
How can I access user information after logging them in?

Tags: php, mysql, session

I'm building a basic application and I'm trying to figure out how I can pass the user information from login.php to index.php. Here's what I got so far: I have a login page that submits and authenticates the user through the database through a user class. After that, the user properties are set to the values that are returned from the database. From there the id is stored in a session. How would I go about accessing user information from page to page? Should I just build a construct method to query the database with the session id? Is that a safe or valid approach? An example would be Stack Overflow. The way you can see your username at the top of every page.

Scott asked Dec 08 '11 01:12


3 Answers

Sounds like you have the general idea of session handling down. So you're just asking what method is secure, or optimized or whatever.

It is common to store as little info in the session or cookie as possible so you don't open your users up to simple fishing hacks. So ideally that means you have a session table in the database that you can cross reference with the session id.

Yes, you would run a query on every page load, but that's not really that much overhead on a standard site. And it is not unsecure so long as you properly sanitize your input. That way you won't be brought down if the user manipulates their session info.

Alternatively, if you're just using the user id and a username, you can safely store those in the session and avoid a query on every page load. Just don't go nuts filling session or cookie data up with extremely long arrays filled with uncommonly used information.

Kai Qing answered Oct 15 '22 04:10


In your login page, store user information from the database in a session. On the other pages, you can directly call them:

<?php
session_start(); // start (or resume) the session
$_SESSION['user'] = $username; // $username: the value loaded from the database at login

and on the other site

<?php
session_start();
echo htmlspecialchars($_SESSION['user']); // read the stored value back, escaped for HTML output

Jan Vorcak answered Oct 15 '22 04:10


I'm building a basic application and I'm trying to figure out how I can pass the user information from login.php to index.php

One way is to store the shared data as PHP session data: http://www.tizag.com/phpT/phpsessions.php

<?php
session_start(); // start the session

$_SESSION['views'] = 1; // store session data
echo "Pageviews = ". $_SESSION['views']; //retrieve data

Store the user data you need for all pages. You can leave extended data in the DB, so you don't have to query a ton of data up front (like the exhaustive statistics you'd see on the profile page on SO).

Then you won't have to re-query user data on every page. Just retrieve it from session data.

Should I just build a construct method to query the database with the session id? Is that a safe or valid approach?

If you are using the same DB account for everything, there's not anything inherently less safe about querying the user table. You won't expose yourself to any more risk than any other query you're already doing.

If you're worried about safety when accessing the DB, I suggest you learn about a concrete problem: preventing SQL injection attacks.

See: How can I prevent SQL injection in PHP?

Merlyn Morgan-Graham answered Oct 15 '22 03:10
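
The approach discussed in the answers above (keep only the user id in the session, then look the user up on each page load with a parameterized query), as an added example that is not part of the original posts. The `users` table, its columns, the sample account and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example, not from the original answers. Table/column names and the
// sample account are constructed; SQLite in memory stands in for MySQL.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['scott', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// login.php: verify credentials, then keep only the user id in the session.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);          // bound parameter, never string concatenation
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // new session id after login (anti-fixation)
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// index.php and every other page: resolve the session's id to a user row.
function current_user(PDO $db): ?array {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {                // account deleted since login
        unset($_SESSION['user_id']);
        return null;
    }
    return $user;
}

session_start();                          // must run before any output
$db = make_db();
$ok = login($db, 'scott', 'correct horse');
$user = current_user($db);
echo $ok && $user !== null
    ? 'Logged in as ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . "\n"
    : "Not logged in\n";
```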