sessions and cookies

  • pradeepjain
    Contributor
    • Jul 2007
    • 563

    sessions and cookies

    Hi,
    I am starting to learn about sessions and cookies... I need some help or suggestions.

    I have a form wherein a user fills in the form, then previews it on the second page, and then submits the form from the preview page. Then a thanks message is shown on the 3rd page after submission.

    Now I don't want the user to go to the 2nd page directly by knowing the URL, because he can skip the JavaScript validation. And after submission, when the submission is finished and the thanks message gets displayed, the session must expire, because when he refreshes the page the form submission gets done again.


    Thanks,
    Pradeep
  • rohypnol
    New Member
    • Dec 2007
    • 54

    #2
    Hello,

    You mustn't rely on JavaScript validation. That's just a guide to prevent the user from submitting the page multiple times and getting error messages. JavaScript helps the user by displaying error messages as soon as possible.

    Your first page must contain form validation JavaScript to help the user, and the form method should be POST to the second page.

    The second page should begin with session_start(), then it should validate the form elements (you have to validate everything on the server again). If the input is OK, put all the input elements in an associative array and then put the array in $_SESSION:
    Code:
    session_start();
    // exit after each redirect: header() alone does not stop the script, so the lines below would still run.
    if (empty($_POST['first_name'])) { header('Location: page1.php'); exit; } // if the user tried to trick us by messing with the JavaScript, send him back!
    if (empty($_POST['last_name'])) { header('Location: page1.php'); exit; } // if the user tried to trick us by messing with the JavaScript, send him back!
    // keep only the validated fields and store them for page 3
    $user_data = array(
      'first_name' => $_POST['first_name'],
      'last_name' => $_POST['last_name']
      );
    $_SESSION['page1_input'] = $user_data;
    Then you echo the confirmation HTML, with a form that doesn't contain any input elements and just redirects the user to page3.php.

    The third page should also begin with session_start() because ALL the pages that want to work with session variables need to initialize the session when they're requested. Then it should use the information in $_SESSION:
    Code:
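    session_start();
    // exit after the redirect so the processing below never runs without session data
    if (!isset($_SESSION['page1_input'])) { header('Location: page1.php'); exit; } // user tried to load this page directly, without passing through pages 1 and 2.
    processInformationInUserDataAssociativeArray($_SESSION['page1_input']);
    unset($_SESSION['page1_input']); // a refresh of this page now finds nothing to submit again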
    And now it should say thanks.

    Keep in mind that anyone can disable JavaScript on their browser and anyone can replace YOUR JavaScript with THEIR own JavaScript code! Anyone can easily emulate form submission with both the GET and POST method and they can even emulate the form as being posted from your own domain when it's not. Never say "never," there's always some idiot trying to mess with your website to steal information, so you should follow at least the steps I've posted above.
    If you have any questions regarding this process, let me know :)

    Hope this helps,
    Tom
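
The same flow as an added example, not part of the original posts: the page 2 and page 3 logic is written as plain functions so the direct-access and refresh cases can be run from the PHP CLI. The function names, the return strings and the $saved array are assumptions made for the example, and $session stands in for $_SESSION.

```php
<?php
// Added example: handler names and return values are hypothetical.
// $session stands in for $_SESSION so the flow runs offline from the CLI.

function page2_preview(array $post, array &$session): string {
    $clean = [];
    foreach (['first_name', 'last_name'] as $field) {
        // Stricter than empty(): whitespace-only input is rejected as well.
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            return 'redirect:page1.php';   // server-side check failed, nothing is stored
        }
        $clean[$field] = $value;
    }
    $session['page1_input'] = $clean;      // only validated fields reach the session
    return 'show:preview';
}

function page3_submit(array &$session, array &$saved): string {
    if (!isset($session['page1_input'])) {
        return 'redirect:page1.php';       // direct request, or refresh after submission
    }
    $data = $session['page1_input'];
    unset($session['page1_input']);        // consume first: one preview, one submission
    $saved[] = $data;                      // stand-in for the real processing step
    return 'show:thanks';
}

// Constructed requests, evaluated in order against one session.
$session = [];
$saved = [];
$steps = [
    'page 3 requested directly'   => page3_submit($session, $saved),
    'page 2 with blank last_name' => page2_preview(['first_name' => 'Ann', 'last_name' => ' '], $session),
    'page 3 after failed page 2'  => page3_submit($session, $saved),
    'page 2 with valid input'     => page2_preview(['first_name' => 'Ann', 'last_name' => 'Lee'], $session),
    'page 3 confirm'              => page3_submit($session, $saved),
    'page 3 refreshed'            => page3_submit($session, $saved),
];
foreach ($steps as $label => $result) {
    printf("%-30s %s\n", $label, $result);
}
printf("records saved: %d\n", count($saved));
```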
