
I am building a website that allows users to sign in. I currently have the register & login set up using jQuery -> PHP (on the server) -> DB and back, but now I am at a loss on how to handle things once the user logs in.

For example, if I wanted to call up a user's data on the member's page, how should I verify that the user is the authentic user? Should I save the id and password as variables/cookies (is that even safe?) and use that to get the user's info on the member's page? Or is there a better way to handle the user's data more securely?

I tried looking all over the place, but I couldn't find anywhere the architecture was explained well, so I'm turning to SO for help!

Thanks in advance!

nick.jw.park
  • No, no, don't store credentials in cookies, and never ever in the URL. Someone might post a good answer; there is a session variable you generate and check each time with cookies. And don't store passwords in plain text either. Also **read this:** [link](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication/) – Abhinav Gauniyal May 09 '15 at 13:53
  • @AbhinavGauniyal thanks for a very helpful link! However, unfortunately I'm still at a loss on how to handle the user's data :( – nick.jw.park May 09 '15 at 14:12
  • Are you aware of PHP sessions? Next, can you generate a random hash with PHP? Next, can you set and delete cookies with PHP? You'll need to answer those before moving forward. – Abhinav Gauniyal May 09 '15 at 14:13
  • @AbhinavGauniyal no, I am not aware of PHP sessions; yes, I can generate a random hash with PHP (using it for passwords); and no, I've never set/deleted cookies with PHP, but I believe that should be easy to tackle. Would PHP sessions be the starting point? – nick.jw.park May 09 '15 at 14:16
  • Yes. Read these: http://php.net/manual/en/book.session.php , http://php.net/manual/en/features.cookies.php , http://php.net/manual/en/faq.passwords.php . Also, if you aren't learning stuff and want to quickly deploy something, then use Laravel, Slim, Lumen or other frameworks. They'll save you these kinds of trouble and are tried and tested. – Abhinav Gauniyal May 09 '15 at 14:18
  • @AbhinavGauniyal haha, I would rather learn it; all the frameworks are kind of preventing me from learning the basics! PHP sessions seem to be the right direction! Thanks for the help! – nick.jw.park May 09 '15 at 14:23
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/77395/discussion-between-abhinav-gauniyal-and-apps4fun). – Abhinav Gauniyal May 09 '15 at 14:24

2 Answers


Abhinav pointed me in the right direction, but just in case someone else stumbles across the same problem, the correct starting place is the PHP session.

http://www.formget.com/login-form-in-php/ - an excellent tutorial on PHP login with sessions.

nick.jw.park

You should check the login status on every page.

During login, save the user id in a session variable and use another one simply as a flag, namely:

$_SESSION['user_id'] = 24;           // user id in the db ($_SESSION is case-sensitive)
$_SESSION['is_user_logged_in'] = 1;  // set a flag

Check the value of the second session variable on every page:

session_start();
if (!isset($_SESSION['is_user_logged_in']) || $_SESSION['is_user_logged_in'] != 1) {
    header('Location: login.php');
    exit; // stop here, otherwise the rest of the protected page is still sent
}

I suggest you write this code in a separate file (login_check.php) and include it in every file:

include 'login_check.php';

Following this procedure will let you get the login status and the id of the currently logged-in user wherever you want.

And on the logout page you have to destroy all your session values by using:

session_start();    // the session must be active before it can be destroyed
session_destroy();
rahul
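Putting the pieces of this thread together, here is an added example; it is not code from the question or from either answer. It assumes PHP 7.3 or newer, a PDO connection `$pdo`, and a `users` table with `id`, `username` and `password_hash` columns (the table, column and file names are all assumptions for illustration). It shows the login handler storing only the user id in `$_SESSION` (never the password, and nothing in a cookie but the session id), the per-page check with a redirect that actually stops the script, the member's page fetching the user's data from the id in the session, and a logout that also expires the session cookie in the browser.

```php
<?php
// Added example, not code from the question or either answer. A minimal
// session-based login flow for the pattern described above. Assumptions for
// illustration: PHP 7.3+, a PDO connection $pdo, and a table `users` with
// columns id, username, password_hash (produced by password_hash()).
declare(strict_types=1);

// Start the session with hardened cookie settings. Call before any output.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // cookie expires when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    session_start();
}

// login.php (POST handler): check the credentials and record only the user id
// in the session. The password itself is never kept anywhere after this call.
function login_user(PDO $pdo, string $username, string $password): bool
{
    start_secure_session();
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist so a failed
    // login takes about the same time whether or not the username is valid.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $row ? $row['password_hash'] : $dummyHash;
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }

    session_regenerate_id(true);            // fresh ID: defeats session fixation
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['logged_in'] = true;
    return true;
}

// login_check.php: include at the top of every protected page. Returns the
// logged-in user's id, or redirects to the login form and stops the script.
function require_login(): int
{
    start_secure_session();
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit; // without exit, the protected page body would still be sent
    }
    return (int) $_SESSION['user_id'];
}

// members.php: load the current user's record from the id in the session.
// Nothing identifying the user is trusted from the client except the session cookie.
function current_user(PDO $pdo): array
{
    $userId = require_login();
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {          // account deleted while the session was alive
        logout_user();
        header('Location: /login.php');
        exit;
    }
    return $user;
}

// logout.php: wipe the server-side data, expire the cookie, destroy the session.
function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
        $p['secure'], $p['httponly']);
    session_destroy();
}
```

A member's page would then do `require 'login_check.php'; $user = current_user($pdo);` and render `$user['username']`, so the only thing the browser ever holds is the opaque session id; the id-to-user mapping lives server-side and the password hash is only ever compared during login.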