2

So, I'm trying to create a login function for a web app.

The login is handled by a JSON interface. The user enters a username and password which are checked, and if they are correct, the JSON interface sends back a token. This is where the session should start, I guess.

<script>  
  $(document).ready(function(){
   $("#loginForm").validate({
    rules: {
      username: {
        required: true,
        digits: true
      },
      password: {
        required: true
      }
    },

    submitHandler: function(form) {
      var data = JSON.stringify({
        "jsonrpc": "2.0",
        "method": "login",
        "params": {
          "params": {
            "username": $('#username').val(),
            "password":  $('#password').val()
          }
        }
      });

      $.ajax({
        url:"http://domain.local:1234/trip",
        type:"POST",
        crossDomain: true,
        dataType: "json",
        data : data,
        headers: {
          'Content-Type': "application/json; charset=utf-8"
        },
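        success: function(data){
          // A JSON-RPC error response carries no "result" member, so guard before reading the token.
          if(data.result && data.result.token != null) {
            window.location.href = "functions/login.php?token=" + encodeURIComponent(data.result.token);
          }

          else $("#result").html("Invalid username and/or password."); 
        }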
      });
      return false;
      }
    });
  });
</script>

My login.php is where the session handling should occur (right?). If possible at all, I'd like not to use cookies. So far, this is the only thing I've got (this is my first attempt with sessions).

<?php
  session_start();
  $token = $_POST['token'];
?>

When the user is logged in, I need them to be sent to overview.php. Should this be done from the login.php file when there's a token, or should it be done from index.php instead of heading to login.php?

Also, how do I check if there's an active session on the pages the user visits? I need the token on every page to make new calls to the JSON interface.

Lastly, when the user needs to log out, I guess I would just head them to logout.php or something like that and end the session there?

Thank you so much for your help!

    $_POST['token']; should be $_GET['token']; as you are passing it in the url. Commented Oct 31, 2012 at 11:20

1 Answer

1

These are the basic setups that you can use for a simple (not secure) login system.

login.php:

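<?php
    session_start();
    // Store the token passed in the URL (assignment, not comparison).
    if(isset($_GET['token']) && !empty($_GET['token']))
        $_SESSION['token'] = $_GET['token'];

    // Add any other checks you want here to decide whether the user is logged in.
    if(isset($_SESSION['token'])){
        header('Location: overview.php');
        exit; // stop the script once the redirect header is sent
    }
?>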

logout.php

<?php
    session_start();
    unset($_SESSION['token']);
    //redirect to desired page
?>

Also, on every page you only want to show to logged-in users you need to add session_start(); and a check to see whether he is still logged in using $_SESSION['token']. If he is no longer logged in, you need to redirect him somewhere else.


3 Comments

You need to check whether the GET value of token is the same as that in the session. Have you done that?
This is just a basic login/logout script. I have said that everywhere he only wants to allow logged-in users he needs to check according to his preferences.
Thanks, I know this is not secure, I'm taking care of that later :) Now I just need the login to work, so I'll give this a shot.
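
A hardened variant of the session flow discussed in the answer and comments above, as an added example that is not part of the original answer: the token arrives by POST instead of in the URL, the session ID is regenerated at login, and one guard function protects every page. It assumes PHP 7.3+ and HTTPS; the file name auth.php and the function names are hypothetical.

```php
<?php
// auth.php (hypothetical name): added example, requires PHP 7.3+ and HTTPS.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');  // reject session IDs PHP did not issue
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // cookie sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

// login.php: if (!empty($_POST['token'])) log_in($_POST['token']); then redirect.
// The token is stored as received; checking it against the JSON interface
// is not shown because the page does not describe a method for that.
function log_in(string $token): void
{
    start_secure_session();
    session_regenerate_id(true); // fresh session ID at login, against fixation
    $_SESSION['token'] = $token;
}

// Top of overview.php and every protected page: $token = require_login();
function require_login(): string
{
    start_secure_session();
    if (empty($_SESSION['token']) || !is_string($_SESSION['token'])) {
        header('Location: index.php');
        exit;
    }
    return $_SESSION['token']; // reuse for calls to the JSON interface
}

// logout.php: log_out(); then redirect.
function log_out(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();
}
```

PHP sessions still rely on the session cookie here; the cookie-less alternative puts the session ID in every URL, where it ends up in browser history, server logs and Referer headers.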
