Chapter 16. PHP Development, page 487: The check_session function

The check_session function would normally be called from within another page. For example, I have a page called userpage.php that I do not want anyone to gain access to unless they are a valid user. Including a call to this function at the beginning of that page helps me ensure that the user has a valid cookie and is authorized to view the page.

Validating the user and the cookie

The query in the following code snippet is the one actually sent to validate the user and the cookie:

    $query = "SELECT auth_group FROM user_table WHERE session = '$cookie_session' AND timestamp > (unix_timestamp() - 600) AND md5(user) = '$cookie_user'";

Here I'm using the WHERE clause to look for three matches:

- The session ID stored in user_table should match the one sent in the user's cookie.
- The timestamp in user_table is compared to the current time. If the timestamp is less than 10 minutes (600 seconds) old, it is still valid.
- The user in the table, run through md5(), should match the md5 hash of the username sent in the cookie.

If all three of these values match, the cookie is valid. Requiring three values in the database to agree makes it harder for a malicious user to fake a session ID in order to reach protected resources. Even if a user can guess a session ID, he or she must also pair it with the correct md5 hash of the username within the time window specified in the query (in this case, 10 minutes). Note that md5() is a hash, not encryption: the hashed username is a deterministic transform of a value that is often not secret, so the freshness window and the hard-to-guess session ID are what carry the security here. Note also that, as written, the two cookie values are interpolated directly into the SQL string, so a crafted cookie can change the meaning of the query; binding them as parameters of a prepared statement avoids that.

The function ends with a return statement, which sends the user's auth_group back to the calling program:

    return $row['auth_group'];

As an example, here's the code that creates a page called userpage.php. That page calls the check_session function to validate the user before continuing. The code for the page is as follows:
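The following is an added example, not the book's own check_session code: it performs the same three-way check (session ID, 10-minute freshness, md5 of the username) described above, but with the cookie values bound as parameters of a PDO prepared statement rather than interpolated into the SQL. It assumes a MySQL database (the book's query already relies on MySQL's unix_timestamp()), a table user_table with columns user, session, timestamp (a Unix time integer) and auth_group, and cookies named session and user; all of those names are assumptions for illustration.

```php
<?php
// Added example (not the book's code). Assumed schema:
//   user_table(user, session, timestamp, auth_group), timestamp = Unix time (int).
// Assumed cookie names: "session" (session ID) and "user" (md5 of the username).

const SESSION_LIFETIME = 600; // seconds; the book's 10-minute window

/**
 * Returns the user's auth_group when the cookie pair is valid, or null otherwise.
 * Valid means all three conditions from the text hold at once:
 *   1. the session ID in the cookie equals the row's session column,
 *   2. the row's timestamp is less than SESSION_LIFETIME seconds old,
 *   3. MD5(user) of the row equals the md5 username value from the cookie.
 */
function check_session(PDO $db, ?string $cookieSession, ?string $cookieUser): ?string
{
    // Reject early when either cookie is absent.
    if ($cookieSession === null || $cookieUser === null) {
        return null;
    }
    // The cookie's user value must look like an MD5 digest (32 hex digits);
    // anything else cannot match MD5(user) and is rejected without a query.
    if (!preg_match('/^[0-9a-f]{32}$/', $cookieUser)) {
        return null;
    }

    // Same WHERE clause as the book's query, with placeholders instead of
    // interpolated cookie values, so a crafted cookie cannot alter the SQL.
    $sql = 'SELECT auth_group FROM user_table'
         . ' WHERE session = :session'
         . ' AND timestamp > (UNIX_TIMESTAMP() - :lifetime)'
         . ' AND MD5(user) = :user'
         . ' LIMIT 1';

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':session', $cookieSession, PDO::PARAM_STR);
    $stmt->bindValue(':lifetime', SESSION_LIFETIME, PDO::PARAM_INT);
    $stmt->bindValue(':user', $cookieUser, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no row satisfied all three conditions: cookie is not valid
    }
    return $row['auth_group'];
}

// A protected page calls this at the top, as the text describes, and bails out
// when null comes back (DSN and redirect target are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'password');
// $group = check_session($db, $_COOKIE['session'] ?? null, $_COOKIE['user'] ?? null);
// if ($group === null) { header('Location: login.php'); exit; }
```

The early preg_match check is not a substitute for the prepared statement; it simply refuses malformed cookie values before a database round-trip. The returned auth_group is null on any failure, so the calling page has a single condition to test before rendering protected content.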
