Jump to content

Recommended Posts

hey guys im the middle of making a login script but i have a few questions about cookies and sessions if anyone can help please

 

1. is the best way to use uset() the session/cookie?

 

2. also when set_cookie(); the parameter path what should this be set at?...im a bit confused

 

3. do i need to set any headers also? other than setting the header location?

 

thanks destramic

Link to comment
https://forums.phpfreaks.com/topic/204011-sessions-and-cookies/
Share on other sites

You're right it gets a unique hash for the user, it can be used for whatever you like (like identifying a user). But I always prefer to create my own hashes, to do this I usually hash a combination of the user id (or ip address), microtime and a random number. for example...

<?php

$hash =md5($user_id . microtime() . mt_rand(1, 99999));

?>

 

thanks...well ive almost finished my script...but im having a problem when loading this script

 

	public function set_cookies()
{
	$time   = time() + 3600 * 24 * $this->cookie_expiry_day;
	$domain = $_SERVER['SERVER_ADDR'];

	setcookie ("user_id", $this->user_id, $time, "/", $domain, true, false);
	setcookie ("username", $this->username, $time, "/", $domain, true, false);
	setcookie ("password", $this->password, $time, "/", $domain, true, false);
	setcookie ("email", $this->email, $time, "/", $domain, true, false);
	setcookie ("user_access", $this->user_access, $time, "/", $domain, true, false);	
}

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php  on line 185

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 186

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 187

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 188

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 189

 

do you know any reason why this is happening please?

You should not be using cookies to store user data such as usernames / passwords. Cookies are stored on a users pc therefore any malicious software could scrape cookie data. There is no reason to keep a users password persistent throughout a login session. Once a user has entered their login credentials succesfully all you require is to set a session value that identifies that the user is logged in. i.e

<?php
// validate login data: login.php
session_start();
if($allLoginDetailsAreOK) {
$_SESSION['loggedIn'] = true;
header("Location:my-account.php");
exit();
}
?>

<?php
// my-account.php
session_start();
if(!$_SESSION['loggedIn']) {
header("Location:login.php");
exit();
}
?>

All pages that require the user to be logged in must check for this value. if it does not exist, redirect the user to the login screen.

Cookies are used to remember a user so they do not have to keep logging in each time they visit the site (just as this site does). Usually on a login form you may see a checkbox that says, 'remember me'. Again you would not store private user data in this cookie. A unique key is normally stored in the cookie to identify a user to the website.

 

hat is the function session_id(); used for

This function returns the users session key. It can be used if you are using a database as a session handler, or you are recording the users currently on your website. It can also be used to restore a users session if lets say they navigate to another website on your server and you want to restore the users session data from the previous website. i.e

<?php
session_id($_POST['key']);
session_start();
?>

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 189

do you know any reason why this is happening please?

This is because you are outputting data prior to sending a header. Headers must be sent prior to any output. i.e

<?php
// will throw error
print "hello";
header("Location:page2.php");
exit();

// corrected
if($_GET['proceed']) {
header("Location:page2.php");
exit();
}
print "hello";
?>

well thanks for your replay...but regarding using a session instead of a cookie...the problem i see with that is that the session doesnt have a life like a cookie

As I said, you use cookies if you want to remember a user. The cookie value will initiate a session. Data persists throughout the lifetime of the session whilst the user is on a site. You would not pass session data through a cookie. For example, if your website takes payments from users, data containing the users credit card details may need to persist through multiple pages. This sort of data would never be stored in a cookie. It would persist in a session and destroyed after it is finished with.

 

You do not use one or the other, you can use a combination of both. But in terms of identifying that a user is logged into a site this is done through a session variable. All your cookie does is reinstate a session if a user was lets say to close their browser and then come back to the site later (as long as the cookie has not expired). If the user doesn't want to be remebered by the site at all (so they login each time they visit) you would not set any cookie.

sessions have unlimited life on my server hehe..

 

you have to understand sessions use cookies too!

 

sessions save data on the webserver.. and make a unique phptoken hash which is stored in your cookies..

 

everytime you logged in, it checks if a cookie matches the same hash meaning if someone stole your cookie then can login your account from their computer regardless if you use cookie method or session method..

 

but with cookie method they can get your password.

everytime you logged in, it checks if a cookie matches the same hash meaning if someone stole your cookie then can login your account from their computer regardless if you use cookie method or session method..

This is incorrect. Sessions should expire and be cleaned up by php's garbage collection routine. Cookies do not get stolen as such, it is known as session hijacking where packets are sniffed between requests and the session id is displayed within a GET method. A hijacker would have to intercept packets whilst a user is making requests. An old session cookie should not authenticate.

so basically you saying if the user wants thier details to be remembers we will set a cookie with the user id so that when the user comes back to the website there will be a live cookie with the user id and that will mean the user is suppose to be logged in?

 

sorry i just wanna makesure i understand

Yes but you wouldn't use the users id as that woul be insecure. I could change the value in my cookie easily to gain access to another users account. What is better is if you generate a key for that user that is stored in your database aswell as the cookie. If the user is inactive for the lifetime of the cookie then destroy the key from your table. You could also change the key each time the user revisits.

  • 2 weeks later...

well thanks you all for your advise it been very helpful...and im thinking i going to have a column in my database storing the session id and having a cookie storing the same id if the user wants to be remembered...and that will be my key  :D

 

thank you again

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.