I don't see any problems using sessions.

The way I display a welcome message like you are doing is like this

1 - in my php script that checks if the username/password are correct when a user tries to log in, if the username/password match (meaning the user is a valid member) I then assign a session variable called $_SESSION['fName'] and assign it the value of the member's first name in the database table.

2 - then on every page where the user needs to be logged in, after the code at the top of the page establishes the user is legitimately logged in you can

or a message along those lines wherever you need to.

While the user is on the site using sessions are fine.

As we've all tried explaining to you previously (and you were determined not to listen to) the reason that we advised against sessions in your registration process was because of users then closing the window (while they go to check their email) and then the session beling lost. There is a MASSIVE difference between that scenario and this.

Sessions are fine for short term temporary usage but for anything where the user may close the browser, always use a database.

Come on kids, be nice.... OR ELSE.
Sessions are great for that. You don't want to keep too much information in a session, though. Usually just a unique identifier(usually a user id referencing the DB) and maybe the name if you are going to use it on every page.

So for security reasons I should only be storing the "UserID" and "UserName"?

What about storing "returnToPage" which is the current page the user is on and the page they want to return to after they log in?!

Thanks,


Debbie

P.S. I was playing nice, but Tango and I seem to not communicate so well at times. Blame the Internet medium...

You don't really need to store the username if you are storing the user id because you can just look it up when you need to, but that's the general idea, yeah.
That's fine.

So what about this scenario...

A user is on the article "How to Incorporate Your Business" and wants to add a comment. The user is already a Member and so he/she clicks on "Log In".

When the Log-In screen appears (log_in2.php), I want the following displayed...

*******************************************
Please Log In to comment on the article:

"How to Incorporate Your Business"

E-mail:
Password:

*******************************************

When the user was previously on "www.mywebsite.com/articles/how-to-incorporate-your-business", that page was populated from my database and so I not only had the value for "ArticleID" stored in a variable, but also "Article Title".

If I stored the Article's Title in $_SESSION['articleTitle'], then I don't have to query my database twice (i.e. Once to build the article and and twice to build the Log-In form.)

I understand what you are saying about "Don't store everything in the Session, and just query more if you need it." However, my argument above has merits too, right?


Debbie

One or two database calls to retrieve the last page visited, a username, etc.. will not slow down a page enough to notice. Hence why MySQL and PHP work wonders together.

Here is how I usually run an authentication system (in which I use quite regularly)...
1. Query DB to check for username and password while logging in.
2. Store unique id of user from db into session (so I can identify user later on and retrieve more personal info from the db, should I need to). Also I use this to update a admin log to track users in case they screw something up, which uses another MySQL query.
3. I store the users full name in a session, because it's always displayed on the pages.
4. I store a "Is Logged In" session just for sanity checks.

I query my db a lot and have never slowed it down.
Except once when I had a loop that never ended, but that's a story for another time.

Sessions are your friend for lots of things, such as what you are trying to do. You can also check out the $_SERVER['HTTP_REFERER'] variable as it sometimes stores the last page the user was on. Although, this is sometimes hit and miss depending on the browser. I use it when available and if not, I redirect the user to the homepage of my site. They know the page they were on so they can find it again.

Okay, but if I am going from "article.php" to "log_in.php", why query the database *twice* on back-to-back pages when I can get everything I need (i.e. Article Name for Log-In page) in one trip?

If I needed the Article Name 10 pages down the road, then I'd query the database twice, but it seems to me for a case like this, just greab what you need and stash it in the Session. (Besides, it isn't like I'm storing anything sensitive in the Session or for a prolonged period, right?)


Debbie

You could... really it's preference of how you wish to do it. I would just query the database twice.

And queries for even tiny pieces of information don't take a toll on your site's performance?

I mean, for testing, no, but what if I had 500 concurrent users and I needed to make all of these repeated database calls to get each little tiny piece of info?!

That's gotta catch up with you?!


Debbie