Old 02-10-2003, 09:26 PM   PM User | #1
Shecky
Question NOT NULLs and Nutter Butters

Preface: Smart people, try not to make fun of me too much.

That said, I'm developing a little online community site, and I need to use a cookie-based user management system (server-side sessions aren't gonna cut it for what I have in mind).

I know that cookies and 'security' don't exactly go hand-in-hand, but I also know a lot of you have had experience with them.

Any advice this forum could offer on the topic of user id cookies and security matters would be appreciated. A simple little block of code for after-form-post execution wouldn't hurt either. Cookie expiration time updating on each and every page isn't an issue for me... I just need an 'on until logout requested' cookie.
Old 02-11-2003, 12:09 AM   PM User | #2
firepages
Hate to be contrary but ...

Use sessions anyway; they are slightly more secure (sort of), they will work regardless of whether the user has cookies disabled or not, and will in fact use cookies if possible anyway.
Also session data is instant; cookies require a page refresh before they are set.

Also session data is not stored in the client-side session cookie but rather on the server; depending on how secure your server is, that's another security +.

Whilst sessions are registered until the user logs out, you can extend the life of a session cookie if you wish to allow them to log in automatically later.

Either way..
I would suggest not storing passwords in cookies; if you do, MD5() them at least.

PS :: I know that's not the answer you were looking for
Old 02-11-2003, 08:22 AM   PM User | #3
Shecky
Do I have to pass the session information in the header from one page to the next for every page to maintain a session? I believed this was the only way.

I know it sounds funny but I need to get session information from the user in pages that won't be opened by the user, or any function on the page. The user will log in at the main page and then another program will be opening pages on the site... so it makes it impossible to control information passed through the header.

If you made any sense out of that, you win a puppy.

-Shecky
Old 02-11-2003, 08:35 AM   PM User | #4
mordred
I did not quite understand the part with the program that starts opening pages, but if you can't rely on information sent via HTTP headers, then cookies are not an option for you, as they are sent via the header information.

With sessions you can retrieve the current session id with session_id() and later reinitialize a session with the same function (session_id()), only that now you pass a single parameter that contains the id of the session you want to get. But that requires passing or storing the session id somewhere, be it a file, database, shared memory... etc.

OK, you could store cookie information the same way and have a script read it out later in similar fashion. I think the answer depends on your specific setup; perhaps you could provide us with a little bit more information.
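As an added example (not code from any poster in this thread), here is one way to combine the two suggestions above: a long-lived session cookie that carries only the session id, and resuming a session from a stored id with session_id(). It assumes PHP 7.3 or later; the function names and the 30-day lifetime are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Function names and the 30-day lifetime are assumptions.
const LOGIN_LIFETIME = 60 * 60 * 24 * 30;

function start_persistent_session(): void
{
    // Refuse ids the server did not issue, and keep session data as long as the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.gc_maxlifetime', (string) LOGIN_LIFETIME);
    session_set_cookie_params([
        'lifetime' => LOGIN_LIFETIME, // cookie survives browser restarts
        'path'     => '/',
        'secure'   => true,           // HTTPS only
        'httponly' => true,           // not readable from page script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): string
{
    start_persistent_session();
    session_regenerate_id(true);      // fresh id at login, old one deleted
    $_SESSION['user_id'] = $userId;   // the cookie carries only the id, never a password
    return session_id();              // no argument: read the current id
}

function resume_session(string $storedId): ?int
{
    // Accept only the character set and length range PHP uses for its own ids.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $storedId)) {
        return null;
    }
    ini_set('session.use_strict_mode', '1');
    session_id($storedId);            // one argument: select the session to open
    session_start();
    if (session_id() !== $storedId || !isset($_SESSION['user_id'])) {
        session_destroy();            // unknown or empty session: discard it
        return null;
    }
    return (int) $_SESSION['user_id'];
}
```

Whatever holds the value returned by log_in() (a file, a database row) needs the same protection as a password, since the id alone is enough to open the session.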
Old 02-11-2003, 09:24 AM   PM User | #5
Shecky
It's planned to be a service tied into AOL Instant Messenger through the AIM-expressions (AIM 5.0+) system. Content is to appear in a regular browser window and in the IM-side window.

The IM side window is an IE 4.0+ window attached to the left of the IM window. When a user downloads my 'aim-expression' plugin, this IM side window automatically displays a specific page or image of my choosing (a standard generic URL stored in the plugin data).

The page displayed in that IM side window would have to be able to recognize a logged-in user and gather info, either from MySQL or via cookie, which pertains to a specific user's preferences, which in turn affect the displayed content of this IM side window.

What this means, basically, is that I need a way to automatically have the user's session be resumed once one of these IM-side windows pops up.

I'm sure I lost just about everyone by now. If you made it this far you may as well take a victory lap.

If someone is feelin' all Mother Teresa-ish, I'd love to chat with anyone willing to talk at some length about it. It's a pretty harsh initiation for my first PHP/MySQL project... I just need a push-start I think. Thanks all

AIM: T3kNoSQuiD
All times are GMT +1. The time now is 05:34 AM.