
Cookies and session

Posted: Thu Aug 06, 2009 11:33 am
by JKM
I have some $_SESSION['user_id'] etc. in my code, so if I want to use cookies, should I do it like this, then?

Code:

<?php
session_start();
// No authenticated session yet: fall back to the persistent-login cookie
if(!isset($_SESSION['user_id'])) {
    if(isset($_COOKIE['user'])) {
        /* some security checks */
        /* mysql query */
        $_SESSION['user_id'] = $fetch['user_id'];
        $_SESSION['user_access'] = $fetch['user_access'];
    } else {
        // Neither session nor cookie: send the visitor to the login page
        header("Location: login.php");
        die();
    }
}
/* more code */
?>
... or is there a better way to do it?

Re: Cookies and session

Posted: Thu Aug 06, 2009 11:38 am
by Jahren
Have you tested it?

Re: Cookies and session

Posted: Thu Aug 06, 2009 11:50 am
by JKM
I'm just asking for the theory. If there is a better theory, I would use that instead.

Re: Cookies and session

Posted: Thu Aug 06, 2009 12:37 pm
by jackpf
I don't understand - what's the point in storing the userid in a session and a cookie?

Re: Cookies and session

Posted: Thu Aug 06, 2009 1:01 pm
by JKM
if($_SESSION['user_id'] != $_GET['uid']) {
    // Redirect and stop, so nothing below runs for the wrong user
    header("Location: index.php");
    die();
}

Why shouldn't I store the userid in a session?

Re: Cookies and session

Posted: Thu Aug 06, 2009 1:07 pm
by jackpf
I didn't say that - I'm just asking why you're saving the userid twice.
JKM wrote:
if($_SESSION['user_id'] != $_GET['uid']) {
    header("Location: index.php");
    die();
}
And I don't see the point in that either. All that'll do is prevent people sharing links.

Re: Cookies and session

Posted: Thu Aug 06, 2009 1:29 pm
by JKM
Hmm, should I do it like this, then?

Code:

<?php
session_start();
// No authenticated session yet: fall back to the persistent-login cookie
if(!isset($_SESSION['user_id'])) {
    if(isset($_COOKIE['user'])) {
        /* some security checks */
        /* mysql query */
        $user_id = $fetch['user_id'];
        $user_access = $fetch['user_access'];
    } else {
        header("Location: login.php");
        die();
    }
} else {
    $user_id = $_SESSION['user_id'];
    $user_access = $_SESSION['user_access'];
}

/* blabla */

// Only the user whose id is in the URL may stay on this page
if($user_id != $_GET['uid']) {
    header("Location: index.php");
    die();
}
?>

Re: Cookies and session

Posted: Thu Aug 06, 2009 3:00 pm
by jackpf
It still seems a bit overcomplicated.

Why not just do something like this?

Code:

session_start();

// Logged in: read the id from the same key that was checked
if(isset($_SESSION['user_id']))
    $userid = $_SESSION['user_id'];
else
{
    // Not logged in: redirect and stop
    header('Location: login.php');
    die;
}
 
If you want to prevent session hijacking, you should store the user's ip address in a session when they login, and check that the user's ip address matches the session's on each page request.

Re: Cookies and session

Posted: Thu Aug 06, 2009 4:36 pm
by JKM
Hmm, if a cookie is saved, does it make a session automatically then (since you removed the $_COOKIE part)?

Re: Cookies and session

Posted: Fri Aug 07, 2009 8:07 am
by jackpf
Using sessions automatically sets a cookie with the session id.

You don't need to use sessions and cookies.

Re: Cookies and session

Posted: Fri Aug 07, 2009 3:06 pm
by JKM
Sorry, but I don't get it..

If I'm using your example:

Code:

session_start();

// Logged in: read the id from the same key that was checked
if(isset($_SESSION['user_id']))
    $userid = $_SESSION['user_id'];
else
{
    header('Location: login.php');
    die;
}
How does that script have anything to do with cookies (so that they don't have to log in every time they start their browser)?

Re: Cookies and session

Posted: Sun Aug 09, 2009 10:38 am
by jackpf
Oh right - you didn't say you wanted sessions to persist.

Here's how to change the session cookie lifetime (read the comments as well).

But if you want a persistent login, why not just use cookies instead of sessions in general?
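
Added example, not part of any post in this thread: one way to fill in the /* some security checks */ placeholder from the first post when a 'user' cookie is used for persistent login, so that the cookie carries a random single-use token instead of a user id. The names issue_token, resume_login and $tokens are hypothetical, an in-memory array stands in for the MySQL table, and PHP 7.1 or later is assumed.

```php
<?php
// Added example. $tokens stands in for a database table (assumption):
// selector => ['hash' => sha256(validator), 'user_id' => int, 'expires' => int]

function issue_token(array &$tokens, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    // Store only a hash, so a leaked table cannot be replayed as cookies.
    $tokens[$selector] = [
        'hash'    => hash('sha256', $validator),
        'user_id' => $userId,
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator; // value for the 'user' cookie
}

function resume_login(array &$tokens, array $cookies, array &$session): bool
{
    if (isset($session['user_id'])) {
        return true; // session is already authenticated
    }
    $raw = $cookies['user'] ?? '';
    $parts = is_string($raw) ? explode(':', $raw, 2) : [];
    if (count($parts) !== 2 || !isset($tokens[$parts[0]])) {
        return false; // no cookie, malformed cookie, or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $tokens[$selector];
    unset($tokens[$selector]); // single use: the token is spent either way
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return false;
    }
    $session['user_id'] = $row['user_id']; // never taken from the cookie itself
    return true;
}

// Constructed demo, runnable from the CLI.
$tokens = [];
$cookie = issue_token($tokens, 42);
$session = [];
var_dump(resume_login($tokens, ['user' => $cookie], $session)); // fresh token
var_dump($session);
$session = [];
var_dump(resume_login($tokens, ['user' => $cookie], $session)); // replayed token
var_dump(resume_login($tokens, ['user' => 'abc:def'], $session)); // forged value
```

On a real page the string from issue_token would be sent with setcookie() using the Secure and HttpOnly flags, and a successful resume_login would be followed by session_regenerate_id(true) and a freshly issued token.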