Sessions in PHP+MySQL (very confused!)

[motorollin]

OT I know, but I don't really know where else to ask. I tried a PHP forum but the responses I got weren't very helpful.

I'm writing an online, multiplayer text-based game. My aim is for the game to be totally cross platform, including Amiga, PC, Mac, *nix boxes using Lynx, PDAs, etc etc. The game is therefore written in PHP with a MySQL back end, with all output being plain text and all input being hyperlinks which pass commands back into the PHP script in the URL. All very compatible and easy so far :-)

My problem is that, if I understand correctly, in order to make the game multi-user, I have to implement sessions on the site so that people can log in to it and remain logged in as they move around the site. I have read the PHP manual on sessions, but still don't understand! I was hoping someone who has actually implemented sessions in PHP could point me to a simple tutorial, or better yet explain exactly what I need to do.

Thanks in advance for any help!

--
moto

[motorollin]

Hi Nycran! Thanks for your reply - really helpful! Checking the username I can do, that's easy. ("users" table in database with username/password fields, simple MySQL query and PHP code to check they match.)

A couple of questions about the rest:

1. I can use PHP to create a random string to ID the user. Would I then need to write this to their record in the "users" table to link the ID with the user?

2. If the ID is stored as a cookie, what would in theory stop the user from modifying the contents of the cookie to another user's ID and assuming their identity? I guess this is made less likely by making the ID string extremely long, but it's still a possibility, right?

Thanks again!

--
moto

[motorollin]

Ok, I think I understand the process now.

1. PHP script checks for a session ID stored as a cookie on the user's machine. If this is found, then the session is re-established so the user is logged on without having to type logon credentials. This is done every time a page is loaded to keep the user logged on.

2. If no cookie is found, the user is prompted for logon credentials. These are validated by the PHP script. Assuming the logon credentials match, a session ID is generated and stored as a cookie. Question: presumably this session ID needs to be stored on the server for later checking. Where is it kept?

Cheers

--
moto

[motorollin]

Thanks for the info. I'm still confused by this, but feel a bit more ready to tackle the PHP Sessions documentation (again).

Is there a reason why this would not work:

1. User is asked to log in
2. Logon credentials are validated
3. Unique session ID generated and stored both as cookie and also in the user's record in the "users" table of the database
4. Every time a page is loaded it retrieves the session ID from the cookie, then searches the users table and finds which user is associated with that session ID
5. The site acts as though that user has logged on

.....

6. User returns to site for another visit
7. Cookie still exists - goto 4

.....

8. User returns to site for another visit
9. Cookie has expired - goto 1

--EDIT
I've done a diagram of how I see this working.

Cheers

--
moto

[motorollin]

Don't apologise - I appreciate all the input :-) There is lots of information which is read from the database each time a page loads or is refreshed - i.e. the user's status in the game. Checking a session ID would be just one more of many transactions.

Currently, the page loads immediately. However, this is with just me using the database. I understand that the more people there are logged on the slower it will be. Maybe by the time there are enough people playing the game to make a difference to the speed of the database I will be able to afford to upgrade the server :-)

--
moto

[motorollin]

Hi Karlos

The game is very database intensive and will require access to the database to do anything. There are not really any user variables, only the ones used to log in. So changing the way users log in won't really affect the efficiency of the code.

You are correct, that assuming somebody else's identity in the game will only allow them to cheat. That's not ideal, but I think I can minimise the risk.

Thanks everyone for your help!

--
moto

[motorollin]

Thanks again everyone. I got it working using the diagram I drew (setting sessionID cookie and storing in user table, then comparing them each page refresh to keep the user logged on). As I said the game is database hungry anyway so I don't think this one extra step will make much of a difference.

--
moto

[motorollin]

Thanks Nycran :-)

What's a correlated subquery? My guess would be where you run a query to find a value from the database (e.g. query on session ID to find the user's name) then feed that value back in to another query (e.g. query on username to get the user's status in the game).

I'm probably totally wrong though :-)

--
moto

[motorollin]

I didn't know you could nest queries like that. I would do this:

SELECT username FROM users WHERE sessionID = '$_COOKIE['sessionid'];
then store the username in a variable in PHP, then do
SELECT * FROM status WHERE username = '$username';

I guess your way is more efficient (in speed and code).

--
moto