View Full Version : Sessions and cookies in login



graham23s
12-03-2008, 09:11 PM
Hi Guys,

My login system uses sessions to store the user's id and username (just use id for getting info from mysql etc). I'm trying to figure out, if they tick the remember me button on the login form, how I remember them lol. I set the cookie fine but when testing the page is never remembered:

code:



<?php
ob_start();
session_start();
if ($_SESSION['logged_in'] != 'yes') {
    header("Location: login.php");
    exit; // stop here, otherwise the rest of the page still runs
}

// CHECK TO SEE IF THE REMEMBER ME WAS TICKED
if (isset($_COOKIE['customers_cookie_id']))
{
    // VARS
    $varCookie = $_COOKIE['customers_cookie_id'];
}

// VARS
$var_loggedinuserid = $_SESSION['id'];
$var_loggedinuserfirstname = $_SESSION['first_name'];
?>


That's the code that's at the top of my protected pages! If I echo out $varCookie I get 6, which is my ID!

so i...

1) tick the remember me button
2) set a cookie if it's ticked (with the user's id)

then I'm stumped lol, if I'm using sessions how could I use cookies kinda thing

any advice would be great

cheers

Graham

JohnDubya
12-03-2008, 11:01 PM
When you check to see if the cookie isset, you can set the id session variable with it:



if (isset($_COOKIE['customers_cookie_id'])) {
    $_SESSION['id'] = $_COOKIE['customers_cookie_id'];
}


Does that answer your question?

Fou-Lu
12-03-2008, 11:05 PM
Just don't think of cookies and sessions being the same. Sessions will always try to set a cookie on the client to remember the sid. It likes cookies more than it likes GET.

Anyway, I assume this is for if they close their browser, correct? In order to do this, you'll need to set a cookie for both the username and the password of the user (you are encrypting your passwords, right?). This is because you'll need to use cookies to authenticate your users, so you'd try something like this:


<?php
session_start();
// Already logged in during this session?
$bIsLogged = isset($_SESSION['loggedin']);
if (!isset($_SESSION['loggedin']))
{
    // Not yet logged in, first see if we have some cookies:
    if (isset($_COOKIE['username']) && isset($_COOKIE['password']))
    {
        // We have something, let's validate them:
        // This is where you'd check your storage and compare them with
        // the cookie values. If they match, we have the same user.
        // $validUser and $validPass stand for the values loaded from storage.
        if ($_COOKIE['username'] === $validUser && $_COOKIE['password'] === $validPass)
        {
            $_SESSION['loggedin'] = true;
            $bIsLogged = true;
        }
    }
}
if (!$bIsLogged)
{
    // Didn't validate
    header('Location: login.php');
    exit; // stop here so the protected page is not rendered
}


Do you understand what I'm getting at?
It's straightforward, just follow this logic:
If no session
- If cookies
- Validate cookies
- Set logged in
else
- Request login


The big one is that all your cookies should care about is the username and password. You do require both in order to confirm a validation (assuming you have usernames and passwords). Make sure passwords are encrypted. If they are not encrypted in your database (they should be but...), make sure you're encrypting it before setting the cookie (md5 or sha1 or whatever), and when you do the validation encrypt the valid password for comparison.
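
Cookie values are set by the client, so a remember-me cookie is safer carrying a random single-use token than a user id or a password hash. The sketch below is an added example, not code posted by anyone in this thread; the function names, the `remember` cookie name and the in-memory $store array (a stand-in for a database table) are assumptions.

```php
<?php
// Added example, not code from the thread. $store is a constructed in-memory
// stand-in for a database table keyed by selector; all names are hypothetical.

function issueRememberToken(int $userId, array &$store, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret, only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;      // value to put in the cookie
}

function redeemRememberToken(string $cookie, array &$store): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                          // malformed cookie
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector] ?? null;
    if ($row === null) {
        return null;                          // unknown selector
    }
    unset($store[$selector]);                 // single use, even on failure
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // expired or wrong validator
    }
    // Rotate: the caller sends the new 'cookie' value back to the browser.
    return ['user_id' => $row['user_id'],
            'cookie'  => issueRememberToken($row['user_id'], $store)];
}

// Constructed demo: user 6 ticks "remember me", then comes back later.
$store  = [];
$cookie = issueRememberToken(6, $store);
// In a page: setcookie('remember', $cookie, ['expires' => time() + 1209600,
//     'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
$login = redeemRememberToken($cookie, $store);
var_dump($login['user_id']);                      // user id from the token row
var_dump(redeemRememberToken($cookie, $store));   // replay of the used cookie
var_dump(redeemRememberToken('6', $store));       // bare user id as cookie value
```

On a successful redeem the page would set $_SESSION['id'] from the returned user_id and replace the cookie with the rotated value.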


