It might be that you and your friend have a misunderstanding about
the role of the cookie.
He possibly thinks he isn't storing any sensitive information in cookies
(as he shouldn't). He is "only" storing the session-id.
(Not sure, I am guessing here)
No problem. I like to help. :-)
>
> I thought session variables were tied to a session with a particular
> client.
That is correct.
> Let's say you have 2 registered users in your database, Charles and
> Aude. On your main page you have a "connection" link that leads you to a
> form where you're asked for your name. The client enters "Charles", the
> server checks and sees "Charles" in the database. It finds it, fills in
> a "name" session variable with "Charles" and eventually retrieves
> Charles' personal information in the database.
OK.
>
> Now Aude comes in and connects too.
>
> The server is dealing with 2 sets of session variables. It knows that
> Charles and Aude are connected (and will be connected forever until
> they restart their browsers).
Correct.
>
> So now:
> If Charles clicks to visit the website further, the server *has* to know
> that it's dealing with the set of session variables where name="Charles",
> with that particular session, no?
Maybe.
What actually happens (but I didn't see your code of course) is
something like this:
1) You present the visitor a page with a login: username and password
for example.
They reside in a form. The form is posted, and the server does something like this:
<?php
session_start(); // Or use session.auto_start in php.ini
// Receive posting
$username = $_POST["username"];
$password = $_POST["password"];
// Check against database:
$SQL = "SELECT userid, isadmin, cansendemail FROM tblusers where
((username={$username}) AND (password={$password}))";
// NEVER use the above example as I posted it.
// You should make sure you are not vulnerable to SQL injection:
// make sure you escaped $username and $password properly.
// some fantasy execute:
$RS = $conn->getAllAssoc($SQL);
if (isset($RS[0])){
    // OK, we know this person.
    // Now here the session gets filled
    $_SESSION["validUser"] = "Y";
    $_SESSION["userid"] = $RS[0]["userid"];
    $_SESSION["isadmin"] = $RS[0]["isadmin"];
    $_SESSION["cansendemail"] = $RS[0]["cansendemail"];
    header("Location: http://www.blabla.com/customersOnly.php");
    exit;
} else {
    // wrong username/password
}
?>
The latter part is what matters.
The session is already running (and will be accessible from every page
that has session_start() at the top).
You set some values in it, in my example:
$_SESSION["validUser"]
$_SESSION["userid"]
$_SESSION["isadmin"]
$_SESSION["cansendemail"]
Now from some other page, e.g. customersOnly.php, you can check if the
visitor is logged in correctly, simply by checking $_SESSION["validUser"].
e.g.:
<?php
session_start(); // needed on every page that reads $_SESSION
if ( isset($_SESSION["validUser"]) && ($_SESSION["validUser"]=="Y")){
    // do stuff.
} else {
    // not welcome
}
?>
Remember the content of $_SESSION never leaves the server, but PHP can
use it whenever you need access to it.
> If so, on each page of the website Charles visits, the server could first
> test for the value of the name variable and if present in the database
> print whatever it wants about Charles.
No. The database is NOT involved.
(Unless you write your own session handler, which is, I expect, not
happening since your friend just started coding.)
Of course you can check against the database every request, but that is
a huge waste of resources.
You should check once, and then rely on the values you have set in your
session. Like my example above with $_SESSION["validUser"].
>
> Does it make sense?
> Of course, in real world you would check for a password too.
>
I hope my example helps you understand the interaction between login
(with or without password), session, and subsequent checks on other
pages against the values in the session.
Also, don't take my word for it.
Use a web browser like Firefox, install an extension named webdeveloper,
or one of the many others, and you can easily see all the cookies going
round.
You will see only 1 session-cookie coming from PHP.
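The login and check pages above, rewritten as an added example that is not part of the original post or its author's code. It closes the holes the post itself flags (SQL injection through string interpolation, plaintext password comparison) and keeps the same session keys. It assumes a PDO connection in $pdo, a tblusers table with a password_hash column holding password_hash() output, and the example.com URL; those names are assumptions, not from the thread.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: $pdo is an open PDO connection; tblusers has columns
// userid, isadmin, cansendemail, username and password_hash.

// Harden the only thing that does leave the server: the session-id cookie.
session_set_cookie_params([
    'httponly' => true,  // not readable from JavaScript
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax', // not attached to most cross-site requests
]);
session_start();

// Look the user up with a prepared statement (input is bound, never
// interpolated into the SQL text) and verify the password against its hash.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT userid, isadmin, cansendemail, password_hash
           FROM tblusers WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    unset($row['password_hash']); // never copy the hash into the session
    return $row;
}

// login.php: fill the session once, after a successful check.
function login(PDO $pdo): void
{
    $user = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        http_response_code(401);
        exit('Login failed');
    }
    // New session id on login so an id known before authentication
    // (session fixation) is not carried into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['validUser']    = 'Y';
    $_SESSION['userid']       = $user['userid'];
    $_SESSION['isadmin']      = $user['isadmin'];
    $_SESSION['cansendemail'] = $user['cansendemail'];
    header('Location: https://www.example.com/customersOnly.php');
    exit;
}

// customersOnly.php: only the server-side session is consulted, not the
// database, exactly as the reply above describes.
function requireLogin(): void
{
    if (!isset($_SESSION['validUser']) || $_SESSION['validUser'] !== 'Y') {
        http_response_code(403);
        exit('Not welcome');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    login($pdo);
}
requireLogin();
// do stuff for the logged-in visitor
```

The browser still receives exactly one cookie, the PHPSESSID (or whatever session.name is set to); the userid, isadmin and cansendemail values stay in the server-side session store, which is why the cookie flags above are what protect the logged-in state.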