PHP Login Script with Remember Me Feature

Posted on January 25, 2004

in Code

by JP (jpmaster77)

Rated 4.5 (Ratings: 32) (Add your rating)

Want more?

More articles in Code
More articles by jpmaster77

JP

Member info | Full bio

User since: January 10, 2004

Last login: May 21, 2007

Articles written: 2

Introduction

I just started programming with PHP and MySQL this week and the first script I wanted to write was a login script. I wanted to include the popular "Remember Me" feature seen on a lot of websites that basically keeps users logged into the website, even after they've closed the browser so that the next time they come, they won't have to login again manually.

I found this tutorial Creating a PHP Login Script to be very helpful in writing this script, in fact, a lot of the code presented here is very similar to the code presented in that tutorial. The differences are seen with the new "Remember Me" feature, the use of cookies in addition to sessions, and with slight modifications in the design.

Goals

The ultimate goal is to create a PHP login script with the capability of remembering logged-in users. I also hope this tutorial will serve as a way to introduce people to user sessions and cookies in PHP.

Notes

Although this tutorial uses a MySQL database for storing user information, it has been written so that the data accessing code is separated from the main code through specific functions, so it would be easy to instead use a flat file "database" system, simply by changing the code in those specific functions, without messing with the rest. This tutorial uses the latest and greatest of PHP 4, which means super globals are used, such as $_POST, $_SESSION, etc.. This tutorial will aim to teach you about sessions and cookies through example, however if you need to know more information, go to the official website .

Database

For those of you planning on using a flat file system, you can skip this section. For the rest of us, we want to create a MySQL database table that holds user information, here it is:

CREATE TABLE users (
    username varchar(30),
    password varchar(32));

Of course this table can be modified according to your needs, however the password field must not be less than 32 because it has to store the md5 encrypted versions of passwords which are 32 bytes.

database.php

This file will contain the code that connects you to your MySQL database and the functions that access user information, you need to modify this to show your MySQL username, password and database.

<?

/**
 * Connect to the mysql database.
 */
$conn = mysql_connect("localhost", "your_username", "your_password") or die(mysql_error());
mysql_select_db('your_database', $conn) or die(mysql_error());

?>

Allow Users to Sign-Up

Before we can login users, we need users. Here we will focus on the code that allows users to sign-up, registering their username and password.

register.php

<?
session_start(); 
include("database.php");

/**
 * Returns true if the username has been taken
 * by another user, false otherwise.
 */
function usernameTaken($username){
   global $conn;
   if(!get_magic_quotes_gpc()){
      $username = addslashes($username);
   }
   $q = "select username from users where username = '$username'";
   $result = mysql_query($q,$conn);
   return (mysql_numrows($result) > 0);
}

/**
 * Inserts the given (username, password) pair
 * into the database. Returns true on success,
 * false otherwise.
 */
function addNewUser($username, $password){
   global $conn;
   $q = "INSERT INTO users VALUES ('$username', '$password')";
   return mysql_query($q,$conn);
}

/**
 * Displays the appropriate message to the user
 * after the registration attempt. It displays a 
 * success or failure status depending on a
 * session variable set during registration.
 */
function displayStatus(){
   $uname = $_SESSION['reguname'];
   if($_SESSION['regresult']){
?>

<h1>Registered!</h1>
<p>Thank you <b><? echo $uname; ?></b>, your information has been added to the database, you may now <a href="main.php" title="Login">log in</a>.</p>

<?
   }
   else{
?>

<h1>Registration Failed</h1>
<p>We're sorry, but an error has occurred and your registration for the username <b><? echo $uname; ?></b>, could not be completed.<br>
Please try again at a later time.</p>

<?
   }
   unset($_SESSION['reguname']);
   unset($_SESSION['registered']);
   unset($_SESSION['regresult']);
}

if(isset($_SESSION['registered'])){
/**
 * This is the page that will be displayed after the
 * registration has been attempted.
 */
?>

<html>
<title>Registration Page</title>
<body>

<? displayStatus(); ?>

</body>
</html>

<?
   return;
}

/**
 * Determines whether or not to show to sign-up form
 * based on whether the form has been submitted, if it
 * has, check the database for consistency and create
 * the new account.
 */
if(isset($_POST['subjoin'])){
   /* Make sure all fields were entered */
   if(!$_POST['user'] || !$_POST['pass']){
      die('You didn\'t fill in a required field.');
   }

   /* Spruce up username, check length */
   $_POST['user'] = trim($_POST['user']);
   if(strlen($_POST['user']) > 30){
      die("Sorry, the username is longer than 30 characters, please shorten it.");
   }

   /* Check if username is already in use */
   if(usernameTaken($_POST['user'])){
      $use = $_POST['user'];
      die("Sorry, the username: <strong>$use</strong> is already taken, please pick another one.");
   }

   /* Add the new account to the database */
   $md5pass = md5($_POST['pass']);
   $_SESSION['reguname'] = $_POST['user'];
   $_SESSION['regresult'] = addNewUser($_POST['user'], $md5pass);
   $_SESSION['registered'] = true;
   echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";
   return;
}
else{
/**
 * This is the page with the sign-up form, the names
 * of the input fields are important and should not
 * be changed.
 */
?>

<html>
<title>Registration Page</title>
<body>
<h1>Register</h1>
<form action="<? echo $HTTP_SERVER_VARS['PHP_SELF']; ?>" method="post">
<table align="left" border="0" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>
<tr><td colspan="2" align="right"><input type="submit" name="subjoin" value="Join!"></td></tr>
</table>
</form>
</body>
</html>


<?
}
?>

Read through the code and see what it's doing, there are comments there to help you. It was written with you in mind, I tried to make it so people could just paste their website specific html code in between the php code with ease. Don't be scared when you see the use of session variables right away, they are used to tell the script key information like the requested username, registration attempt and registration success. With this information the script knows what to display, and when the registration is done, it "forgets" the information (by unsetting the variables).

Note

You'll notice that the script immediately refreshes itself after the registration request, this is done to eliminate the case where users, for any reason, hit the Refresh button on their browser and cause a pop-up window that says the page has expired and prompts the user to send the registration request again. This technique is also used in the login script, so watch out for it.

Allow Users to Log-In

Now the fun begins, now that we have users, we can log them in. This is the heart of this tutorial, it will create the login script with the "Remember me" feature that we all want, and it accomplishes this by using cookies.

login.php

<?

/**
 * Checks whether or not the given username is in the
 * database, if so it checks if the given password is
 * the same password in the database for that user.
 * If the user doesn't exist or if the passwords don't
 * match up, it returns an error code (1 or 2). 
 * On success it returns 0.
 */
function confirmUser($username, $password){
   global $conn;
   /* Add slashes if necessary (for query) */
   if(!get_magic_quotes_gpc()) {
	$username = addslashes($username);
   }

   /* Verify that user is in database */
   $q = "select password from users where username = '$username'";
   $result = mysql_query($q,$conn);
   if(!$result || (mysql_numrows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result, strip slashes */
   $dbarray = mysql_fetch_array($result);
   $dbarray['password']  = stripslashes($dbarray['password']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

/**
 * checkLogin - Checks if the user has already previously
 * logged in, and a session with the user has already been
 * established. Also checks to see if user has been remembered.
 * If so, the database is queried to make sure of the user's 
 * authenticity. Returns true if the user has logged in.
 */
function checkLogin(){
   /* Check if user has been remembered */
   if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
      $_SESSION['username'] = $_COOKIE['cookname'];
      $_SESSION['password'] = $_COOKIE['cookpass'];
   }

   /* Username and password have been set */
   if(isset($_SESSION['username']) && isset($_SESSION['password'])){
      /* Confirm that username and password are valid */
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
         /* Variables are incorrect, user not logged in */
         unset($_SESSION['username']);
         unset($_SESSION['password']);
         return false;
      }
      return true;
   }
   /* User not logged in */
   else{
      return false;
   }
}

/**
 * Determines whether or not to display the login
 * form or to show the user that he is logged in
 * based on if the session variables are set.
 */
function displayLogin(){
   global $logged_in;
   if($logged_in){
      echo "<h1>Logged In!</h1>";
      echo "Welcome <b>$_SESSION[username]</b>, you are logged in. <a href=\"logout.php\">Logout</a>";
   }
   else{
?>

<h1>Login</h1>
<form action="" method="post">
<table align="left" border="0" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>
<tr><td colspan="2" align="left"><input type="checkbox" name="remember">
<font size="2">Remember me next time</td></tr>
<tr><td colspan="2" align="right"><input type="submit" name="sublogin" value="Login"></td></tr>
<tr><td colspan="2" align="left"><a href="register.php">Join</a></td></tr>
</table>
</form>

<?
   }
}


/**
 * Checks to see if the user has submitted his
 * username and password through the login form,
 * if so, checks authenticity in database and
 * creates session.
 */
if(isset($_POST['sublogin'])){
   /* Check that all fields were typed in */
   if(!$_POST['user'] || !$_POST['pass']){
      die('You didn\'t fill in a required field.');
   }
   /* Spruce up username, check length */
   $_POST['user'] = trim($_POST['user']);
   if(strlen($_POST['user']) > 30){
      die("Sorry, the username is longer than 30 characters, please shorten it.");
   }

   /* Checks that username is in database and password is correct */
   $md5pass = md5($_POST['pass']);
   $result = confirmUser($_POST['user'], $md5pass);

   /* Check error codes */
   if($result == 1){
      die('That username doesn\'t exist in our database.');
   }
   else if($result == 2){
      die('Incorrect password, please try again.');
   }

   /* Username and password correct, register session variables */
   $_POST['user'] = stripslashes($_POST['user']);
   $_SESSION['username'] = $_POST['user'];
   $_SESSION['password'] = $md5pass;

   /**
    * This is the cool part: the user has requested that we remember that
    * he's logged in, so we set two cookies. One to hold his username,
    * and one to hold his md5 encrypted password. We set them both to
    * expire in 100 days. Now, next time he comes to our site, we will
    * log him in automatically.
    */
   if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
      setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");
   }

   /* Quick self-redirect to avoid resending data on refresh */
   echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";
   return;
}

/* Sets the value of the logged_in variable, which can be used in your code */
$logged_in = checkLogin();

?>

This one's a little bit tricky because of the function calling. Let me just clarify what this script does.

It first checks to see if the login form has just been filled out and submitted, if not it checks to see if a session has already been established where the username and password are already known. This is true in two cases, when the user has chosen to be remembered and a session is established automatically, or when the user has not chosen to be remembered but has already logged in and is still using the same browser window that he used to log in.

If either of these two cases is true, then it verifies that the username is in the database and that the password is valid, if these two checks pass then the almighty $logged_in variable is set to true, false otherwise. If the user has just filled out the login form and submitted it, the script detects this and then verifies the authenticity of the username and password, if all is well then session variables are set with the username and md5 encrypted password.

Great, but when does the login form get displayed? That's all up to you. It's up to you the programmer to display the login form when the $logged_in variable is false. But wait! I have added a function that you can call that relieves you of this horrible burden. The displayLogin() function is there to check if the $logged_in variable is true or not and displays information accordingly. How to use this function is described in the Usage section.

Note

login.php is not meant to be a stand-alone file like register.php, it is meant to be included at the top of every file that needs to use it, so it doesn't contain the call to "session_start()", that should be at the top of the file that wants to include login.php, as you will see in the examples below.

Remember Me Feature

So, how was this accomplished again? As is described in login.php, when a user chooses to be remembered, two cookies are set on the user's computer. Well, really one cookie, but one that contains two important pieces of information: the username and the md5 encrypted password. What is a cookie anyways? It is a temporary file that is stored on the user's computer on behalf of the website in order to hold information that is important to the website. How long does this temporary file last? As long as we say so. As written, the expiry time is 100 days, after which the cookie will be deleted. However, it also gets deleted when the user decides to log out, as you will soon see.

Allow Users to Log-Out

If users want to log-out, we should let them. All we need to do is delete the cookies we've set if they chose to be remembered, and simply unset the session variables. Done.

logout.php

<?
session_start(); 
include("database.php");
include("login.php");

/**
 * Delete cookies - the time must be in the past,
 * so just negate what you added when creating the
 * cookie.
 */
if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
   setcookie("cookname", "", time()-60*60*24*100, "/");
   setcookie("cookpass", "", time()-60*60*24*100, "/");
}

?>

<html>
<title>Logging Out</title>
<body>

<?

if(!$logged_in){
   echo "<h1>Error!</h1>\n";
   echo "You are not currently logged in, logout failed. Back to <a href=\"main.php\">main</a>";
}
else{
   /* Kill session variables */
   unset($_SESSION['username']);
   unset($_SESSION['password']);
   $_SESSION = array(); // reset session array
   session_destroy();   // destroy session.

   echo "<h1>Logged Out</h1>\n";
   echo "You have successfully <b>logged out</b>. Back to <a href=\"main.php\">main</a>";
}

?>

</body>
</html>

You're probably wondering why login.php was included in logout.php, seems a little weird right? Well, if the user is not logged in how can we log them out? We use login.php to verify that the user really is logged in with the help of the variable $logged_in which gets set when login.php is run.

Flat File Database

If you don't have MySQL, don't worry, you can still use this script! All you would have to do is change the following functions to include your flat file user management code, but remember to keep the operations and return values consistent with the documentation.

In register.php - change usernameTaken() and addNewUser()
In login.php - change confirmUser() and checkLogin()

Usage

Now that everything has been coded, all that's left is for you to know how to actually use this beast.

database.php - make sure you put your own MySQL information into it
register.php and logout.php - no changes needed, however you could change the html to reflect that of your website
login.php - In order to use it within a file you must call "session_start()" before the line where you include login.php.

I've mentioned the function "displayLogin()" found within login.php. If you call it within one of your files, it will display the login form if no user is logged in, if a user is logged in, it displays a message reflecting such. The point of this is so that you won't have to include that code in all of your files, all you have to do is just call the function:

Example: main.php

<? 
/* Include Files *********************/
session_start(); 
include("database.php");
include("login.php");
/*************************************/
?>

<html>
<title>Jpmaster77's Login Script</title>
<body>

<? displayLogin(); ?>

</body>
</html>

You should also know that login.php sets a boolean variable called $logged_in, which is true when a user is logged in, and false when no user is logged in. You can use this variable in your files for whatever you'd like.

Example: main2.php

<? 
/* Include Files *********************/
session_start(); 
include("database.php");
include("login.php");
/*************************************/
?>

<html>
<title>Jpmaster77's Login Script</title>
<body>

<? 
if($logged_in){
   echo 'Logged in as '.$_SESSION['username'].', <a href="logout.php">logout</a>';
}else{
   echo 'Not logged in.';
}
?>

</body>
</html>

Improvements

What can make this script even better? Well, you can add a check to enforce that usernames are strictly alphanumeric, without any wacky characters. At registration, you probably want more info from the user (email, homepage, location,..), but this script is about user logins, so we only focused on the username and password.

Also the error pages are not very cool, for example, when someone doesn't enter a field thats required from the form, instead of just stopping and printing an error message, you can redirect him to the form again, but have specified which field was left blank (in red lettering possibly). There's more that I'm sure you'll think of.

Conclusion

I hope you were able to learn something from my script, and if you choose to use my script on your site, I hope you enjoy it. Good luck programming!

631 comments on this article. Log in to add your comment |

Some improvements

Submitted by Martin Tsachev on January 27, 2004 - 12:24.

Nice one, it's a good idea although to declare the username column in your database as a primary key, it will speed up username lookups a lot.

From a security point of view it would be better to not set the password cookie to the md5 of the password, better add a cookie field in the database and prefill this with a random value. Cookies fly over the wire on every request for the site, even for images and are easy to intercept, with most people using a weak password dictionary attack may quickly reveal the password (probably used on other sites too).

Thanks shaggy

Submitted by jpmaster77 on January 28, 2004 - 00:35.

I'm still happy about getting this tutorial approved, I spent a lot of time on it.

Anyways, thanks shaggy for being the first to comment. I'm glad you mentioned the primary key thing with the username. As I mentioned in the article, I'm new to MySQL programming, so I didn't even know the advantages of naming a database column as a primary key, but now that you mention it, speed is definitely an advantage. Users should go for it.

As far as the security issue, I don't think it's an issue for small websites like the ones that mostly use these php scripts. Well, I can't speak for everyone, but in my case where I would use this script for a simple fan site with message boards and stuff, no personal contact information or credit card info stored, saving the md5 password as a cookie is just fine. But again, that's just me.

I worked hard on writing the tutorial, I tried to be as clear as possible, if you have any questions just ask. Enjoy!

Security

Submitted by gray_eminence on January 28, 2004 - 12:55.

Nice article

I think you shouldn't overlook security too quickly. I'd say that even if very little info is stored, that can change over the lifespan of your website. The other thing to consider is that if it's easy to steal someone's identity it can reap havoc for the victim in message boards, etc. I've known people to have their hotmail accounts hijacked and have to work hard to get friends to trust them again. Last, but not least, so many people use the same passwords over and over again. By giving them no protection (when even a little protection is easy to provide) it's easy for a password to be comprimised and used somewhere else where the password might be more valuable. I'm not saying you have to go nuts though.

Contact

Submitted by classic on February 12, 2004 - 15:33.

Please e-mail me, I have a few questions for you about your script.

Re: Contact

Submitted by Martin Tsachev on February 13, 2004 - 03:26.

Why don't you share your questions with others, they may benefit the answers too?

Random value for Cookie

Submitted by old_n_ugly on February 15, 2004 - 10:57.

Re: Shaggy's comment. Not certain I understand your reasoning. The purpose of the cookie is to authenticate the user when returning. Why the the random value instead of the md5(password)? You still need to authentitcate on that value against the database value, just like a user-defined password. Are you saying it's harder to decrypt the random value than a user-defined password? (your weak dictionary reference? Sorry, never got into the Unix side of the world...)

Random value or password?

Submitted by Martin Tsachev on February 15, 2004 - 12:09.

With http it's important to pass the password in cleartext or encrypted form/hash as little as possible. If I was an attacker and I intercepted your password I could use it to login to other sites where you used the same password. On the other hand if I intercepted the random value that's in the database and the cookie I would only be able to login to that site, can't do anything else with a random value ;-)

password recovery

Submitted by magsec4 on February 16, 2004 - 16:07.

i know this is meant to be a 'simple script', but do you maybe know how to make a simple password recovery system too or something? just a thought.

Registration Page

Submitted by sherlock on February 16, 2004 - 17:22.

Hey JP, I love this script. You have done a great job on it. If I wanted to add more fields to the user registration page such as email address or country what changes would I have to make. I know I have to add more fields to the mysql database table but I can't seem to figure out how to add them onto the registration page. Thanks (**)

Forgotten password

Submitted by Martin Tsachev on February 17, 2004 - 01:48.

As the script uses md5 which is not easily reversible it would be best to generate a new password for users or mail them a link that allows them to change their password without logging in.

forgotten password

Submitted by magsec4 on February 17, 2004 - 15:49.

ah, yes now i see that md5 really isn't that easily reversable (believe me, i tried :P ). anywayz how would i add like an email field to the registration field anywayz (as asked above)? can't recover a password without an email :) . but if you could also post how to make a new password-generation script i'd appreciate that too. also, is md5 encryption really necessary if its just like a login for a webpage? do all websites use md5 encryption as a "standard feature"?

Reversing md5

Submitted by Martin Tsachev on February 18, 2004 - 01:31.

Magsec I've tried reversing a few md5's and believe me using a big dictionary it usually takes seconds to do it. There aren't many people that use strong password, I know that for sure.

nvm

Submitted by magsec4 on February 18, 2004 - 15:24.

ok nevermind, i added my own email field, saves info in a new column named email (duh), and i added a new column named 'ip' where it saves the ip the user registered from :) . and now i'm going to (attempt) to make myself a password recovery script.

Can I see?

Submitted by sherlock on February 18, 2004 - 15:59.

mmmm, can I see the script where you added the email field?

Add new field

Submitted by jpmaster77 on February 18, 2004 - 17:40.

Hey sherlock,
Sorry I didn't respond earlier. If you want to add new fields to the registration form you need to make changes to register.php. At the very bottom of register.php you can see the html code for the user registration form; currently it has just the username and password text fields. They appear in the following format:

&lt;tr&gt;...Username: ....&lt;/tr&gt;<br>

&lt;tr&gt;...Password: ....&lt;/tr&gt;

In order to add a new field, just copy and paste one of the "tr" blocks and just change the name of it. For example, to add an email field:

<tr><td>Email:</td><td><input type="text" name="email" maxlength="50"></td></tr>

In the example above I put: name="email" in the input tag, so now all I have to do to access this field in my php code is to just use the following variable: $_POST['email']

Example:

if(!$_POST['email']){
      die('You didn\'t fill in the email field, silly');
}

I hope this was helpful in what you wanted to do. Let me know if you have any more questions or comments.

Not supporting cookies!

Submitted by CoolFox31 on February 18, 2004 - 19:14.

What happns if the person doesn't support cookies?

Cookie monster

Submitted by jpmaster77 on February 18, 2004 - 20:32.

Then all hell breaks loose. But lucky for us, most people (and browsers) allow cookies. Most login forms use cookies and most users will turn on cookies to be able to take advantage of this feature, if they really want it.

Note: If cookies are disabled, people can still login to the site with this script and the script will know the user is logged in for the whole time the user visits the site (within the same browser window). However, if the user had checked "remember me", then closed the window, then returned to the site later, that's when the feature would fail. The point is, the script would still be functional, it just wouldn't have the remembering feature.

The bottom line is if the person doesn't support cookies then the site won't remember him when he comes back at a later time.

Thanks!

Submitted by sherlock on February 19, 2004 - 16:51.

That's great. I'll give it a try. Thanks! (**)

Password Generator

Submitted by old_n_ugly on February 20, 2004 - 19:18.

Someone asked about a password generator. Here's the one I use. Its not my creation, but I can't recall where I picked it up, or I'd give credit...

/* generate a new password & return the new password, or false on failure */
/*  $digits = amount of chars the password should have (between 4 and 29) */
/*  $c = if true, I,i,L,l will be changed to 1 and O or o will be changed to 0 (Zero) to prevent mistakes by an userinput */
/*  $st = string to "U" = upper, "L" = lower, NULL=casesensitive */
function generate_password($digits,$c,$st)
{
  if(!ereg("^([4-9]|((1|2){1}[0-9]{1}))$",$digits)) // 4-29 chars allowed
     $digits=8;
  for(;;)
  {
     $pwd=null; $o=null;
     // Generates the password ....
     for ($x=0;$x350 && $y  
  login or register to post comments

login display

Submitted by Maller on February 21, 2004 - 08:30.

I read your article, and tried the script out, and it seems to work fine, now im not a php gury or anything, and you will probly notice in my question. But the problem i have, is when you login it displays the custom message, you are now logged in as "user" Am i able to include my own html instead of the custom login message ? i tried to change it, but it dosent really work. I hope you can help me out, and understand my question, Thanks.

Changing Login Display

Submitted by jpmaster77 on February 21, 2004 - 17:44.

Yes, I tried to make it easy for people to change the html code in the script to reflect that of their own website. If you want to change the login form or the display when the user is logged in, you need to change the displayLogin() function in login.php.

Sample layout of displayLogin():

function displayLogin(){
   global $logged_in;
   if($logged_in){
?>
    /*... YOUR LOGIN DISPLAY HTML CODE ...*/

    /*... YOUR LOGIN FORM HTML CODE ...*/

This is a new login confirmation display
You are logged in , have fun. Logout

    /*... SAME AS IN LOGIN.PHP ...*/  
  login or register to post comments

Session Error

Submitted by KMac on February 22, 2004 - 07:56.

Very good tutorial JP!

I just installed MySQL and PHP4 on my apache server. As you can no doubt tell from my questions I am new to MySQL and PHP. I'm new to programming in general. I was hoping you could help clear up a few things or lead me in right direction.

I get the error below:

("myfirsttestwebsite.com" edited for this post)

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/www/myfirsttestwebsite.com/register.php:3) in /home/www/myfirsttestwebsite.com/register.php on line 12

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/www/myfirsttestwebsite.com/register.php:3) in /home/www/myfirsttestwebsite.com/register.php on line 12

Is this just a case of editing the php.ini file?

Thanks in advance.
-Kmac

Setting sessions

Submitted by Martin Tsachev on February 22, 2004 - 09:09.

KMac make sure you don't print anything before calling session_register(), even whitespace. Start your files with <?php.

Session Error - Resolved

Submitted by KMac on February 22, 2004 - 10:09.

shaggy it worked! Thank you very much.

Email

Submitted by Maller on February 22, 2004 - 12:17.

Thanks for the quick reply jpmaster77, it worked like a charm. I played around with the script, and added email to the form, and database, now my question is, is it possible to send a email to members with there username and password ? i added the folling 3 lines to register.php:

<tr><td>Email:</td><td></td></tr>

$email = $_POST['email'];

$_SESSION['regresult'] = addNewUser($_POST['user'], $md5pass, $email);

Emailing new members

Submitted by jpmaster77 on February 22, 2004 - 21:10.

Maller, yes you can send an email to newly registered users with their username and password information if that's what you want to do, although shaggy might raise a security issue :). You need to have sendmail installed on the website's server and to actually send the email, you can use the mail() function. Look at the documentation for it at php.net.

I have only tried once to send email using the mail() function and I wasn't successful, probably because sendmail wasn't installed or for some other reason. So I am no expert at sending emails with php, but I'm sure you can find info about it on the internet.

Still confused...

Submitted by alotufo on February 23, 2004 - 00:02.

Ok I am very new to PHP and MySQL... I will admit that... I have figured out the MySQL part of it, but now what I want to be able to do it put a sort of a 'wrapper' around any HTML file that says if the user is not logged in, to go ahead and login. If they are logged in, proceed to display the HTML as necessary. What do I need to put in front of my HTML code to check and see if someone is logged in? I want to protect any HTML pages within a specific folder from being viewed by anyone who is not authenticated by the SQL query. Many thanks for a very good script.

How about checking for cookies usage first?

Submitted by RogerB on February 23, 2004 - 11:16.

A nice addition to this script would be checking to see if the user/browser accepts cookies and then displaying the "Remember Me' only if cookies can be used. FWIW I agree with Shaggy on using the random value instead of the MD5 value. Even on seemingly unimportant sites that I setup, I would sleep better knowing that there is no direct access to the password (encoded or not). The change to do this is trivial too. Thanks for posting this script.

Wrapper

Submitted by jpmaster77 on February 23, 2004 - 13:20.

alotufo, this script lets you easily accomplish what you want to do. When login.php is run, the $logged_in variable gets set, to true if the user is logged in, false otherwise. So all you have to do is check the value of this variable and decide which html code to display to the user.

Example: protected_page.php



/* YOUR "NOT LOGGED IN" HTML CODE */
/* you could put this in a file and just make a call to insert it here */



/* YOUR PROTECTED HTML CODE */
/* different for each page that's protected */

The wrapper could be this or some variation of it, but it would be something that includes "login.php" and checks the $logged_in variable. Let me know if this was helpful.

Wrapper working

Submitted by alotufo on February 23, 2004 - 23:59.

Thanks jpmaster77. Your tips were very helpful. I am able to place my HTML code around the PHP code and it is working fine. Thanks for your help.

what is wrong?

Submitted by Geforcy on February 24, 2004 - 02:26.

I get this error when i try to register, all the database settings are correct and I have checked everything. The only thing I could think about it can be a webhosting problem? Registration Failed We're sorry, but an error has occurred and your registration for the username Geforcy, could not be completed. Please try again at a later time.

MySQL problem

Submitted by jpmaster77 on February 24, 2004 - 09:12.

Geforcy, the only way for that message to appear is when the mysql query to enter the new username and password into the database fails. This could mean a couple different things, but it is a mysql related problem (assuming you didn't change the script, did you?). Most likely one of the fields you needed to enter in database.php is incorrect, maybe the database name? Double-check on that. If that's not the problem, then my guess is it has something to do with your webhosting. Have you tried using mysql before on that webhost? You should probably make a couple test scripts that just test that mysql is working; that you can add new entries into a table. If you can get that working and still have a problem with this script, post again.

This is the Problem I have

Submitted by HannesRulez on February 24, 2004 - 10:57.

I'm new to all of this. I rather like programming! So this is the error I see. I managed to press Stop on my IE before the Error Echo changed! Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /home/www/htdocs/fxp-power.de/login/register.php on line 16 Im 100% shure that the MySQL stuff is right! And i have managed to run MySQl before... whole Board! so....

MySQL query returning false

Submitted by jpmaster77 on February 24, 2004 - 13:57.

Hannes, the problem is the mysql query is returning FALSE and not a resource identifier. This is the query that is being made:
"select username from users where username = '$username'"

The only ways for this query to return false are if username is not a valid column in the table users, the table users does not exist, or you don't have permissions to access the table users.

My guess is you might have not created the table correctly, maybe naming it Users instead of users. Make sure you create the table exactly as specified:

CREATE TABLE users (<br>

    username varchar(30),<br>

    password varchar(32));<br>

If none of these things is the problem in your case, then I'm out of ideas because I too am new to MySQL and I don't have direct access to your webserver/code to play around with what might be wrong. Let me know if you find a solution.

last question

Submitted by HannesRulez on February 24, 2004 - 14:36.

your right! I didn't call is users but I take it you must name it. .sql?? oder .php? thx again!

sry

Submitted by HannesRulez on February 24, 2004 - 14:38.

I think I have missed the point! Where and how do you create the users table?? Sry, but I am really new to this!

Create Table

Submitted by KMac on February 24, 2004 - 18:52.

HannesRulez,

Here's how I did it.

mysql> create database test

mysql> use test

CREATE TABLE users (

username varchar(30),

password varchar(32));

Kmac

Same error

Submitted by CoolFox31 on February 24, 2004 - 19:10.

Hey jpmaster77, I keep getting the same error message when I login. It keeps saying username is not in the database. I when into PHPMyAdmin and see for myself that the username is in the database. But I kept on getting they same error message. Username isn't in the database. I checked and made sure that the connection to the MySQL was working right and it was... I wrote my on register script and I liked your Remember Me feature and I am having a little bit of a problem with that damn message "username isn't in the database". If you have any ideas of why it's not working please tell me!

MySql Admin

Submitted by KMac on February 24, 2004 - 19:25.

CoolFox31-I hope this helps. The "username" and "passwords" are in the MySQL database in the users TABLE. Not PHPMyAdmin.

MYSQL Admin

Submitted by KMac on February 24, 2004 - 19:32.

CoolFox31, What if you do a select * from users; with MySQLAdmin? Does that show you what is in the users TABLE? -KMac

Yes KMac

Submitted by jpmaster77 on February 24, 2004 - 19:45.

CoolFox31, my thoughts are that you have the same problem that HannesRulez had, you didn't create the users table correctly, or not at all.

You mentioned that you wrote your own registration script, which means you probably created your own database table, and under a different name. See the posts above on how to correctly create the users table. Or you could just change the mysql queries to query the table you created instead of users, just make sure it has username and password fields, and of correct lengths. Let us know.

Is there a MySQL menu?

Submitted by HannesRulez on February 24, 2004 - 21:34.

Sry again! But is there a MySQL Men

How do I creat the table?????

Submitted by HannesRulez on February 24, 2004 - 21:36.

Sry again! But is there a MySQL Menu where i can creat this users table? or how do I install it?

i found it

Submitted by Geforcy on February 25, 2004 - 00:06.

my database name was spelled wrong.... noob i am!

My Table

Submitted by CoolFox31 on February 25, 2004 - 03:44.

Here is how I created my table CREATE TABLE `users` ( `id` smallint(6) NOT NULL auto_increment, `username` varchar(16) binary NOT NULL default '', `password` varchar(32) binary NOT NULL default '', `email` varchar(50) NOT NULL default '', `gender` int(1) NOT NULL default '0', `access` tinyint(1) NOT NULL default '0', `signup_ip` varchar(20) NOT NULL default '', `join` varchar(19) NOT NULL default '0000-00-00 00:00:00', `aim` varchar(30) NOT NULL default '', `msn` varchar(50) NOT NULL default '', `yahoo` varchar(30) NOT NULL default '', `icq` varchar(20) NOT NULL default '', `bday_day` int(2) NOT NULL default '0', `bday_month` int(2) NOT NULL default '0', `bday_year` int(4) NOT NULL default '0', PRIMARY KEY (`id`), KEY `bday_day` (`bday_day`), KEY `bday_month` (`bday_month`,`bday_year`) )

Thx but no?!!

Submitted by HannesRulez on February 25, 2004 - 04:09.

Hi! I think you are missing my point! I have this file on my server called "users.sql" looks like this

CREATE TABLE users (

username varchar(30),

password varchar(32));

I this right calling it .sql? And how do I create the table in my MySQL database? That's my question: How do I use the users table and create it??????

thx again Hannes

Password & Username

Submitted by JayMarx on February 25, 2004 - 04:47.

Probably a massively silly question: I can only use this script if I delete the username and password from the database.php file. If I dont I get an error like this: Warning: mysql_connect(): Access denied for user: 'user@localhost' (Using password: YES) in c:\inetpub\wwwroot\database.php on line 6 Access denied for user: 'user@localhost' (Using password: YES) Is this some kind mysql config error? I imagine it isnt very secure this way.

Start of page header

Article Categories

Highest rated articles

Submit

Recent comments

PHP Login Script with Remember Me Feature

Want more?

JP

Introduction

Goals

Notes

Database

database.php

Allow Users to Sign-Up

register.php

Note

Allow Users to Log-In

login.php

Note

Remember Me Feature

Allow Users to Log-Out

logout.php

Flat File Database

Usage

Example: main.php

Example: main2.php

Improvements

Conclusion