sessions and cookies


Destramic

Hey guys, I'm in the middle of making a login script but I have a few questions about cookies and sessions, if anyone can help please.

 

1. Is the best way to use unset() on the session/cookie?

 

2. Also, when calling setcookie(), what should the path parameter be set to? I'm a bit confused.

 

3. Do I need to set any headers also, other than the Location header?

 

Thanks, Destramic


You're right, it gets a unique hash for the user; it can be used for whatever you like (like identifying a user). But I always prefer to create my own hashes. To do this I usually hash a combination of the user id (or IP address), microtime and a random number, for example:

<?php
// $user_id is assumed to be the id of the user who just logged in
$hash = md5($user_id . microtime() . mt_rand(1, 99999));
?>

 


Thanks... well, I've almost finished my script, but I'm having a problem when loading this script:

 

public function set_cookies()
{
	// expiry: now plus cookie_expiry_day days, in seconds
	$time   = time() + 3600 * 24 * $this->cookie_expiry_day;
	$domain = $_SERVER['SERVER_ADDR'];

	// path "/", secure = true, httponly = false
	setcookie("user_id", $this->user_id, $time, "/", $domain, true, false);
	setcookie("username", $this->username, $time, "/", $domain, true, false);
	setcookie("password", $this->password, $time, "/", $domain, true, false);
	setcookie("email", $this->email, $time, "/", $domain, true, false);
	setcookie("user_access", $this->user_access, $time, "/", $domain, true, false);
}

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php  on line 185

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 186

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 187

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 188

 

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 189

 

Do you know any reason why this is happening, please?


You should not be using cookies to store user data such as usernames / passwords. Cookies are stored on a user's PC, therefore any malicious software could scrape cookie data. There is no reason to keep a user's password persistent throughout a login session. Once a user has entered their login credentials successfully, all you require is to set a session value that identifies that the user is logged in, i.e.

<?php
// validate login data: login.php
session_start();
if ($allLoginDetailsAreOK) {
    // mark the session as authenticated, then redirect before any output
    $_SESSION['loggedIn'] = true;
    header("Location: my-account.php");
    exit();
}
?>

<?php
// my-account.php
session_start();
// empty() avoids an undefined-index notice when the flag was never set
if (empty($_SESSION['loggedIn'])) {
    header("Location: login.php");
    exit();
}
?>

All pages that require the user to be logged in must check for this value. If it does not exist, redirect the user to the login screen.

Cookies are used to remember a user so they do not have to keep logging in each time they visit the site (just as this site does). Usually on a login form you may see a checkbox that says 'remember me'. Again, you would not store private user data in this cookie. A unique key is normally stored in the cookie to identify a user to the website.

 

What is the function session_id() used for?

This function returns the user's session key. It can be used if you are using a database as a session handler, or you are recording the users currently on your website. It can also be used to restore a user's session if, let's say, they navigate to another website on your server and you want to restore the user's session data from the previous website, i.e.

<?php
// the id must be set before session_start() for it to take effect
session_id($_POST['key']);
session_start();
?>

Warning: Cannot modify header information - headers already sent by (output started at C:\www\auth.php:15) in C:\www\classes\Authentication.php on line 189

Do you know any reason why this is happening, please?

This is because you are outputting data prior to sending a header. Headers must be sent prior to any output, i.e.

<?php
// will throw "headers already sent": the print has started the response body
print "hello";
header("Location: page2.php");
exit();

// corrected: decide on the redirect, and send it, before printing anything
if (!empty($_GET['proceed'])) {
    header("Location: page2.php");
    exit();
}
print "hello";
?>

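As an added example (not code from the thread), the pieces of the reply above put together into one login flow: the login page regenerates the session id on success before setting the flag, the protected page checks the flag, and the logout page shows what "unsetting" a session actually involves, which also answers the original question 1. `credentials_are_valid()`, the sample user in it and the page names are assumptions for this example; the array form of `session_set_cookie_params()` and `setcookie()` needs PHP 7.3 or later.

```php
<?php
// login.php (added example, not from the thread)

// Stand-in for the application's real credential check (an assumption):
// a constructed sample user, checked with password_verify() against a hash.
function credentials_are_valid(string $username, string $password): bool
{
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Session cookie attributes must be set before session_start():
// HTTPS-only, not readable from JavaScript, not sent on cross-site POSTs.
session_set_cookie_params(['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && credentials_are_valid($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    // Swap the session id when the user logs in, so an id an attacker planted
    // in the victim's browser beforehand (session fixation) never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['username'] = $_POST['username'];
    // Nothing has been printed yet, so the header can still be sent.
    header('Location: my-account.php');
    exit();
}
?>

<?php
// my-account.php: every protected page starts with this check
session_start();
if (empty($_SESSION['loggedIn'])) {
    header('Location: login.php');
    exit();
}
?>

<?php
// logout.php: unset() alone only clears the data in this request;
// the server-side record and the client's cookie have to go as well.
session_start();
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    // Expire the session cookie with the same attributes it was set with,
    // otherwise the browser keeps sending the old id.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}
session_destroy();
header('Location: login.php');
exit();
```

The regenerate-on-login step is the one most often missing from hand-rolled login scripts; without it, any session id that was valid before the POST stays valid after it.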

Well, thanks for your reply... but regarding using a session instead of a cookie, the problem I see with that is that the session doesn't have a life like a cookie.

As I said, you use cookies if you want to remember a user. The cookie value will initiate a session. Data persists throughout the lifetime of the session whilst the user is on a site. You would not pass session data through a cookie. For example, if your website takes payments from users, data containing the user's credit card details may need to persist through multiple pages. This sort of data would never be stored in a cookie. It would persist in a session and be destroyed after it is finished with.

 

You do not use one or the other; you can use a combination of both. But in terms of identifying that a user is logged into a site, this is done through a session variable. All your cookie does is reinstate a session if a user was, let's say, to close their browser and then come back to the site later (as long as the cookie has not expired). If the user doesn't want to be remembered by the site at all (so they log in each time they visit) you would not set any cookie.


Sessions have unlimited life on my server, hehe...

 

You have to understand sessions use cookies too!

 

Sessions save data on the web server, and make a unique PHP token hash which is stored in your cookies.

 

Every time you log in, it checks if a cookie matches the same hash, meaning if someone stole your cookie they can log in to your account from their computer regardless of whether you use the cookie method or the session method.

 

But with the cookie method they can get your password.


Every time you log in, it checks if a cookie matches the same hash, meaning if someone stole your cookie they can log in to your account from their computer regardless of whether you use the cookie method or the session method.

This is incorrect. Sessions should expire and be cleaned up by PHP's garbage collection routine. Cookies do not get stolen as such; it is known as session hijacking, where packets are sniffed between requests and the session id is displayed within a GET method. A hijacker would have to intercept packets whilst a user is making requests. An old session cookie should not authenticate.


So basically you're saying, if the user wants their details to be remembered, we set a cookie with the user id, so that when the user comes back to the website there will be a live cookie with the user id, and that will mean the user is supposed to be logged in?

 

Sorry, I just want to make sure I understand.


Yes, but you wouldn't use the user's id, as that would be insecure. I could change the value in my cookie easily to gain access to another user's account. What is better is if you generate a key for that user that is stored in your database as well as the cookie. If the user is inactive for the lifetime of the cookie then destroy the key from your table. You could also change the key each time the user revisits.

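An added example, not code from the thread, of the "remember me" key described in the reply above and of the "create my own hashes" idea from the earlier reply: the key is drawn from the CSPRNG rather than from md5 of the user id, microtime and a small random number, only a hash of it is stored in the database, the comparison is constant-time, the cookie is set with the attributes that matter, and the key is rotated on each revisit and dropped when it has expired. The table name `remember_tokens`, its columns, the `$db` PDO connection and the cookie name are assumptions; the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// remember_me.php (added example, not from the thread)
// Assumed schema: remember_tokens(selector VARCHAR(18) PRIMARY KEY,
//                                  token_hash CHAR(64), user_id INT, expires INT)

const COOKIE_NAME   = 'remember';   // assumed cookie name
const LIFETIME_DAYS = 30;

function issue_remember_cookie(PDO $db, int $userId): void
{
    // Two parts: a public selector for the database lookup and a secret validator.
    // Both come from random_bytes(), so the value cannot be predicted or enumerated
    // the way a user id, or md5(id . microtime() . mt_rand(1, 99999)), can.
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars
    $validator = bin2hex(random_bytes(32));  // 256 bits of CSPRNG output
    $expires   = time() + LIFETIME_DAYS * 86400;

    // Store only a hash of the validator: a dumped table does not yield usable cookies.
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    // path "/" means the browser sends it with every request to this host
    // (use e.g. "/app/" to limit it to one application on a shared host);
    // secure = HTTPS only; httponly = not readable by JavaScript.
    setcookie(COOKIE_NAME, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user id the cookie proves, or null if there is no valid cookie.
function user_from_remember_cookie(PDO $db): ?int
{
    $raw = $_COOKIE[COOKIE_NAME] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $db->prepare('SELECT token_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals() compares in constant time, so a forged validator cannot be
    // refined byte by byte from response timing.
    if (!$row || $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        // Unknown, expired or forged: remove the row (if any) and the cookie.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        setcookie(COOKIE_NAME, '', ['expires' => time() - 3600, 'path' => '/']);
        return null;
    }

    // "Change the key each time the user revisits": retire this token, issue a new one.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issue_remember_cookie($db, (int) $row['user_id']);
    return (int) $row['user_id'];
}

// Usage at the top of each page, after session_start(): the cookie only
// reinstates a session; the session flag is still what says "logged in".
// if (empty($_SESSION['loggedIn']) && ($uid = user_from_remember_cookie($db)) !== null) {
//     session_regenerate_id(true);
//     $_SESSION['loggedIn'] = true;
//     $_SESSION['user_id']  = $uid;
// }
```

A periodic `DELETE FROM remember_tokens WHERE expires < ?` with the current time covers the "inactive for the lifetime of the cookie" clean-up, and deleting all of a user's rows on password change or logout-everywhere revokes every remembered device at once.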

  • 2 weeks later...

Well, thank you all for your advice, it has been very helpful... and I'm thinking I'm going to have a column in my database storing the session id, and have a cookie storing the same id if the user wants to be remembered... and that will be my key :D

 

Thank you again.
