Chapter 20 Using Session Control in PHP

The example consists of three simple scripts. The first, authmain.php, provides a login form and authentication for members of our Web site. The second, members_only.php, displays information only to members who have logged in successfully. The third, logout.php, logs out a member.

To understand how this works, look at Figure 20.4. This is the initial page displayed by authmain.php.

Figure 20.4 Because the user has not yet logged in, show her a login page.

This page gives the user a place to log in. If she attempts to access the Members section without logging in first, she will get the message shown in Figure 20.5.

Figure 20.5 Users who haven’t logged in can’t see the site content; they will be shown this message instead.

25 525x ch20 1/24/03 2:57 PM Page 422

Implementing Authentication with Session Control

However, if the user logs in first (with username testuser and password test123, as set up in Chapter 14) and then attempts to see the Members page, she will get the output shown in Figure 20.6.

Figure 20.6 After the user has logged in, she can access the Members’ areas.

Let’s look at the code for this application. Most of the code is in authmain.php. This script can be seen in Listing 20.4. We will go through it bit by bit.

Listing 20.4 authmain.php—The Main Part of the Authentication Application

    <?php
      session_start();

      if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password']))
      {
        // if the user has just tried to log in
        $userid = $HTTP_POST_VARS['userid'];
        $password = $HTTP_POST_VARS['password'];

        $db_conn = mysql_connect('localhost', 'webauth', 'webauth');
        mysql_select_db('auth', $db_conn);

        // the submitted userid and password are concatenated straight into
        // the SQL text; the password is compared using MySQL's PASSWORD()
        $query = 'select * from auth '
                 ."where name='$userid' "
                 ." and pass=password('$password')";
        $result = mysql_query($query, $db_conn);

        if (mysql_num_rows($result) > 0)
        {
          // if they are in the database, register the user id
          $HTTP_SESSION_VARS['valid_user'] = $userid;
        }
      }
    ?>
    <html>
    <body>
    <h1>Home page</h1>
    <?php
      if (isset($HTTP_SESSION_VARS['valid_user']))
      {
        echo 'You are logged in as: '.$HTTP_SESSION_VARS['valid_user'].' <br />';
        echo '<a href="logout.php">Log out</a><br />';
      }
      else
      {
        if (isset($userid))
        {
          // if they've tried and failed to log in
          echo 'Could not log you in';
        }
        else
        {
          // they have not tried to log in yet or have logged out
          echo 'You are not logged in.<br />';
        }

        // provide form to log in
        echo '<form method="post" action="authmain.php">';
        echo '<table>';
        echo '<tr><td>Userid:</td>';
        echo '<td><input type="text" name="userid"></td></tr>';
        echo '<tr><td>Password:</td>';
        echo '<td><input type="password" name="password"></td></tr>';
        echo '<tr><td colspan="2" align="center">';
        echo '<input type="submit" value="Log in"></td></tr>';
        echo '</table></form>';
      }
    ?>
    <br>
    <a href="members_only.php">Members section</a>
    </body>
    </html>

Some reasonably complicated logic is in this script because it displays the login form, is also the action of that form, and contains HTML for both successful and failed login attempts. The script’s activities revolve around the valid_user session variable. The basic idea is that if someone logs in successfully, we will register a session variable called $HTTP_SESSION_VARS['valid_user'] that contains her userid.

The first thing we do in the script is call session_start(). This will load in the session variable valid_user if it has been registered.
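The listing above builds its SQL from the submitted userid and password by string concatenation and compares the password with MySQL's PASSWORD() function. The following is an added example, not the book's code, that keeps the same page flow and the same valid_user session key but rewrites the authentication block with a parameterised query, a salted application-side hash and a fresh session id on login. It assumes a mysqli-reachable database named auth with a table auth(name, pass) whose pass column holds a value produced by password_hash() at registration time (that schema change is an assumption of this example, not something the chapter describes).

```php
<?php
// Added example (not from the book): authmain.php with a hardened login block.
// Assumed schema: table auth(name VARCHAR, pass VARCHAR) where pass is a
// password_hash() string written when the member was registered.
session_start();

$login_failed = false;   // replaces the book's isset($userid) test
$stored_hash  = '';

if (isset($_POST['userid'], $_POST['password'])) {
    $userid   = $_POST['userid'];
    $password = $_POST['password'];

    $db = new mysqli('localhost', 'webauth', 'webauth', 'auth');
    if ($db->connect_error) {
        die('Database unavailable');
    }

    // Prepared statement: the userid is sent as a bound parameter, so quote
    // characters in the input can never alter the query text.
    $stmt = $db->prepare('SELECT pass FROM auth WHERE name = ?');
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();
    $db->close();

    // password_verify() checks the cleartext against the stored salted hash;
    // the cleartext password never appears in SQL.
    if ($found && password_verify($password, $stored_hash)) {
        // Issue a new session id when the privilege level changes so that a
        // session id fixed before login is not carried into the logged-in state.
        session_regenerate_id(true);
        $_SESSION['valid_user'] = $userid;
    } else {
        $login_failed = true;
    }
}
?>
<html>
<body>
<h1>Home page</h1>
<?php
if (isset($_SESSION['valid_user'])) {
    // Escape before echoing so a userid containing markup is shown, not rendered.
    echo 'You are logged in as: '
        . htmlspecialchars($_SESSION['valid_user'], ENT_QUOTES, 'UTF-8')
        . '<br />';
    echo '<a href="logout.php">Log out</a><br />';
} else {
    if ($login_failed) {
        // One message for "no such user" and "wrong password" alike.
        echo 'Could not log you in';
    } else {
        echo 'You are not logged in.<br />';
    }
    // Same login form as the book's listing.
    echo '<form method="post" action="authmain.php">';
    echo '<table>';
    echo '<tr><td>Userid:</td>';
    echo '<td><input type="text" name="userid"></td></tr>';
    echo '<tr><td>Password:</td>';
    echo '<td><input type="password" name="password"></td></tr>';
    echo '<tr><td colspan="2" align="center">';
    echo '<input type="submit" value="Log in"></td></tr>';
    echo '</table></form>';
}
?>
<br>
<a href="members_only.php">Members section</a>
</body>
</html>
```

The three changes that matter here are the bound parameter (the only part of the request that reaches the SQL engine as data rather than as query text), password_verify() against a hash the application itself created, and session_regenerate_id(true) before valid_user is written. Everything else, including the session key the rest of the chapter relies on, is the same as in Listing 20.4.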
In the first pass through the script, none of the if conditions will apply and the user will fall through to the end of the script, where we tell her that she is not logged in and provide her with a form to do so:

    echo '<form method="post" action="authmain.php">';
    echo '<table>';
    echo '<tr><td>Userid:</td>';
    echo '<td><input type="text" name="userid"></td></tr>';
    echo '<tr><td>Password:</td>';
    echo '<td><input type="password" name="password"></td></tr>';
    echo '<tr><td colspan="2" align="center">';
    echo '<input type="submit" value="Log in"></td></tr>';
    echo '</table></form>';

When she presses the submit button on the form, this script is reinvoked and we start again from the top. This time, we will have a userid and password to authenticate, stored as $HTTP_POST_VARS['userid'] and $HTTP_POST_VARS['password']. If these variables are set, we go into the authentication block:

    if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password']))
    {
      // if the user has just tried to log in
      $userid = $HTTP_POST_VARS['userid'];
      $password = $HTTP_POST_VARS['password'];

      $db_conn = mysql_connect('localhost', 'webauth', 'webauth');
      mysql_select_db('auth', $db_conn);
      $query = 'select * from auth '
               ."where name='$userid' "
               ." and pass=password('$password')";
      $result = mysql_query($query, $db_conn);

We connect to a MySQL database and check the userid and password. If these are a matching pair in the database, we create the variable $HTTP_SESSION_VARS['valid_user'] containing the userid for this particular user, so we know who is logged in further down the track.

      if (mysql_num_rows($result) > 0)
      {
        // if they are in the database, register the user id
        $HTTP_SESSION_VARS['valid_user'] = $userid;
      }
    }

Because we now know who she is, we don’t need to show her the login form again.
Instead, we’ll tell her we know who she is, and give her the option to log out:

    if (isset($HTTP_SESSION_VARS['valid_user']))
    {
      echo 'You are logged in as: '.$HTTP_SESSION_VARS['valid_user'].' <br />';
      echo '<a href="logout.php">Log out</a><br />';
    }

If we tried to log her in and failed for some reason, we’ll have a userid but not an $HTTP_SESSION_VARS['valid_user'] variable, so we can give her an error message:

    if (isset($userid))
    {
      // if they've tried and failed to log in
      echo 'Could not log you in';
    }

That’s it for the main script. Now, let’s look at the Members page. The code for this script is shown in Listing 20.5.

Listing 20.5 members_only.php—The Code for the Members’ Section of Our Web Site Checks for Valid Users

    <?php
      session_start();

      echo '<h1>Members only</h1>';

      // check session variable
      if (isset($HTTP_SESSION_VARS['valid_user']))
      {
        echo '<p>You are logged in as '.$HTTP_SESSION_VARS['valid_user'].'</p>';
        echo '<p>Members only content goes here</p>';
      }
      else
      {
        echo '<p>You are not logged in.</p>';
        echo '<p>Only logged in members may see this page.</p>';
      }

      echo '<a href="authmain.php">Back to main page</a>';
    ?>

This code is very simple. All it does is start a session, and check if the current session contains a registered user by checking if the value of $HTTP_SESSION_VARS
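Listing 20.5 repeats the valid_user check inline, and the chapter names logout.php without showing it. As an added example that is not part of the book, the following include (called auth_guard.php here; the file name and function names are this example's own) centralises both jobs: require_login() stops the request before any members-only output is produced, and logout() removes the session data, the client's session cookie and the server-side session store. It assumes only the valid_user session key that authmain.php sets.

```php
<?php
// Added example (not from the book): auth_guard.php, shared by every
// members-only script. Assumes authmain.php stores the member's userid in
// $_SESSION['valid_user'].

function require_login(string $login_url = 'authmain.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['valid_user'])) {
        // Redirect and exit: nothing after this call runs for an anonymous
        // request, so members-only markup cannot leak past the check.
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 1. forget the server-side data for this request
    $_SESSION = [];
    // 2. expire the session cookie in the browser, with the same attributes
    //    it was issued with, so the old id is not re-sent
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    // 3. remove the session record itself
    session_destroy();
}

// Usage (constructed for this example):
//
// members_only.php
//   <?php require 'auth_guard.php'; require_login(); ?>
//   <h1>Members only</h1>
//   <p>You are logged in as
//      <?php echo htmlspecialchars($_SESSION['valid_user'], ENT_QUOTES, 'UTF-8'); ?></p>
//   <p>Members only content goes here</p>
//   <a href="authmain.php">Back to main page</a>
//
// logout.php
//   <?php
//   require 'auth_guard.php';
//   logout();
//   header('Location: authmain.php', true, 303);
//   exit;
```

Compared with the listing, the guard fails closed: a page that forgets the else branch, or emits content before the check, cannot show members-only material to an anonymous visitor, because the request ends inside require_login(). The three steps in logout() are the ones PHP's own session_destroy() documentation calls for; calling session_destroy() alone leaves the cookie in the browser and the $_SESSION array populated for the remainder of the request.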