
How to make a login session in PHP?

The user should only be allowed to access a page after login. I have pages called news.html and signin.html. I am new to PHP. I want the user to log in to get access to the news.html page. Any suggestions? Give examples in code.

3 Answers

  • 1 decade ago
    Favorite Answer

    Create a session variable after the successful login.

    eg:

    // $username and $pwd hold the expected credentials
    if ($username === $_POST['uname'] && $pwd === $_POST['pwd'])
    {
        session_start();
        $_SESSION['uid'] = 'Admin';
    }

    And check whether the user is Admin or not in all pages which are meant for admin only (in your news.php page).

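    <?php
    session_start();
    // compare with ==; a single = would assign 'Admin' and always pass
    if (isset($_SESSION['uid']) && $_SESSION['uid'] == 'Admin')
    {
    ?>

    all HTML code goes here

    after the </html> close the bracket of if condition

    <?php
    }
    else
    {
        header("Location: login.php"); // redirects to login page when user is not admin
        exit; // stop the script after sending the redirect
    }
    ?>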

    Only logged in users can see your page with this logic.

  • Anonymous
    1 decade ago

    As a remark on the above poster, you CAN NOT modify a server's session variables from a Firefox addon... your addon is client-side, the session vars are stored server-side... no connection.

    All that Firefox has is the session id, not the session data itself. PHP should default that way. If it's actually storing session data in the cookie, it's insecure no matter how you look at it; never give your users access to the session info itself.

  • 1 decade ago

    Wow, I had to think about this one. It's been a while since I've hand-coded PHP. First off, they've both got to be .php, not .html. Second, you need a database (I'll assume MySQL) to store the accounts with their credentials. And third, this example is extremely insecure:

    signin.php:

    <?php
    session_start(); //must run before $_SESSION is read or written

    //get the login credentials from the form
    $name = $_POST['name'];
    $pass = $_POST['pass'];

    //try to find login credentials in your db
    //(the mysql_* functions were removed in PHP 7; mysqli or PDO replace them)
    $query = "SELECT * FROM `users` WHERE `name` = '".$name."' and `pass` = '".$pass."'";
    $result = mysql_query($query);

    if(mysql_num_rows($result) != 0){ //match found
        $_SESSION['user'] = $name;
        $_SESSION['logged_in'] = true;
    }else{ //no match: clear the login variables from the session
        unset($_SESSION['user'], $_SESSION['logged_in']);
    }
    ?>

    <!-- Display da Form -->
    <form action="signin.php" method="POST">
    <input name="name" type="text">
    <input name="pass" type="password">
    <input type="submit">
    </form>

    news.php:

    <?php
    session_start();
    if(empty($_SESSION['logged_in'])){ //you're not allowed to be here!
    ?><head>
    <meta http-equiv="refresh" content="0;url=http://example.com/" />
    </head>
    <?php }else{ ?>
    <head>
    <head stuff>
    </head>
    <body>
    Howdy, <?php echo $_SESSION['user']; ?>
    </body>
    <?php } ?>

    This is STRICTLY to convey a concept. This method is very insecure because:

    The stored password is unencrypted and not salted.

    Session variables can be easily changed (by the Web Developer toolbar Firefox extension, for example).

    The variables from the form aren't sanitized.

    If you're just getting into PHP programming, check out CMSs like Joomla, WordPress, Drupal, CakePHP, and Symfony (ordered from simplest to most complex). CMSs are the future; nobody hand-codes anymore. This login, for example, is automatically generated (and secure [some more than others]) in all of these CMSs. Plus you won't have to learn a bunch of stuff that you'll never use.

    To the poster below me:

    Are you sure? Only because for this one site long long ago, I had my authentication create a random hash and set it to $_SESSION['hash'] and write it in a MySQL row. When they'd go to another page, the server would read the hash, look it up, and, if it was right, create a random hash and etc... It worked flawlessly. Maybe it's just because I always lumped $_SESSION with $_POST and $_GET, which are also client-side... If you're speaking the truth, you're kind of blowing my mind here.

    Edit:

    Just looked it up. You've blown my mind. My hat is off to you, good sir.

    Source(s): web developer. Oh Yeah!
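
Added example, not part of any answer above: the signin.php / news.php checks with the weaknesses the last answer lists addressed (salted password hashes, form values bound through a prepared statement, a fresh session id at login). The function names, the `pass_hash` column, the demo account and the in-memory SQLite database standing in for MySQL are all assumptions made for illustration.

```php
<?php
// Added example: hardened versions of the signin.php / news.php checks.
// Table layout, function names and the demo account are assumptions.
declare(strict_types=1);

function find_user(PDO $db, string $name): ?array {
    // Prepared statement: the form value is bound as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT name, pass_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check_credentials(PDO $db, string $name, string $pass): bool {
    $user = find_user($db, $name);
    // password_verify() checks against the salted hash made by password_hash().
    return $user !== null && password_verify($pass, $user['pass_hash']);
}

function sign_in(string $name): void {          // call after a successful check
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);                // new session id at login
    $_SESSION['user'] = $name;
    $_SESSION['logged_in'] = true;
}

function require_login(): void {                // call at the top of news.php
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['logged_in'])) {
        header('Location: signin.php');
        exit;                                   // nothing below reaches the browser
    }
}

// Constructed demo data: in-memory SQLite stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_credentials($db, 'alice', 'correct horse'));  // matching password
var_dump(check_credentials($db, 'alice', 'wrong'));          // wrong password
var_dump(check_credentials($db, "alice' OR '1'='1", 'x'));   // quotes stay data
```

In signin.php, `sign_in()` would be called only when `check_credentials()` returns true for the posted name and password; when the stored name is echoed back into a page, pass it through `htmlspecialchars()`.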