["valid"]=true;  This line stores the variable $valid with it's value of "true" into a temporary memory area known as the SID (Session IDentification).
• Notice the use of the HTML meta refresh which takes the Surfer to index.php, this could be any file you want them to go to; in fact, if you wanted to get fancy, you could have passed the URL from the page that called validate.php at the beginning and passed that value through the other pages.  That would be a different tutorial, this one I want to keep short and sweet.
• If the MySQL search did not find a match, the else part runs.
• For simplicity I have the page display no go, then after a wait of 5 seconds go to the index.php page.  The pause of 5 seconds comes immediately after the content='  part in the Meta tag.  Notice the first time it was used, the pause was zero seconds.
• You could get fancy here also and after a few failures grab the Surfer's IP address and maybe block them from accessing the page.

So now you see how to add a variable to your session; simply assign a value to a variable as you normally do in PHP, then register it with this:
session_register("somevariable");

Now we will put the whole thing together by creating a new page, call it index.php (or whatever the default page name your server requires).  This page will be the starting template for any page you want to use in your session.  Here is the code:

<?php
session_start();
include("validate.php");
?>
<p>The body of your page goes here</p>

Again, this code should appear at the beginning of any page you use, before any HTML code is sent to the page. Things to note in this segment:

• session_start();  Once again, this is necessary on any page that uses a session.
• The next line calles the file validate.php which is where we started.  It "validates" the session and if successful the Surfer goes to the HTML at the bottom of the code.

Short, sweet and to the point.  Using the last segment of code at the beginning of any page within your "Session" will require the user to have permissions to view the contents of that page.