Building Browsergames: forcing users to log in (PHP)

While we’ve been building our game, we haven’t really been focusing too much on securing our game against users who haven’t logged in yet. Most of our pages rely on the fact that the user needs to be logged in to see them, and they’ll break horribly if the user isn’t. So today, we’re going to add some handling to our game that will make sure that users are logged in before they try to access something.

You might be wondering how we’re going to figure out whether a user is logged in or not. And the answer to that question is a lot simpler than you might think: we’ll just use what we already have.

Any of our pages that use our stats code have a snippet at the top of them that retrieves the current user’s User ID, so that we can interact with their stats. We can use that code as our starting point – here’s a refresher on what it looks like:

```php
session_start();

require_once 'config.php';		// our database settings
$conn = mysql_connect($dbhost,$dbuser,$dbpass)
	or die('Error connecting to mysql');
mysql_select_db($dbname);
$query = sprintf("SELECT id FROM users WHERE UPPER(username) = UPPER('%s')",
			mysql_real_escape_string($_SESSION['username']));
$result = mysql_query($query);
list($userID) = mysql_fetch_row($result);
```

All that code does is retrieve the username we stored in the session and use it in our SQL to look up the user's User ID. We can easily modify it to check what came back, and redirect when nothing did:

```php
<?php

session_start();

require_once 'config.php';		// our database settings
$conn = mysql_connect($dbhost,$dbuser,$dbpass)
	or die('Error connecting to mysql');
mysql_select_db($dbname);
// a visitor who never logged in has no username in the session at all,
// so guard the lookup to avoid an "undefined index" notice
$username = isset($_SESSION['username']) ? $_SESSION['username'] : '';
$query = sprintf("SELECT id FROM users WHERE UPPER(username) = UPPER('%s')",
			mysql_real_escape_string($username));
$result = mysql_query($query);
list($userID) = mysql_fetch_row($result);
if(!$userID) {
	// not logged in!
	header('Location: login.php');
	// stop here: without exit, PHP keeps running the rest of the page
	// and sends the protected content along with the redirect header
	exit;
}

?>
```

If you save that file as login-check.php, you can now add this line to any file that you want to require a login for:

```php
require_once 'login-check.php';
```

And if a user attempts to access the page without having logged in first, they’ll be automatically redirected to the login page. Easy!
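Here is an added example of the same idea taken one step further; it is not code from the original tutorial. Instead of querying the database on every page, login.php stores the user's ID in the session once the password check has passed, and login-check.php only reads it back. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params), and the function names login_success, current_user_id and require_login are my own.

```php
<?php
// Added example (not the tutorial's code): session-based login check that
// needs no database query per page and that stops running after the redirect.
// Assumes login.php calls login_success() after verifying the password.

// Harden the session cookie before session_start(): HttpOnly keeps page
// scripts from reading the session ID; 'secure' is set when served over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => isset($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

/**
 * Call this from login.php once the username/password check has passed.
 * Regenerating the session ID when the user logs in prevents session
 * fixation: an ID handed to the browser before login is useless afterwards.
 */
function login_success(int $userId, string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['username'] = $username;
}

/**
 * Returns the logged-in user's ID, or null when there is no valid session.
 * isset() avoids an "undefined index" notice for visitors with no session data.
 */
function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        return null;
    }
    return $_SESSION['user_id'];
}

/**
 * Redirects to the login page and *stops*. Without exit, PHP keeps running
 * the rest of the page after sending the Location header, so the protected
 * content would still be generated and sent to the unauthenticated client.
 */
function require_login(): int
{
    $userId = current_user_id();
    if ($userId === null) {
        header('Location: login.php');
        exit;
    }
    return $userId;
}

// login-check.php: every protected page gets $userID set, or is redirected.
$userID = require_login();
?>
```

The point of the `exit` is easy to miss when testing in a browser, because the browser follows the redirect and you never see the leaked page; a plain HTTP client that does not follow redirects shows the full response body.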


Luke is the primary editor of Building Browsergames, and has written a large portion of the articles that you read here. He generally has no idea what to say when asked to write about himself in the third person.

Tuesday, June 24th, 2008 buildingbrowsergames, code, design, php, security
  • kic

    What about storing user's IP in the session variable when they log in additionally and check whether it matches current IP on every login check? Wouldn't it make the whole process a bit safer?

  • MrLollige

    I just realized: Isn't this very unsecure? If I create a cookie myself that has your username in it, I am automatically logged in on your account right?

    And why do this instead of just checking if there still is a cookie? I do not need to know the user ID anyway.
    Also, in my version of the game I am making with your tutorial, I stored the ID in the cookie too, because you really need it often. Or is retrieving data from the database faster/better than retrieving data from a cookie?

    Please explain what and why you did this :)

  • Realistically, any authentication system you build is unsecure - but PHP's
    sessions are 'safe enough'. As far as I'm aware(although I'm sure someone
    will correct me if I'm wrong), sessions are stored in an encrypted format in
    the cookie - which makes it a little harder for an attacker to just create a
    cookie with your username inside it.
    Storing the ID does seem like a better way to do it, if you're going to need
    the ID very often - it's definitely faster to retrieve something from a
    cookie than the database.

  • MrLollige

    I expected sessions were just a form of standard cookies. But it seems they are not, and secure as you said :)
    Thanks for sharing this information!

  • MrLollige

    I'll do some research on PHP's sessions function, that will get me more information :D
    Thanks again for your reply!

    (Still even an encrypted cookie is copyable. If you see a computer where someone is logged in, you could copy the cookie and use it yourself forever. But I am not planning on working with session IDs -_-)
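The thread above ends on the worry that a copied session cookie stays usable forever. With PHP's default session handler the cookie only carries the session ID and the data lives on the server, so the practical defence is to limit how long that ID is honoured. The following is an added example, not code from the post or from the commenters; the limits, the function names (mark_login, session_expired, logout) and the session keys login_at and last_seen are my own choices.

```php
<?php
// Added example, not code from the original tutorial or its commenters.
// Limits how long a copied session cookie stays useful: sessions are dropped
// after IDLE_LIMIT seconds without a request, or ABSOLUTE_LIMIT seconds after
// login regardless of activity, and logout destroys the server-side session
// as well as the cookie. Assumes login.php calls mark_login() on success.

const IDLE_LIMIT     = 30 * 60;      // 30 minutes without a request (chosen value)
const ABSOLUTE_LIMIT = 12 * 60 * 60; // 12 hours after login, whatever the activity

session_start();

/** Record the login time; call right after a successful password check. */
function mark_login(): void
{
    $now = time();
    $_SESSION['login_at']  = $now;
    $_SESSION['last_seen'] = $now;
}

/**
 * True when the session is too old to trust. Takes the session array and the
 * current time as arguments so it can be exercised without a live session.
 */
function session_expired(array $session, int $now): bool
{
    if (!isset($session['login_at'], $session['last_seen'])) {
        return true; // no login recorded at all
    }
    return ($now - $session['last_seen']) > IDLE_LIMIT
        || ($now - $session['login_at']) > ABSOLUTE_LIMIT;
}

/** Destroy the server-side state and expire the cookie in the browser. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Per-request check, to run at the top of login-check.php on protected pages:
if (session_expired($_SESSION, time())) {
    logout();
    header('Location: login.php');
    exit;
}
$_SESSION['last_seen'] = time();
```

A logout link that calls logout() gives the user a way to invalidate a session they suspect has been copied; the idle and absolute limits cover the case where they never do.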
