  1. #1
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts

    Increase session lifetime

    Hello. I'm using a web hosting service from 000 web host.

    There is an .htaccess file in my public folder which I've amended to:

    Code:
    # Do not remove this line, otherwise mod_rewrite rules will stop working
    RewriteBase /
    
    php_value session.cookie_lifetime 86400
    php_value session.gc_maxlifetime 86400
    in an attempt to increase the lifetime of the session cookie to 24 hours.

    It seems to be ignoring this setting and the session expires when closing the browser. How can I correct this please? Are there other settings that I need?

    Andy
    "I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
    Validate your HTML and CSS

  • #2
    Regular Coder Arcticwarrio's Avatar
    Join Date
    May 2012
    Location
    UK
    Posts
    721
    Thanks
    20
    Thanked 84 Times in 84 Posts
    Session is just that, Session.

    When you close the browser the session is over; you will need to use cookies instead.

  • #3
    Arcticwarrio
    PHP Code:
    <?php
    $value = 'something from somewhere';

    setcookie("TestCookie", $value);
    setcookie("TestCookie", $value, time()+3600);  /* expire in 1 hour */
    setcookie("TestCookie", $value, time()+3600, "/~rasmus/", "example.com", 1);
    ?>
    PHP Code:
    <?php
    // Print an individual cookie
    echo $_COOKIE["TestCookie"];
    // $HTTP_COOKIE_VARS only exists before PHP 5.4; later versions have $_COOKIE only
    echo $HTTP_COOKIE_VARS["TestCookie"];

    // Another way to debug/test is to view all cookies
    print_r($_COOKIE);
    ?>

  • #4
    Senior Coder
    Thank you. I've obviously misunderstood, particularly as the session data appeared to persist when testing locally.

    I'll need to store something in a cookie to keep the user logged-in, but I don't want to store their username or password directly. How do sites generally encode/hash these details?

  • #5
    Arcticwarrio
    You would store the password in the database as a hash, e.g. md5 or sha1.

    Something like:

    PHP Code:
    //create new user
    $username = mysql_real_escape_string($_POST['Username']);
    $password = mysql_real_escape_string(md5($_POST['Password']));

    // String values are quoted so the escaping above is effective
    $query = query("INSERT INTO users (Username, Password) VALUES ('$username','$password')");
    PHP Code:
    //login

    $username = mysql_real_escape_string($_POST['Username']);
    $password = mysql_real_escape_string(md5($_POST['Password']));

    $query = query("SELECT * FROM users WHERE `Username` = '$username' HAVING `Password` = '$password'");
    if (mysql_num_rows($query) == 1) {
        setcookie("online", "true", time()+3600);
    }
    Last edited by Arcticwarrio; 08-01-2012 at 01:29 PM.
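
An added example, not part of the thread or any poster's code: storing and checking passwords with PHP's built-in password_hash() and password_verify() instead of a bare md5(), and upgrading an existing md5 value at the next successful login. The function names and the assumption that legacy rows hold an unsalted 32-character md5 hex string are illustrative.

```php
<?php
// Added example; function names and stored-value formats are assumptions.

// New accounts: salted, deliberately slow hash (bcrypt by default).
function hashNewPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Returns [bool $ok, ?string $replacementHash]. $replacementHash is non-null
// when the stored value should be overwritten (legacy md5 or outdated cost).
function checkPassword(string $plain, string $stored): array
{
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    if ($isLegacyMd5) {
        // hash_equals() compares as strings and in constant time
        $ok = hash_equals($stored, md5($plain));
    } else {
        $ok = password_verify($plain, $stored);
    }
    if (!$ok) {
        return [false, null];
    }
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($plain, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// Constructed sample values: one legacy md5 row, one modern hash.
$legacy = md5('correct horse');
$modern = hashNewPassword('correct horse');

[$ok, $upgrade] = checkPassword('correct horse', $legacy);
var_dump($ok, $upgrade !== null);   // legacy row, right password
[$ok, $upgrade] = checkPassword('correct horse', $modern);
var_dump($ok, $upgrade !== null);   // modern row, right password
[$ok, $upgrade] = checkPassword('wrong', $legacy);
var_dump($ok, $upgrade !== null);   // wrong password
```

When a replacement hash is returned, the caller writes it back to the user's row so the md5 value disappears after that login.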

  • #6
    New Coder
    Join Date
    Sep 2011
    Posts
    80
    Thanks
    0
    Thanked 13 Times in 12 Posts
    Generate a random string/hash and associate it with a user ID in your database, save that as your cookie. You don't want to save any identifiable information in the cookie whatsoever that can be spoofed.

    You could also do things like store the browser and version used and invalidate the cookie/session if this changes if you want to add extra layers of security. It can't be relied on but it's an indicator that someone has stolen the cookie.

  • #7
    Arcticwarrio
    I have a function for login if you're interested:

    PHP Code:
    function ProcessLogin($Username, $Password) {
        if (($Username == "") || (!isset($Username))) {
            return "No username was supplied.";
        } else {
            $Username = strip_tags($Username);
        }
        if (($Password == "") || (!isset($Password))) {
            return "No password was supplied.";
        } else {
            $Password = md5(strip_tags($Password));
        }

        // Escape the username before it is placed in the SQL string
        $results = Q("SELECT * FROM `user__users` WHERE `UserCode` = '" . mysql_real_escape_string($Username) . "'");

        // If that Username doesn't exist
        if (mysql_num_rows($results) == 0) {
            return "Unknown User";
        }

        // Give them 3 chances. It says 2 below because we need to consider 0!
        // Otherwise see how many Strikes are next to the Username
        $row = mysql_fetch_array($results);
        if ($row['UserStrikes'] >= 2) {
            return "You have reached the maximum amount of failed login attempts. Please contact an administrator.";
        }

        // If there are less than 3 then see if the passwords match
        // (strict comparison, so numeric-looking hashes are not compared as numbers)
        if ($Password !== $row['UserPass']) {
            // Complete the query
            $results = Q("UPDATE `user__users` SET `UserStrikes` = '" . ($row['UserStrikes'] + 1) . "' WHERE `user__users`.`UserID` = " . $row['UserID']);
            // Attempts left before the 2-strike lockout above applies
            $remaining = 2 - ($row['UserStrikes'] + 1);
            if ($remaining != 1) {
                return "Your Password is incorrect. Please try again. You have " . $remaining . " attempts to login.";
            } else {
                return "Your Password is incorrect. Please try again. You have " . $remaining . " more attempt to login.";
            }
        }

        // If the Strikes is more than 0 then reset them to 0
        if ($row['UserStrikes'] > 0) {
            // Complete the query
            $results = Q("UPDATE `user__users` SET `UserStrikes` = '0' WHERE `user__users`.`UserID` = " . $row['UserID']);
        }

        // Put the details in the session
        $results = Q("UPDATE `user__users` SET UserIP = '" . $_SERVER['REMOTE_ADDR'] . "' WHERE `UserID` = " . $row['UserID']);
        $_SESSION['Username'] = $Username;
        $_SESSION['UserID'] = $row['UserID'];
        $_SESSION['name'] = $row['UserName'];
        $_SESSION['access_level'] = $row['UserLevel'];
        $_SESSION['logged_in'] = true;

        return "Logged in";
    }

    Then have your login form point to something like:

    PHP Code:
    $LoginResult = ProcessLogin($_POST['Username'], $_POST['Password']);

  • Users who have thanked Arcticwarrio for this post:

    AndrewGSW (08-01-2012)

  • #8
    Senior Coder
    Thank you both. I have a bit of study to do

  • #9
    Senior Coder
    I'm almost there but need a little guidance with the following.

    I think there is a conflict between the way my variable identifier is being stored and retrieved:

    PHP Code:
    // storage
    $identifier = md5($salt . md5($username . $salt));
    setcookie('auth', "$identifier:$token", $timeout);
    $q = "UPDATE users SET identifier='$identifier', token='$token', " .
         "timeout=$timeout WHERE user_id=$uid LIMIT 1";

    // retrieval
    list($identifier, $token) = explode(':', $_COOKIE['auth']);
    $clean['identifier'] = $identifier;
    $mysql['identifier'] = mysqli_real_escape_string($dbc, $clean['identifier']);
    $sql = "SELECT username, email, token, timeout FROM users WHERE " .
           "identifier = '{$mysql['identifier']}'";

    // strict comparison, so numeric-looking hashes are not compared as numbers
    if ($clean['identifier'] !== md5($salt . md5($record['username'] . $salt))) {
    [I've extracted just the relevant code for the moment.]

    I believe I need to modify the second sql statement..? Andy.

  • #10
    Senior Coder
    Scrub that - found it!

