[SOLVED] Sessions and/or Cookies


xProteuSx

I am a newbie, writing his first script (a login script using MySQL) and I would just like to clarify something, because I have been wrong all too often before.  If I would like to grant a user access to the site based on his or her 'security level' I can use sessions.  But if I would like the user to be able to close his browser and re-open the page again later and still be logged in, that would require a cookie, correct?  So in essence, it would be best to do both, wouldn't it?  Are most programmers using both to accomplish these two tasks simultaneously, or am I missing something?

AFAIK, you are correct.

You use sessions to transmit data from page to page while the user is browsing your site.

You use cookies for any information you want to persist between browser instances.

Also, keep in mind it is not enough to store only the user's name in the cookie to grant them automatic login on their next visit to the site; I've seen that method before and it is highly insecure.

So, roopurt18, what do you suggest?  I would hate to use the IP as part of the cookie/session, because I want to make my site convenient even for those with a dynamic IP.  It seems that you have come across this dilemma, so I'm wondering if you have a suggestion you could send my way.  I am new to this coding thing, so I am trying to absorb a little knowledge from all sources!  Thanks in advance.

You really only need to store a single value in the $_SESSION global, and that is the username after they have logged in.

I.E., for guests your $_SESSION will look like this:
Array
  (
  )

For logged in users, your $_SESSION will look like:
Array
  (
    [Username] => 'TheirUserName'
  )

From that alone you can look up everything else you need about the user in the DB as they access pages.

As for the cookie to provide an auto-login for return visitors, you will need to store at least their username.  However it's not enough to store just their username as anyone could duplicate the cookie on their machine with a different user's name and log in as that person.  In addition to the username, you should store a unique key in the cookie as well and also store that key for the user's record in the database.

When anyone visits the site, check for a username in the cookie.  If it exists, check the unique key in the cookie to see if it matches what's in the database for that user.  If it all checks out, auto-log them in; otherwise they're an imposter.
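The username-plus-random-key cookie scheme described in the answer above, as an added PHP example that is not code from the thread. It goes slightly beyond the post: the database stores only a SHA-256 hash of the key (so a leaked users table does not yield working cookies), the comparison uses hash_equals(), and the cookie is set with Secure, HttpOnly and SameSite. The cookie name, the users table and the user "alice" are constructed assumptions; an in-memory SQLite database is used so the script runs stand-alone.

```php
<?php
// Added example: "remember me" cookie = username + random key (as the thread
// suggests), hardened so the DB stores only a hash of the key. Constructed data.

const COOKIE_NAME = 'remember';   // assumed cookie name

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {   // in-memory SQLite with one constructed user
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, remember_hash TEXT)');
        $pdo->exec("INSERT INTO users VALUES ('alice', NULL)");
    }
    return $pdo;
}

// Call after a successful password login; returns the cookie value that was set.
function issueRememberCookie(string $username): string {
    $key = bin2hex(random_bytes(32));                    // 256-bit key, sent to the browser only
    $stmt = db()->prepare('UPDATE users SET remember_hash = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $key), $username]);   // a DB leak does not expose usable keys
    $value = $username . ':' . $key;
    if (PHP_SAPI !== 'cli') {                            // real cookie only under a web server
        setcookie(COOKIE_NAME, $value, ['expires' => time() + 30 * 86400, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $value;
}

// Call on requests with no active session; returns the username to log in,
// or null when the cookie is missing, malformed, for an unknown user, or forged.
function autoLoginFromCookie(?string $cookie): ?string {
    if ($cookie === null || substr_count($cookie, ':') !== 1) return null;
    [$username, $key] = explode(':', $cookie, 2);
    $stmt = db()->prepare('SELECT remember_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) return null;                // unknown user or no key issued yet
    return hash_equals($stored, hash('sha256', $key)) ? $username : null;  // constant-time compare
}

// Demo: a genuine cookie logs alice in; a guessed key or another username does not.
$cookie = issueRememberCookie('alice');
var_dump(autoLoginFromCookie($cookie));
var_dump(autoLoginFromCookie('alice:0000'));
var_dump(autoLoginFromCookie('bob:' . explode(':', $cookie)[1]));
```

In a real site, also rotate the key on each successful auto-login and clear it on logout, so a copied cookie stops working as soon as the legitimate user uses the site.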

Auto generated user keys ... that's a great idea.  I have a few days of other work ahead of me, but I am going to dedicate this upcoming week to sessions and cookies.  Once I get them figured out I think I will have learned enough to complete a rough version of my login script.  Thanks for all the help.