
Implementing User Authentication and Session Management with PHP Page 2

By W. Jason Gilmore
on May 17, 2011

Adding Session Tracking

The login mechanism above works; however, by the time the user is redirected to the home page, the website has forgotten all about the successful authentication. This is because HTTP is a stateless protocol: a request carries no knowledge of what happened previously nor of what is about to happen. As a workaround, developers have devised a solution known as session management, which can track a user's activity as he navigates from one page to the next. PHP handles this capability particularly well. Therefore, let's revise the relevant part of the login.php script to use PHP's session handling feature to start a new session and then assign the user's username to a session variable. The lines added to the revised part of the login script are marked with an "Added" comment:

if ($stmt->num_rows == 1) {

  // Bind the returned user ID to the $id variable
  $stmt->bind_result($id);
  $stmt->fetch();

  // Update the account's last_login column
  $stmt = $db->prepare("UPDATE accounts SET last_login = NOW() WHERE id = ?");
  $stmt->bind_param('i', $id); // 'i' = integer; the ID is not a double ('d')
  $stmt->execute();

  // Added: start the session and store the username in it
  session_start();
  $_SESSION['username'] = $username;

  // Redirect the user to the home page, then stop executing this script
  header('Location: http://www.example.com');
  exit;
}

All that remains is to create the home page. The following code determines whether a session variable named username already exists, and if so provides a customized welcome message. If the variable doesn't exist, a registration and login link is provided:

<?php session_start(); ?>

<?php if (isset($_SESSION['username'])) { ?>
  <?php // Escape the username on output so markup stored in it cannot run as script ?>
  <p>Welcome back, <?= htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?>!</p>
<?php } else { ?>

  <a href="register.php">Create an account</a> | 
  <a href="login.html">Login to your account</a>

<?php } ?>


Obviously, this solution could use a bit of additional work, notably in terms of validating the login form and properly informing the user should the login attempt fail. However, a pretty slick Ajax-driven validation feature could be added to the process in order to perform the validation in real time without ever leaving the login page. Additionally, a logout feature should be added, preferably one which integrates with the login feature in order to either leave the user logged in for a significant period of time or automatically log the user off as soon as the browser window closes. Either way, the material provided in this tutorial should be enough to help you get started exploring these powerful features!
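
One way to build the logout feature and the two session lifetimes mentioned above is sketched below. This is an added example, not code from the original tutorial; the function names start_secure_session(), log_in() and log_out() are hypothetical, and it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example (not from the tutorial); function names are hypothetical.

// Start the session with hardened cookie settings.
// $persistSeconds = 0 gives a cookie that is dropped when the browser closes;
// a positive value keeps the user logged in for that many seconds.
function start_secure_session(int $persistSeconds = 0): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    if ($persistSeconds > 0) {
        // Keep server-side session data at least as long as the cookie
        ini_set('session.gc_maxlifetime', (string) $persistSeconds);
    }
    session_set_cookie_params([
        'lifetime' => $persistSeconds,
        'path'     => '/',
        'secure'   => true,   // assumption: HTTPS only
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the credentials check in login.php has succeeded.
function log_in(string $username): void
{
    session_regenerate_id(true); // fresh ID at login prevents session fixation
    $_SESSION['username'] = $username;
}

// Body of a logout page; call start_secure_session() first so the session is open.
function log_out(): void
{
    $_SESSION = [];                       // clear the session data
    if (ini_get('session.use_cookies')) { // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                    // remove the server-side session
}
```

With these helpers, login.php would call start_secure_session() with either 0 or a lifetime in seconds and then log_in($username), while the home page calls start_secure_session() in place of a bare session_start().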

About the Author

Jason Gilmore is founder of the publishing, training, and consulting firm WJGilmore.com. He is the author of several popular books, including “Easy PHP Websites with the Zend Framework”, “Easy PayPal with PHP”, and “Beginning PHP and MySQL, Fourth Edition”. Follow him on Twitter at @wjgilmore.