jamesjmann Posted March 14, 2011

Does it matter where you start your session at? Does it have to be before the <!doctype> tag or can it go anywhere in the page?

jamesjmann (Author) Posted March 14, 2011

I have another question... Is it possible to set a session time limit? Because I have it set up on my site where when a user logs in and clicks "remember me", a cookie is created for a set amount of time. The user is permitted to specify how long in "days", but someone wrote on a website that they use a session for that. It would be especially useful for keeping someone logged in even if they close the browser or shut off their computer.

DavidAM Posted March 14, 2011

First Question: The session_start() call must occur before ANY output is sent to the browser. Since the DOCTYPE is output to the browser, the call has to occur BEFORE the DOCTYPE is sent.

Second Question: You can set the session time limit, but not the way you want. Once the user closes the browser, the session cookie is destroyed. So, you cannot EXTEND a session across browser "sessions".

jamesjmann (Author) Posted March 14, 2011

> First Question: The session_start() call must occur before ANY output is sent to the browser. Since the DOCTYPE is output to the browser, the call has to occur BEFORE the DOCTYPE is sent.
>
> Second Question: You can set the session time limit, but not the way you want. Once the user closes the browser, the session cookie is destroyed. So, you cannot EXTEND a session across browser "sessions".

How does Facebook keep people logged in when they close their browser, then? I use cookies, and all it does is remember their username and password and echo it into the forms (not a PHP echo, but you know what I mean lol)

JohnOP Posted March 14, 2011

Sessions will expire when you close the browser, cookies won't.

DavidAM Posted March 14, 2011

First, you should not store the user's password in a cookie. Cookies are not secure, so someone can either read them from the computer or intercept them when sent to the site. Since many users use a common password for multiple sites, a password stored in a cookie could compromise the user on more than one site (not just yours).

As to staying logged in, when a user comes to your site, the cookies are sent. You can decide in the PHP script what to do with those cookies. If the cookie has the appropriate information (appropriate to your script, that is), you can decide that the user is logged in and not bother them with the login page.

jamesjmann (Author) Posted March 15, 2011

> First, you should not store the user's password in a cookie. Cookies are not secure, so someone can either read them from the computer or intercept them when sent to the site. Since many users use a common password for multiple sites, a password stored in a cookie could compromise the user on more than one site (not just yours).
>
> As to staying logged in, when a user comes to your site, the cookies are sent. You can decide in the PHP script what to do with those cookies. If the cookie has the appropriate information (appropriate to your script, that is), you can decide that the user is logged in and not bother them with the login page.

Ohhhhhhhhhhhhhhhhhhhhhhhhh. I totally get it now. Seems like all I have to do is tweak my login script just a teensy bit. lol.

I would still like to address an issue though. You said I shouldn't store the user's password in a cookie, but that's exactly what sites like Facebook DO. I have often closed my browser, and as soon as I reopen it, I'm logged out, but both forms contain information, and all I have to do is click the "login" button to log in. So...if Facebook does it, why can't I?

MasterACE14 Posted March 15, 2011

This is where the database gets involved.

jamesjmann (Author) Posted March 15, 2011

> This is where the database gets involved.

What does a database have to do with remembering somebody? And I was under the impression we were discussing "cookies", not "databases".

DavidAM Posted March 15, 2011

Facebook does not actually store your password or your login name in a cookie. Have a look at the cookie and you will see.

The way this is done - well, the way I do it and I suspect they do it (since I have not seen their code) - is to store a unique ID in the cookie. This unique ID is also stored in the database. When you arrive at the site, and they receive your cookie, they look up the unique ID from the cookie and retrieve your login name from the database.

jamesjmann (Author) Posted March 15, 2011

> Facebook does not actually store your password or your login name in a cookie. Have a look at the cookie and you will see.
>
> The way this is done - well, the way I do it and I suspect they do it (since I have not seen their code) - is to store a unique ID in the cookie. This unique ID is also stored in the database. When you arrive at the site, and they receive your cookie, they look up the unique ID from the cookie and retrieve your login name from the database.

That's extremely complicated...how do you know this?

DavidAM Posted March 15, 2011

I looked at all my Facebook cookies, and my phpFreaks cookies. And I don't see my login name or my password in there anywhere.

I used to store the user's Login Name in a cookie and use that for authentication. But after reading another thread here on phpFreaks, I switched to using a unique id. As I said, I don't know exactly how Facebook does it - I've never seen the code behind their pages.

It is not really that complicated. You design it once and code it once as a function or part of a class, and then you just call the function/method from every page. In my case it is part of a class I use to manage SESSION data.

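The scheme DavidAM describes above (a unique ID in the cookie, matched against a copy in the database), as an added example that is not code from the thread or from any site it mentions. The table and column names, the `remember` cookie name and the sample user are assumptions, and the database keeps only a SHA-256 hash of the ID, which goes one step beyond what the post describes; the `setcookie()` options array needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Constructed schema (assumption): users plus one row per issued "remember me" ID.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
$db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');
$db->exec("INSERT INTO users (id, login) VALUES (1, 'example_user')");

// At login, when "remember me" is ticked: create the unique ID and record it.
function issueRememberToken(PDO $db, int $userId, int $days): string
{
    $token = bin2hex(random_bytes(32));   // unguessable, carries no login name or password
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)');
    // Only a hash is stored, so a leaked table cannot be replayed as cookies.
    $stmt->execute([hash('sha256', $token), $userId, time() + $days * 86400]);
    return $token;                        // this value goes in the cookie
}

// Send the cookie; like session_start(), this must run before any output.
function sendRememberCookie(string $token, int $days): void
{
    setcookie('remember', $token, [
        'expires'  => time() + $days * 86400,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only, so it is not intercepted in clear text
        'httponly' => true,   // not readable by scripts running in the page
        'samesite' => 'Lax',
    ]);
}

// On a later visit: map the cookie value back to a login name, or null if unknown/expired.
function loginFromRememberToken(PDO $db, string $token): ?string
{
    $stmt = $db->prepare(
        'SELECT u.login FROM remember_tokens t JOIN users u ON u.id = t.user_id
         WHERE t.token_hash = ? AND t.expires > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $login = $stmt->fetchColumn();
    return $login === false ? null : $login;
}

// Constructed demo for the command line: one issued ID, one forged value.
$token = issueRememberToken($db, 1, 30);
var_dump(loginFromRememberToken($db, $token));
var_dump(loginFromRememberToken($db, 'forged-value'));
```

In a page, pass `$_COOKIE['remember'] ?? ''` to `loginFromRememberToken()` and, on a match, populate `$_SESSION` as after a normal login.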