Managing Users with PHP Sessions and MySQL

Part Two: Controlling Access

The next step is to build the site itself. Prompting the user for a username and password and matching the entered values against an entry in the MySQL database are fairly straightforward to implement; the major challenge in the second half of this article is doing it in such a way that the user need only log in once during any particular visit to the site. As I shall show, PHP's built-in support for sessions is an excellent means to this end.

PHP Sessions

If you've never used the support for sessions that was added to PHP in version 4.0, you might be a little fuzzy on the question of what sessions actually are. Despite the complicated-sounding name, sessions are really just an easy method for creating variables that stick around for the duration of a user's stay at your site. Unless configured otherwise, a PHP session works by automatically setting a cookie in the user's browser containing a session ID, which is a long string of letters and numbers that serves to uniquely identify that user on your site for the duration of the visit. The browser then sends that cookie along with every request for a page from your site so that PHP can use it to identify which of potentially many sessions-in-progress the request belongs to. Using a set of temporary files stored on the Web server, PHP keeps track of the variables that have been registered in each session and their values.

Before you can go ahead and use the spiffy session-management features in PHP, you need to ensure that the relevant section of your php.ini file has been set up properly. If you're using a server belonging to your Web host, it's probably safe to assume this has been done for you. Otherwise, open your php.ini file in a text editor and look for the section marked [Session]. Beneath it, you'll find twenty-some options beginning with the word session. Most of them are just fine if left as-is, but here are a few crucial ones you'll want to check:

session.save_handler  = files
session.save_path     = "C:\WINDOWS\TEMP"
session.use_cookies   = 1

session.save_path tells PHP where to create the temporary files used to track sessions. It must be set to a directory that exists on the system, or you'll get ugly error messages when you try to create a session on one of your pages. Under Unix, /tmp is a popular choice. In Windows, you could use C:\WINDOWS\TEMP, or some other directory if you prefer (I use D:\PHP\SESSIONS). With these adjustments made, restart your Web server software to allow changes to take effect.

You're now ready to start working with PHP sessions. Before jumping into the access control script, let's quickly look at the most common session management functions in PHP. To tell PHP to look for a session ID, or to start a new session if none is found, you simply call session_start. If an existing session ID is found when this function is called, PHP restores the variables belonging to the session.

session_start();

To tell PHP that you want a particular variable to be stored in the current session so that it is available to other scripts run in the same session, simply set a variable in the $_SESSION array. For example, the following will store the variable called $_SESSION['pwd'] in the current session:

$_SESSION['pwd'] = $value;

To remove a variable from the current session, you just use PHP's unset function:

unset($_SESSION['pwd']);

Finally, should you want to end the current session, deleting all registered variables in the process, you can empty the $_SESSION array and then use session_destroy:

$_SESSION = array();
session_destroy();
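
The four calls above combined into one login/logout flow, as an added example that is not part of the original article; it assumes PHP 7.3 or later and an HTTPS site, and the function names and the 'uid' key are hypothetical. It also sets the session cookie's flags, issues a new session ID at login, and expires the cookie at logout, which session_destroy() alone does not do.

```php
<?php
// Added example (PHP 7.3+). Function names and the 'uid' key are hypothetical.

function start_session(): void
{
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server never issued
    session_set_cookie_params([              // must run before session_start()
        'lifetime' => 0,                     // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,                  // assumption: site is served over HTTPS
        'httponly' => true,                  // hide the ID from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $uid): void
{
    session_regenerate_id(true); // fresh ID at login; the old session file is deleted
    $_SESSION['uid'] = $uid;     // this sketch stores an identifier, not the password
}

function is_logged_in(): bool
{
    return isset($_SESSION['uid']);
}

function log_out(): void
{
    $_SESSION = array();
    // session_destroy() clears the server-side data only; expire the cookie too.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

start_session();
log_in('alice');                 // constructed user; verify credentials first
$during = is_logged_in() ? 'logged in' : 'anonymous';
log_out();
$after = is_logged_in() ? 'logged in' : 'anonymous';
printf("during: %s, after: %s\n", $during, $after);
```

All header-related calls (session_start, setcookie) run before any output is sent, which is why the result is printed only at the end.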

For more detailed information on these and the other session-management functions in PHP, see the relevant section of the PHP Manual: Session handling functions.
