Cookies and session

JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Cookies and session

Post by JKM »

I'm having some $_SESSION['user_id'] etc in my code, so if I want to use cookies, should I do it like this, then?

Code:

<?php
session_start();

// No logged-in user in this session yet: fall back to the cookie.
if (empty($_SESSION['user_id'])) {
    if (isset($_COOKIE['user'])) {
        /* some security checks */
        /* mysql query */
        $_SESSION['user_id'] = $fetch['user_id'];
        $_SESSION['user_access'] = $fetch['user_access'];
    } else {
        // Neither a session nor a cookie: send the visitor to the login page.
        header("Location: login.php");
        die();
    }
}
/* more code */
?>
... or is there a better way to do it?
Jahren
Forum Newbie
Posts: 8
Joined: Tue Dec 02, 2008 4:22 pm

Re: Cookies and session

Post by Jahren »

Have you tested it?
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies and session

Post by JKM »

I'm just asking for the theory. If there is a better theory, I would use that instead.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Cookies and session

Post by jackpf »

I don't understand - what's the point in storing the userid in a session and a cookie?
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies and session

Post by JKM »

if ($_SESSION['user_id'] != $_GET['uid']) {
    // Redirect when the requested uid is not the logged-in user's.
    header("Location: index.php");
    exit;
}

Why shouldn't I store the userid in a session?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Cookies and session

Post by jackpf »

I didn't say that - I'm just asking why you're saving the userid twice.
JKM wrote:
if ($_SESSION['user_id'] != $_GET['uid']) {
    header("Location: index.php");
    exit;
}
And I don't see the point in that either. All that'll do is prevent people sharing links.
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies and session

Post by JKM »

Hmm, should I do it like this, then?

Code:

<?php
session_start();

if (empty($_SESSION['user_id'])) {
    if (isset($_COOKIE['user'])) {
        /* some security checks */
        /* mysql query */
        $user_id = $fetch['user_id'];
        $user_access = $fetch['user_access'];
    } else {
        header("Location: login.php");
        die();
    }
} else {
    // Already logged in: read the values back from the session.
    $user_id = $_SESSION['user_id'];
    $user_access = $_SESSION['user_access'];
}

/* blabla */

if ($user_id != $_GET['uid']) {
    header("Location: index.php");
    exit;
}
?>
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Cookies and session

Post by jackpf »

It still seems a bit over complicated.

Why not just do something like this?

Code:

session_start();

// Use the same key for the check and for the read.
if(isset($_SESSION['user_id']))
    $userid = $_SESSION['user_id'];
else
{
    header('Location: login.php');
    die;
}

If you want to prevent session hijacking, you should store the user's IP address in a session when they log in, and check that the user's IP address matches the session's on each page request.
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies and session

Post by JKM »

Hmm, if a cookie is saved, is it making a session automatically then (since you removed the $_COOKIE part)?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Cookies and session

Post by jackpf »

Using sessions automatically sets a cookie with the session id.

You don't need to use sessions and cookies.
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies and session

Post by JKM »

Sorry, but I don't get it..

If I'm using your example:

Code:

session_start();

// Use the same key for the check and for the read.
if(isset($_SESSION['user_id']))
    $userid = $_SESSION['user_id'];
else
{
    header('Location: login.php');
    die;
}

How does that script have anything to do with cookies (so that they don't have to log in every time they start their browser)?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Cookies and session

Post by jackpf »

Oh right - you didn't say you wanted sessions to persist.

Here's how to change the session cookie lifetime (read the comments as well).

But if you want a persistent login, why not just use cookies instead of sessions in general?
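
As an added example (not posted by anyone in the thread), the session-only guard jackpf describes can be kept across browser restarts by lengthening the session cookie lifetime, and combined with the per-request IP address check he suggests. The function names, the 14-day lifetime and the cookie flags are assumptions, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// auth.php: added example, not code from the thread. Function names and
// the 14-day lifetime are assumptions chosen for illustration.
const SESSION_LIFETIME = 14 * 24 * 3600;

function start_persistent_session(): void
{
    // Keep server-side session data at least as long as the cookie lives,
    // otherwise garbage collection ends the login early.
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME, // survive a browser restart
        'path'     => '/',
        'secure'   => true,             // sent over HTTPS only
        'httponly' => true,             // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from login.php once the password has been verified.
function log_in(int $userId, $userAccess): void
{
    session_regenerate_id(true);        // fresh ID for the authenticated session
    $_SESSION['user_id']     = $userId;
    $_SESSION['user_access'] = $userAccess;
    $_SESSION['ip']          = $_SERVER['REMOTE_ADDR'];
}

// Call at the top of every protected page; returns the logged-in user id.
function require_login(): int
{
    $ok = isset($_SESSION['user_id'], $_SESSION['ip'])
        && $_SESSION['ip'] === $_SERVER['REMOTE_ADDR'];
    if (!$ok) {
        // Unknown visitor or changed address: drop the session, ask for login.
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Protected page:  start_persistent_session(); $userId = require_login();
// login.php:       start_persistent_session(); log_in($id, $access);
```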