aebstract Posted June 26, 2008

First of all, this is my first time doing anything with cookies, though it seems to be easy enough. Problem is, they aren't doing what they should. I log a user in with a session and keep them on with that. What I want to do is, if they choose to stay logged in, set their session id with a cookie. When they come back, if the session id isn't set, set it with that cookie. I've read that when you close a browser it will clear/reset cookies, but if you set an expiration time then it will be saved, so I have this:

login page

    if(mysql_num_rows($result) == 0) {
        $error .= "The password you entered did not match the plant location you chose.";
    } else {
        $worked = mysql_fetch_array($result);
        $_SESSION["id"] = $worked['plant'];
        $uid=$worked['user_id'];
        $lastlogin= date("m/d/Y g:i A");
        mysql_query("UPDATE users SET lastlogin='$lastlogin' WHERE user_id=$uid LIMIT 1") or DIE(mysql_error());
        $postsessid = $worked['plant'];
        setcookie ('savedid', '$postsessid', time()+5256000);
        header("Location: /accounthome/");
        exit;
    }

and the index where it reads this

    if (!isset($_SESSION[id])) {
        if (isset($_COOKIE['savedid'])) {
            $_SESSION["id"] = $_COOKIE['savedid'];
        }
    }

aebstract Posted June 26, 2008

bump

aebstract Posted June 26, 2008

bump O.o

roopurt18 Posted June 26, 2008

There is a good chance the session attached to that ID no longer exists on the server.

If you want to create a remember me function, the best thing to do is to store the user's ID or username in a cookie along with a unique token. You store this same unique token in the user's row in the users table. When a guest visits your site, you check for the username and token in the cookie and see if they match in the database as well. If they do, you can auto-login that user.

Do not store the user's password or an easily guessed value in the cookie as clever people will figure it out. You want the token to be unique and constantly changing so the chances of someone guessing the proper token for a username are slim to none.

aebstract Posted June 30, 2008

I set the session by using the user's unique id that they have, i.e. 1,2,3,4,5 etc. With what you said, I made a unique 10-13 char. key for verification, though I guess it is just a little extra security, not 100% needed. I just can't get it to set a session with the stored id in the cookie.

on the login page:

    if (isset($_POST['stayloggedin'])) {
        $postsessid = $worked['plant'];
        setcookie ('savedid', '$postsessid', time()+5256000);
        $numchars = rand(12,15);
        $chars = explode(',','a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,0,1,2,3,4,5,6,7,8,9');
        $random='';
        for($i=0; $i<$numchars;$i++) {
            $random.=$chars[rand(0,count($chars)-1)];
        }
        setcookie ('savedkey','$random', time()+5256000);
        mysql_query("UPDATE users SET randomkey='$random' WHERE user_id=$uid LIMIT 1") or DIE(mysql_error());
    }
    header("Location: /accounthome/");
    exit;
    }

the checkbox (I don't use them often, maybe I messed it up)

    <input type="checkbox" name="stayloggedin" />

the index

    if (!isset($_SESSION[id])) {
        if (isset($_COOKIE['savedid'])) {
            // cookie values come from the browser, so escape them before they reach the query
            $savedid = mysql_real_escape_string($_COOKIE['savedid']);
            $savedkey = mysql_real_escape_string($_COOKIE['savedkey']);
            $result = mysql_query("SELECT * FROM `users` WHERE `plant` = '$savedid' AND `randomkey` = '$savedkey'") or die("Query error: ".mysql_error());
            if(mysql_num_rows($result) == 0) {
                echo "Cookies modified or invalid.";
            } else {
                $worked = mysql_fetch_array($result);
                $_SESSION["id"] = $worked['plant'];
                $uid=$worked['user_id'];
                $lastlogin= date("m/d/Y g:i A");
                mysql_query("UPDATE users SET lastlogin='$lastlogin' WHERE user_id=$uid LIMIT 1") or DIE(mysql_error());
                $postsessid = $worked['plant'];
                setcookie ('savedid', '$postsessid', time()+5256000);
                $numchars = rand(12,15);
                $chars = explode(',','a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,0,1,2,3,4,5,6,7,8,9');
                $random='';
                for($i=0; $i<$numchars;$i++) {
                    $random.=$chars[rand(0,count($chars)-1)];
                }
                setcookie ('savedkey','$random', time()+5256000);
                mysql_query("UPDATE users SET randomkey='$random' WHERE user_id=$uid LIMIT 1") or DIE(mysql_error());
            }
            $_SESSION["id"] = $_COOKIE['savedid'];
        }
    }

LooieENG Posted June 30, 2008

On the setcookie(), should the $postsessid variable be in single quotes?

aebstract Posted June 30, 2008

I'll try without, might be the problem (prob. original code would have worked if that is the problem).

aebstract Posted July 1, 2008

Okay, I know I am setting the cookie correctly. My login script sets a session like so:

    $_SESSION["id"] = $worked['plant'];

and doesn't have a problem. I looked in my cookies for my browser, I see cookie "savedid" with content "92" which is correct, and the value of $worked['plant']. With this said, how come when I visit the site after reloading the browser, I am not logged in with this script in my index:

    $cookieid = $HTTP_COOKIE_VARS["savedid"];
    if (isset($_SESSION[id])){
        include "connect.php";
    } elseif (isset($cookieid)) {
        $_SESSION["id"] = $cookieid;
        include "connect.php";
        setcookie ('savedid', $cookieid, time()+5256000);
    }

aebstract Posted July 1, 2008

I can't even echo savedid:

    echo $_COOKIE['savedid'];

displays nothing.

LooieENG Posted July 1, 2008

    printr($_COOKIE['savedid']);

aebstract Posted July 1, 2008

That can't be right? All I get with that is a white page.

LooieENG Posted July 1, 2008

Sorry, it's print_r()

aebstract Posted July 1, 2008

Isn't doing a thing.

LooieENG Posted July 1, 2008

Sorry, it's just

    print_r($_COOKIE);

Should say Array ( ) if there are no values stored.

aebstract Posted July 1, 2008

    Array
    (
        [__utma] => 250445717.1368899236585890600.1214858623.1214927845.1214933903.6
        [__utmz] => 250445717.1214858623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
        [phpSESSID] => epblm5910n9u00l6ncjevqoer0
        [__utmc] => 250445717
    )

aebstract Posted July 1, 2008

None of those I set, and it isn't showing my cookie that I set that I CAN see through my browser tools.

aebstract Posted July 1, 2008

No ideas on what's going on here?

aebstract Posted July 2, 2008

-bump-

aebstract Posted July 2, 2008

Any ideas?

roopurt18 Posted July 2, 2008

First, don't use $HTTP_COOKIE_VARS as it is deprecated. Use $_COOKIE instead.

You should also be aware that cookies are set for the domain and that http://yoursite.com and http://www.yoursite.com are two different domains. So make sure you are not setting the cookie on a yoursite.com URL and then trying to read it on a www.yoursite.com URL.

The best thing to do when you are having problems with something is to simplify it into a "proof of concept" script. Create a folder called test and create individual scripts inside it, where each script is a single proof of concept.

- set_cookie.php - sets a cookie value
- read_cookie.php - looks for the value and displays it
- delete_cookie.php - removes the cookie

You can create those as a single script if you think you can handle it. But the point of a proof of concept is to keep it simple. If all you are trying to do is set a cookie and it's not being set, you don't have a lot of other crap in your way to bog you down.

To implement a "remember me" feature you have to do two things.

When a user logs into the site:
Does the user have "Remember me" checked?
- No - Log in as normal (via sessions)
- Yes - Create a unique key for the user. Store this unique key in the user's row in the database. Store encrypt(user_name) and encrypt(unique_key) in the cookie. Log the user in as normal (via sessions)

Anytime a user visits your site and is not already logged in:
Does the user have a cookie with the user_name and unique_key values?
- No - This is not a remember me user, treat as a guest.
- Yes - This is a remember me user. Get the cookie values and decrypt. Try to SELECT the matching row from the database. If no row is found, do not log the user in. If a row is found, log the user in via sessions.

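The remember-me flow from the post above, as an added example that is not code from the thread or its participants. It swaps in random_bytes() for token generation, stores only a SHA-256 hash of the token in the users row instead of the token or an encrypted copy, and uses PDO prepared statements because cookie values are user-controlled. The remember_hash column, the "remember" cookie name, the function names and example.com are assumptions.

```php
<?php
// Added example, not thread code. Assumed: remember_hash column, "remember" cookie, example.com.
// Login with "remember me" checked: new random token, only its hash is stored.
function issue_remember_token(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));            // CSPRNG instead of rand()
    $db->prepare('UPDATE users SET remember_hash = ? WHERE user_id = ?')
       ->execute([hash('sha256', $token), $userId]);
    return $userId . ':' . $token;                 // cookie value "<id>:<token>"
}

// Returns the user id a cookie value belongs to, or null if it is invalid.
function check_remember_token(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                               // malformed or modified cookie
    }
    $stmt = $db->prepare('SELECT remember_hash FROM users WHERE user_id = ?');
    $stmt->execute([(int) $parts[0]]);
    $stored = $stmt->fetchColumn();                // false: no row, null: no token
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $parts[1]))) {
        return null;
    }
    return (int) $parts[0];
}

function send_remember_cookie(string $value): void
{
    setcookie('remember', $value, [
        'expires'  => time() + 5256000,
        'path'     => '/',                         // a path, not a URL
        'domain'   => 'example.com',               // also sent to www.example.com
        'secure'   => true,                        // HTTPS only
        'httponly' => true,                        // hidden from JavaScript
    ]);
}

// Visitor without a session (after session_start()): log in and rotate the token.
function auto_login(PDO $db): bool
{
    $cookie = $_COOKIE['remember'] ?? null;
    $uid = is_string($cookie) ? check_remember_token($db, $cookie) : null;
    if ($uid !== null) {
        $_SESSION['id'] = $uid;
        send_remember_cookie(issue_remember_token($db, $uid));
    }
    return $uid !== null;
}
```

The options-array form of setcookie() needs PHP 7.3 or later.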
aebstract Posted July 3, 2008

Okay, I have all of those bottom features set up, though about the domain being exact every time... Is there any workaround for that? If I go to domain.com and then when I go to type it back in I see it pop up below as http://domain.com and click it, I won't be logged in? Any way around that? Would the best thing be to create a cookie for each domain at once?

roopurt18 Posted July 3, 2008

You can create a redirect rule in httpd.conf or an .htaccess file to redirect all requests without a www to the domain with www. You will have to do this for each of the sub-folders of your site that contain URL-accessible scripts unless you are sending all requests through a single index.php via mod_rewrite.

aebstract Posted July 7, 2008

    if (isset($_POST['stayloggedin'])) {
        $postsessid = $worked['plant'];
        setcookie ('savedid', $postsessid, time()+5256000, "https://berryequipment.net/");
        setcookie ('savedid', $postsessid, time()+5256000, "https://www.berryequipment.net/");

Here is the cookie being set now, and it does so. I still can't get it to stay logged in. My index.php has a little script that if you aren't on https that you get redirected to it, so that is why I put the https in front of both, and I could get it rewritten with the www, but the thing is that it still isn't working with either cookie atm.
