whiteboikyle Posted May 7, 2009

In all my login scripts I have never used "cookies". Everything is run by sessions. I am trying to make it so they "stay" logged in, but I understand by doing so you have to use cookies. Can someone explain to me how all this works?

ohdang888 Posted May 7, 2009

http://us.php.net/set_cookie

whiteboikyle Posted May 7, 2009

Okay, well for example everything in the scripts is run by your username: $_SESSION['myusername']. So how would I set a cookie but still use $_SESSION['myusername'] as everything? Also, I heard there are security issues if I do cookie($_SESSION['myusername']).

Ken2k7 Posted May 7, 2009

Unless the myusername holds a password, it's fine. You can cookie a user id if you want. But creating a cookie shouldn't affect your session variables. It'll be fine as long as you don't go assigning it to new values.

whiteboikyle Posted May 7, 2009

So would you just do

$_COOKIE['cookieusername'] = $_SESSION['myusername'];
$_COOKIE['cookiepassword'] = $_SESSION['mypassword'];

and it would remember that user for a while?

Ken2k7 Posted May 7, 2009

I guess you didn't get the memo. Well, here it is explicitly - Don't cookie passwords!

whiteboikyle Posted May 7, 2009

So how would I set it up then? I don't understand how a cookie works TBH.

Ken2k7 Posted May 7, 2009

I'm not saying anything is wrong. Just don't cookie the user on their password. Someone else can get that information and I doubt users want their passwords hackable.

whiteboikyle Posted May 7, 2009

Okay, so do I just do

$_COOKIE['myusername'] = $_SESSION['myusername'];

and bam, they are logged in forever?

Ken2k7 Posted May 7, 2009

I tend to use the setcookie function. And no, they're not logged in forever. If the cookie is deleted, they'll have to log in again. You should give the cookie an expiration date.

whiteboikyle Posted May 8, 2009

And when they log out, how do I delete the cookie?

ohdang888 Posted May 8, 2009

Set the cookie again, with an empty value.

premiso Posted May 8, 2009

> And when they log out, how do I delete the cookie?

setcookie()

On the manual in the notes section:

> - Cookies must be deleted with the same parameters as they were set with. If the value argument is an empty string, or FALSE, and all other arguments match a previous call to setcookie, then the cookie with the specified name will be deleted from the remote client. This is internally achieved by setting value to 'deleted' and expiration time to one year in past.
> - Because setting a cookie with a value of FALSE will try to delete the cookie, you should not use boolean values. Instead, use 0 for FALSE and 1 for TRUE.

Set the value parameter to false and it will attempt to kill the cookie.

whiteboikyle Posted May 15, 2009

if (isset($_POST['remember'])) {
    setcookie("cookmyusername", md5($_SESSION['myusername']), time()+60*60*24*100, "/");
}

I did that. But it's not working. I don't stay logged in.

nadeemshafi9 Posted May 15, 2009

Every time a user logs in and ticks remember me, create a md5(rand(1,10000)), store this in the db in the user row as hash and store it in a cookie as hash. Now in your authentication, say if there is a cookie called blah, check to see if the value of hash in the cookie is the same as the value of hash in the user row hash field. When the user logs out you can leave the value of hash on the cookie but delete it from the user's db row; this way they can only be remembered on one computer and the user can't fake it.

If the hash on the cookie is the same as the hash in the user's row field hash, then allow them to bypass authentication; otherwise check if the session exists; otherwise redirect to login, where the session and/or the cookie and db row field hash are set.

If you want them remembered on multiple computers then you must create a comma separated list of hashes or a user to hashes table.

whiteboikyle Posted May 15, 2009

Is there a chance there could be a duplicate md5(rand(1,10000))?

nadeemshafi9 Posted May 15, 2009

> Is there a chance there could be a duplicate md5(rand(1,10000))?

Yes, so when you have made the script work, then further develop it to compensate by checking if it already exists and making another one if it does.

ohdang888 Posted May 18, 2009

An easier and more efficient way to ensure it's unique is by using the time and date function in the hashing... like so:

$key = md5(rand(1,10000).time().date('l jS F Y h:i:s A'));

OR, even better: if you use session vars and have session_start at the top of the page, you can ensure the string is unique by using the unique session id... like this:

$key = md5(session_id());

nadeemshafi9 Posted May 18, 2009

> An easier and more efficient way to ensure it's unique is by using the time and date function in the hashing... like so:
>
> $key = md5(rand(1,10000).time().date('l jS F Y h:i:s A'));
>
> OR, even better: if you use session vars and have session_start at the top of the page, you can ensure the string is unique by using the unique session id... like this:
>
> $key = md5(session_id());

Yes, the old time() concat trick, nice.

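Added example, not part of any post in this thread: the remember-me scheme discussed above (a random value in the cookie, a matching record in the database, removed on logout), written with a CSPRNG token, since md5(rand(1,10000)) can only ever produce 10,000 distinct values. It assumes PHP 7.3+, a PDO connection, and a hypothetical remember_tokens table (selector, token_hash, user_id, expires); the function and cookie names are illustrative.

```php
<?php
// Added example. Table remember_tokens(selector, token_hash, user_id, expires)
// and all function/cookie names are assumptions, not from the thread.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days

function cookieOptions(int $expires): array {
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// After a successful password login with "remember me" ticked.
function rememberIssue(PDO $db, int $userId): void {
    $selector = bin2hex(random_bytes(9));  // lookup key, not secret
    $token    = bin2hex(random_bytes(32)); // 256-bit secret from the CSPRNG
    $expires  = time() + REMEMBER_TTL;
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $userId, $expires]);
    // Only the cookie holds the raw token; the database keeps its hash.
    setcookie(REMEMBER_COOKIE, "$selector:$token", cookieOptions($expires));
}

// On a request with no logged-in session: returns the user id, or null.
function rememberCheck(PDO $db): ?int {
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) return null;
    [$selector, $token] = $parts;
    $stmt = $db->prepare('SELECT token_hash, user_id FROM remember_tokens
                          WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time.
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    // Single use: drop the matched row and hand out a fresh token.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    rememberIssue($db, (int) $row['user_id']);
    return (int) $row['user_id'];
}

// On logout: delete the server-side row, then expire the cookie using the
// same path/flags it was set with.
function rememberForget(PDO $db): void {
    $selector = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2)[0];
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    setcookie(REMEMBER_COOKIE, '', cookieOptions(time() - 3600));
}
```

Call rememberCheck() when $_SESSION['myusername'] is not set and, on a hit, load the username for the returned id into the session before any output is sent.
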