Destramic, June 6, 2010:

hey guys, I'm in the middle of making a login script but I have a few questions about cookies and sessions, if anyone can help please

1. is the best way to use uset() the session/cookie?
2. also when set_cookie(); the parameter path, what should this be set at?...I'm a bit confused
3. do I need to set any headers also? other than setting the header location?

thanks
destramic

GetPutDelete, June 6, 2010:

1. Do you mean unset?
2. If you set it to '/' then it will be available across your whole site (I'd recommend this).
3. No, but with sessions you need to use session_start() at the top of the page.

Destramic, June 6, 2010:

Yes, I mean unset. Is this the best way to destroy the sessions and cookies?...and thank you for your reply

GetPutDelete, June 6, 2010:

Ok, unset will only work with sessions, you can either unset an individual session variable or clear the whole lot by using session_destroy(), to clear a cookie you need to set the cookie to expire in the past.

Destramic, June 7, 2010:

ok thanks, that was a great help...one last thing, what is the function session_id(); used for...I know it returns a unique code...but how and where is the function used?

GetPutDelete, June 7, 2010:

You're right, it gets a unique hash for the user, it can be used for whatever you like (like identifying a user). But I always prefer to create my own hashes, to do this I usually hash a combination of the user id (or ip address), microtime and a random number. For example...

    <?php
    $hash = md5($user_id . microtime() . mt_rand(1, 99999));
    ?>

Destramic, June 8, 2010:

thanks...well I've almost finished my script...but I'm having a problem when loading this script

    public function set_cookies()
    {
        $time   = time() + 3600 * 24 * $this->cookie_expiry_day;
        $domain = $_SERVER['SERVER_ADDR'];

        setcookie("user_id", $this->user_id, $time, "/", $domain, true, false);
        setcookie("username", $this->username, $time, "/", $domain, true, false);
        setcookie("password", $this->password, $time, "/", $domain, true, false);
        setcookie("email", $this->email, $time, "/", $domain, true, false);
        setcookie("user_access", $this->user_access, $time, "/", $domain, true, false);
    }

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 185
Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 186
Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 187
Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 188
Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 189

do you know any reason why this is happening please?

JonnoTheDev, June 8, 2010:

You should not be using cookies to store user data such as usernames / passwords. Cookies are stored on a user's PC, therefore any malicious software could scrape cookie data. There is no reason to keep a user's password persistent throughout a login session. Once a user has entered their login credentials successfully all you require is to set a session value that identifies that the user is logged in. i.e

    <?php
    // validate login data: login.php
    session_start();
    // $allLoginDetailsAreOK stands for the result of your credential check
    if ($allLoginDetailsAreOK) {
        $_SESSION['loggedIn'] = true;
        header("Location: my-account.php");
        exit();
    }
    ?>

    <?php
    // my-account.php
    session_start();
    // empty() also covers the case where the key was never set
    if (empty($_SESSION['loggedIn'])) {
        header("Location: login.php");
        exit();
    }
    ?>

All pages that require the user to be logged in must check for this value. If it does not exist, redirect the user to the login screen.

Cookies are used to remember a user so they do not have to keep logging in each time they visit the site (just as this site does). Usually on a login form you may see a checkbox that says, 'remember me'. Again you would not store private user data in this cookie. A unique key is normally stored in the cookie to identify a user to the website.

> what is the function session_id(); used for

This function returns the user's session key. It can be used if you are using a database as a session handler, or you are recording the users currently on your website. It can also be used to restore a user's session if, let's say, they navigate to another website on your server and you want to restore the user's session data from the previous website. i.e

    <?php
    session_id($_POST['key']);
    session_start();
    ?>

> Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 189
> do you know any reason why this is happening please?

This is because you are outputting data prior to sending a header. Headers must be sent prior to any output. i.e

    <?php
    // will throw error
    print "hello";
    header("Location: page2.php");
    exit();

    // corrected
    if (!empty($_GET['proceed'])) {
        header("Location: page2.php");
        exit();
    }
    print "hello";
    ?>

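The session-flag login from the post above, as an added example that is not JonnoTheDev's code: it sets the session cookie's flags, issues a new session ID at login, reports the "headers already sent" condition explicitly, and clears both session and cookie at logout. The function names and the user_id session key are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Function names are assumptions.
function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (headers_sent($file, $line)) {
        // Same condition as the "headers already sent" warning: output began
        // before the session cookie header could be written.
        throw new RuntimeException("Output started at $file:$line before session_start()");
    }
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',    // whole site, as recommended earlier in the thread
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): void {
    start_secure_session();
    session_regenerate_id(true); // fresh ID once the user is authenticated
    $_SESSION['loggedIn'] = true;
    $_SESSION['user_id']  = $userId;
}

function require_login(): int {
    start_secure_session();
    if (empty($_SESSION['loggedIn'])) {
        header('Location: login.php');
        exit();
    }
    return (int) $_SESSION['user_id'];
}

function log_out(): void {
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Clearing a cookie means re-sending it with an expiry in the past.
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure'  => $p['secure'],  'httponly' => $p['httponly'],
    ]);
    session_destroy();
}
```

Call log_in() only after the credential check succeeds, and call require_login() as the first statement of every protected page, before any output.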
Destramic, June 8, 2010:

...

Destramic, June 8, 2010:

well thanks for your reply...but regarding using a session instead of a cookie...the problem I see with that is that the session doesn't have a life like a cookie

satya61229, June 8, 2010:

session_id can be useful to know if a session has started or not: http://www.satya-weblog.com/2009/10/php-session-is-session-set.html

GoneNowBye, June 8, 2010:

my two cents as it were: no sessions, only cookies!

    set_cookie("name",$key,7200);

name, key, time till expiry. works like a charm. I tend to use a hash of some sort as the key, not a user id or something stupidly insecure,

JonnoTheDev, June 8, 2010:

> well thanks for your reply...but regarding using a session instead of a cookie...the problem I see with that is that the session doesn't have a life like a cookie

As I said, you use cookies if you want to remember a user. The cookie value will initiate a session. Data persists throughout the lifetime of the session whilst the user is on a site. You would not pass session data through a cookie. For example, if your website takes payments from users, data containing the user's credit card details may need to persist through multiple pages. This sort of data would never be stored in a cookie. It would persist in a session and be destroyed after it is finished with.

You do not use one or the other, you can use a combination of both. But in terms of identifying that a user is logged into a site, this is done through a session variable. All your cookie does is reinstate a session if a user was, let's say, to close their browser and then come back to the site later (as long as the cookie has not expired). If the user doesn't want to be remembered by the site at all (so they log in each time they visit) you would not set any cookie.

sspoke, June 8, 2010:

sessions have unlimited life on my server hehe.. you have to understand sessions use cookies too! sessions save data on the webserver.. and make a unique phptoken hash which is stored in your cookies.. every time you logged in, it checks if a cookie matches the same hash, meaning if someone stole your cookie they can log in to your account from their computer regardless if you use cookie method or session method.. but with cookie method they can get your password.

GoneNowBye, June 8, 2010:

not if you're not stupid

JonnoTheDev, June 8, 2010:

> every time you logged in, it checks if a cookie matches the same hash, meaning if someone stole your cookie they can log in to your account from their computer regardless if you use cookie method or session method..

This is incorrect. Sessions should expire and be cleaned up by PHP's garbage collection routine. Cookies do not get stolen as such, it is known as session hijacking, where packets are sniffed between requests and the session id is displayed within a GET method. A hijacker would have to intercept packets whilst a user is making requests. An old session cookie should not authenticate.

Destramic, June 11, 2010:

so basically you're saying if the user wants their details to be remembered we will set a cookie with the user id so that when the user comes back to the website there will be a live cookie with the user id and that will mean the user is supposed to be logged in? sorry, I just wanna make sure I understand

JonnoTheDev, June 11, 2010:

Yes, but you wouldn't use the user's id as that would be insecure. I could change the value in my cookie easily to gain access to another user's account. What is better is if you generate a key for that user that is stored in your database as well as the cookie. If the user is inactive for the lifetime of the cookie then destroy the key from your table. You could also change the key each time the user revisits.

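The key-in-database approach described in the post above, as an added example that is not part of the thread: a random key goes in the cookie, only its hash is stored in the table, expired keys are deleted, and the key is replaced on every return visit. The table, cookie and function names are assumptions, and an in-memory SQLite database stands in for the site's own; it needs PHP 7.3 or later with pdo_sqlite.

```php
<?php
// Added example, not from the thread. Table, cookie and function names are assumptions.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 14 * 24 * 3600; // assumed lifetime: 14 days

// Issue a random key for a user; only its SHA-256 hash is stored server-side.
function remember_issue(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now + REMEMBER_TTL]);
    return $token;
}

// Check a cookie value. The presented key is always deleted, so it works once;
// on success a replacement is issued. Returns [user id, new key] or null.
function remember_redeem(PDO $db, string $token, int $now): ?array {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Remove the presented key along with every key past its lifetime.
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ? OR expires < ?')
       ->execute([$hash, $now]);
    if ($row === false || (int) $row['expires'] < $now) {
        return null;
    }
    $userId = (int) $row['user_id'];
    return [$userId, remember_issue($db, $userId, $now)];
}

// Send the key to the browser; like any header, this must run before output.
function remember_send_cookie(string $token, int $now): void {
    setcookie(REMEMBER_COOKIE, $token, [
        'expires' => $now + REMEMBER_TTL, 'path' => '/',
        'secure'  => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo: user 42 is a made-up account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');
$now   = time();
$first = remember_issue($db, 42, $now);
[$uid, $second] = remember_redeem($db, $first, $now + 60);  // return visit
var_dump($uid);
var_dump(remember_redeem($db, $first, $now + 120));         // reuse of the rotated-out key
var_dump(remember_redeem($db, str_repeat('0', 64), $now));  // a key the server never issued
```

When remember_redeem() succeeds on a real request, start the session, set the logged-in flag for the returned user id, and pass the new key to remember_send_cookie().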
Destramic, June 20, 2010:

well thank you all for your advice, it's been very helpful...and I'm thinking I'm going to have a column in my database storing the session id and having a cookie storing the same id if the user wants to be remembered...and that will be my key

thank you again