8 SESSION

We don’t want just anyone to be able to come along and edit our blog. Let’s make an effort to protect it. In this effort, we will encounter another super global “$_SESSION[]” along the way. We’ll be pretending this is secure. In “real world” applications, it’s best to go with an established method and not reinvent the wheel yourself. But, for us right now, reinventing the wheel might prove to be an enlightening experience!

So, what does this “$_SESSION” super global do? It holds information about the user and their session with the server. This is where you might find a username, or perhaps time zone details and other personal settings.

We’ll start a session with one line at the top of index.php and then store true in $_SESSION['authenticated'] once the client proves they know a secret pin. We should take care to hide “edit mode” from users who aren’t logged in. A user who wants to log in navigates to edit mode and is prompted for the pin. It’s not the best security method, but this bit of security by obscurity does work: keep the sensitive details out of sight. Why advertise your login portal with a link from your navigation bar? Users who are in the know will know to navigate to the login page; no need to post it publicly!

Here’s our updated code:

<?php

// start a session (must run before any output is sent)
session_start();

// super secret not very secure pin
$secret_pin = "123456";

// Check if the secret pin form was submitted
if(!empty($_POST["pin"])) {
    // check pin for correctness
    if($_POST["pin"] == $secret_pin){
        // set client's status to authenticated
        $_SESSION['authenticated'] = true;
    }
}

// If the edit form was submitted, write changes to file.
// Only an authenticated session may write; without this check anyone
// who POSTs a "text" field could overwrite the blog.
if(!empty($_POST["text"]) && isset($_SESSION['authenticated'])) {
    // file_put_contents writes to file
    file_put_contents('index.html', $_POST["text"]);
}

if(isset($_GET['edit'])) {
    // check for auth
    if(isset($_SESSION['authenticated'])) {
        // file_get_contents reads from file
        $file_contents = file_get_contents('index.html');
        // echo our form elements with $file_contents in the textarea
        echo '<form method="post" action="index.php">';
        echo '<textarea id="text" name="text">';
        echo $file_contents;
        echo '</textarea>';
        echo '<input type="submit" value="submit">';
        echo '</form>';
    } else {
        // if not authenticated
        // echo the pin form so the client can log in
        echo '<form method="post" action="index.php">';
        echo '<input type="text" name="pin">';
        echo '<input type="submit" value="submit">';
        echo '</form>';
    }
} else {
    // render index.html
    require('index.html');
    // link to access edit mode, only shown to authenticated users
    if(isset($_SESSION['authenticated'])) {
        echo '<a href="/?edit=true">Edit</a>';
    }
}

Serve your web application by running: >php -S localhost:8080 index.php

Navigate to http://localhost:8080?edit to log in. That’s it! We’ve somewhat secured the simple blog we made in the last chapter. By no means is this secure-secure, but it is at least better than nothing!
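For comparison, here is an added example (not the chapter's own code) of the same pin-protected editor with the habits an established method would give you: a constant-time pin comparison, a fresh session id after login, cookie flags, a CSRF token on the edit form, escaping of the textarea contents, the file write gated behind authentication, and a logout. It assumes the same index.html next to the script and reads the pin from a hypothetical BLOG_PIN environment variable (falling back to a constructed value for local testing).

```php
<?php
// Added example, not the chapter's code: hardened version of the pin-protected editor.
declare(strict_types=1);

// Session cookie not readable by JavaScript and not sent on cross-site requests.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

// Hypothetical BLOG_PIN environment variable; the fallback is a constructed test value.
$secret_pin = getenv('BLOG_PIN') ?: '123456';
$blog_file  = __DIR__ . '/index.html';

function is_authenticated(): bool {
    return !empty($_SESSION['authenticated']);
}

// One CSRF token per session, embedded in the edit form and checked on write.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
}

// Log out: clear and destroy the server-side session, then go home.
if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}

// Log in: hash_equals compares in constant time; session_regenerate_id
// means a session id handed to the victim before login is useless afterwards.
if (isset($_POST['pin'])) {
    if (is_string($_POST['pin']) && hash_equals($secret_pin, $_POST['pin'])) {
        session_regenerate_id(true);
        $_SESSION['authenticated'] = true;
    } else {
        usleep(250000); // make online guessing slower
    }
}

// Write: only for an authenticated session that presents the right CSRF token.
if (isset($_POST['text'])) {
    $token_ok = isset($_POST['csrf']) && is_string($_POST['csrf'])
        && hash_equals($_SESSION['csrf'], $_POST['csrf']);
    if (!is_authenticated() || !$token_ok) {
        http_response_code(403);
        exit('Not authorized');
    }
    // LOCK_EX takes an exclusive lock so two writers do not interleave.
    file_put_contents($blog_file, (string) $_POST['text'], LOCK_EX);
}

if (isset($_GET['edit'])) {
    if (is_authenticated()) {
        $file_contents = (string) file_get_contents($blog_file);
        echo '<form method="post" action="index.php">';
        // Escape so content containing "</textarea>" cannot break out of the field.
        echo '<textarea name="text">'
            . htmlspecialchars($file_contents, ENT_QUOTES, 'UTF-8')
            . '</textarea>';
        echo '<input type="hidden" name="csrf" value="' . $_SESSION['csrf'] . '">';
        echo '<input type="submit" value="submit">';
        echo '</form>';
    } else {
        // Pin form posts back to edit mode so a successful login lands in the editor.
        echo '<form method="post" action="index.php?edit=true">';
        echo '<input type="password" name="pin" autocomplete="off">';
        echo '<input type="submit" value="submit">';
        echo '</form>';
    }
} else {
    require $blog_file;
    if (is_authenticated()) {
        echo '<a href="/?edit=true">Edit</a> <a href="/?logout=true">Log out</a>';
    }
}
```

Run it the same way (php -S localhost:8080 index.php) with BLOG_PIN set in the environment. The two changes that matter most relative to the chapter's version are that the file write now refuses unauthenticated requests and that the session id is regenerated at login; the rest is cheap hygiene you get for free from an established library.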

Exercises:

  1. A PHP file might be revealed by the browser in certain circumstances. For example, forget an opening “<?php” and a chunk of code might show up in the browser. To prevent this from ever happening with “$secret_pin”, try to isolate that code in another file and load it into index.php instead.

  2. Imagine you shared this simple blog with a friend and they were making edits at the same time as you. What kind of errors could happen as a result? How might you prevent those errors?