maintaining login status across page refreshes

[lost hope]

hey guys,
on the main page of my site, i have a login area (user/pass text
boxes). when the user submits the form, the page is reloaded with with
a global php variable "loggedIn" set to true. i also store the
username and password in the page in a hidden form -- so that it can be
passed to other pages on the site through standard navigation
(maintaining the "loggedIn" status). however, is there any way to save
this information if the user hits refresh? as it stands, whenever the
user hits refresh, the user/pass data is lost, and loggedIn is set to
false. can this be worked around without using cookies? thanks!

 

[Random]

This is more of a PHP question than JavaScript. Take a look at PHP
sessions-- they do use cookies when they can, and don't when they
can't.

I'd say it's generally bad practice to have the password sent back and
forth so often, especially as the password might be cached by the
user's browser.

If you're not concerned about it (bad!), you might try having the
username and password as part of the URL
(mypage.php?username=Random&password=lost+hope)

though that's far worse, I should think...

 

[lost hope]

yeah, you're definitely right -- saving and passing around the password
is a bad idea. after i've verified that their username/pass is valid
(a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed
down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do what
you're suggesting, and do something like: "mypage.php?username=random",
however, then anyone could impersonate somebody else, by simply typing
"?username=random" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any way
to grab that info when the page is refreshed. unless i'm missing
something?

 

[Random]

The hidden form idea is still very easily forged.

What's to say I don't make a form, store it locally, and click a button
to impersonate someone?

<form action=http://losthope.com/mypage.php method=POST>
<input type=text name=username />
<input type=hidden name=loggedin value=1 />
<input type=submit value=Impersonate />
</form>

[File > Save As > C:\NameThief.html]

See what I mean?

Check out PHP sessions. They'll take care of you.

But if you absolutely want to do it with an embedded form field...
well, refreshing shouldn't make a difference, because theoretically the
browser should repeat the exact same HTTP request it used in the first
place. i.e. Same form data.

There is no (simple, reliable) way to make JavaScript help you here.
The entire JavaScript 'state' is lost upon page refresh.



(if you're adamant, you could use an unload event handler that opens a
new window which monitors the main window for a return to your site and
auto-re-populates the information you want, then closes itself. but
this is really a lot of trouble when PHP [which you're already
implementing] can do all of this automatically with sessions)

P.S.
Did I mention PHP sessions?

 

[lost hope]

heh, ok, PHP sessions it will be! i was wondering if one could easily
circumvent the hidden form part, and it certainly seems to be the case.
i suppose it's time for a bit o' php research thanks for the help!

The hidden form idea is still very easily forged.

What's to say I don't make a form, store it locally, and click a button
to impersonate someone?

<form action=http://losthope.com/mypage.php method=POST>
<input type=text name=username />
<input type=hidden name=loggedin value=1 />
<input type=submit value=Impersonate />
</form>

[File > Save As > C:\NameThief.html]

See what I mean?

Check out PHP sessions. They'll take care of you.

But if you absolutely want to do it with an embedded form field...
well, refreshing shouldn't make a difference, because theoretically the
browser should repeat the exact same HTTP request it used in the first
place. i.e. Same form data.

There is no (simple, reliable) way to make JavaScript help you here.
The entire JavaScript 'state' is lost upon page refresh.



(if you're adamant, you could use an unload event handler that opens a
new window which monitors the main window for a return to your site and
auto-re-populates the information you want, then closes itself. but
this is really a lot of trouble when PHP [which you're already
implementing] can do all of this automatically with sessions)

P.S.
Did I mention PHP sessions?

yeah, you're definitely right -- saving and passing around the password
is a bad idea. after i've verified that their username/pass is valid
(a database check), all i really need to pass around is the "login
status" and their "username" -- which could really just be condensed
down to username (when not null, the person is logged in). passing
around the username would allow them to post messages in their own
name, etc without having to continuously re-enter it. i could do what
you're suggesting, and do something like: "mypage.php?username=random",
however, then anyone could impersonate somebody else, by simply typing
"?username=random" into their browser. that's why i was trying to
store the username in a hidden form. but it seems there isn't any way
to grab that info when the page is refreshed. unless i'm missing
something?