#native_company# #native_desc#

Best practices: Sessions Page 2

By Paul Booker
on August 19, 2002

To gain access to this secure internet website a user has to supply a username and password in a form
this then results in a php block being executed when the script actions itself :


 if(isset($_POST['submit']) ) {     // true if form has been submitted



connect_database("secure_online");    // obtain access to database   

    $SQL=" SELECT security_id FROM security


            WHERE username='$username' AND password= '$password' "


              $security = @mysql_query($SQL);

                 if ( mysql_num_rows($security) ) {

                     $row mysql_fetch_array($security);  

                         $security_id $row['security_id'];

                               $sess_security_id $security_id ;                     


                                      header("location: entry_page.php") ;


         // authorisation not successful show form again....                        





<form action = "<? echo $PHP_SELF;?>" method="post">

     ... rest of the form to collect username,password and submit button

<type="hidden" name="submit" value=1>



All other pages on this secure internet website then can check to see that authentication has
occured by checking if the primary key $sess_security_id has been registered to the session :


if( !session_is_registered('sess_security_id') ) {

            // the security_id key is registered with the session

            // on authorisation 

      header("location: index.html ");     // send to authentication page ..



A nice feature here is that nothing sensitive is registered to the session and the value stored
has the potential of reconstructing any security information the subsequent scripts might demand such
as checking access level privileges (U,X or P) ….


=" SELECT access_level FROM security 


           WHERE security_id='$sess_security_id'  "

  $security  mysql_query($SQL);

      $row mysql_fetch_array($security);  

          $access_level $row['access_level'];

             if($access_level == 'U') {

                     // content sutiable for access level U

} ..