Cookies and session
Posted: Thu Aug 06, 2009 11:33 am
by JKM
I'm having some $_SESSION['user_id'] etc in my code, so if I want to use cookies, should I do it like this, then?
Code:
<?php
session_start();
// No user in the session yet: try the cookie, otherwise send to login
if (empty($_SESSION['user_id'])) {
    if (isset($_COOKIE['user'])) {
        /* some security checks */
        /* mysql query */
        $_SESSION['user_id'] = $fetch['user_id'];
        $_SESSION['user_access'] = $fetch['user_access'];
    } else {
        header("Location: login.php");
        die();
    }
}
/* more code */
?>
... or is there a better way to do it?
Re: Cookies and session
Posted: Thu Aug 06, 2009 11:38 am
by Jahren
have you tested it?
Re: Cookies and session
Posted: Thu Aug 06, 2009 11:50 am
by JKM
I'm just asking for the theory. If there is a better theory, I would use that instead..
Re: Cookies and session
Posted: Thu Aug 06, 2009 12:37 pm
by jackpf
I don't understand - what's the point in storing the userid in a session and a cookie?
Re: Cookies and session
Posted: Thu Aug 06, 2009 1:01 pm
by JKM
if ($_SESSION['user_id'] != $_GET['uid']) {
    header("Location: index.php");
    die(); // stop here so nothing after the redirect runs
}
Why shouldn't I store the userid in a session?
Re: Cookies and session
Posted: Thu Aug 06, 2009 1:07 pm
by jackpf
I didn't say that - I'm just asking why you're saving the userid twice.
JKM wrote:
if ($_SESSION['user_id'] != $_GET['uid']) {
    header("Location: index.php");
    die(); // stop here so nothing after the redirect runs
}
And I don't see the point in that either. All that'll do is prevent people sharing links.
Re: Cookies and session
Posted: Thu Aug 06, 2009 1:29 pm
by JKM
Hmm, should I do it like this, then?
Code:
<?php
session_start();
if (empty($_SESSION['user_id'])) {
    if (isset($_COOKIE['user'])) {
        /* some security checks */
        /* mysql query */
        $user_id = $fetch['user_id'];
        $user_access = $fetch['user_access'];
    } else {
        header("Location: login.php");
        die();
    }
} else {
    $user_id = $_SESSION['user_id'];
    $user_access = $_SESSION['user_access'];
}
/* blabla */
if ($user_id != $_GET['uid']) {
    header("Location: index.php");
    die(); // stop here so nothing after the redirect runs
}
?>
Re: Cookies and session
Posted: Thu Aug 06, 2009 3:00 pm
by jackpf
It still seems a bit overcomplicated.
Why not just do something like this?
Code:
session_start();
if(isset($_SESSION['user_id']))
    $userid = $_SESSION['user_id']; // same key as the isset() check
else
{
    header('Location: login.php');
    die;
}
If you want to prevent session hijacking, you should store the user's IP address in a session when they log in, and check that the user's IP address matches the session's on each page request.
Re: Cookies and session
Posted: Thu Aug 06, 2009 4:36 pm
by JKM
Hmm, if a cookie is saved, is it making a session automatically then (since you removed the $_COOKIE part)?
Re: Cookies and session
Posted: Fri Aug 07, 2009 8:07 am
by jackpf
Using sessions automatically sets a cookie with the session id.
You don't need to use sessions and cookies.
Re: Cookies and session
Posted: Fri Aug 07, 2009 3:06 pm
by JKM
Sorry, but I don't get it..
If I'm using your example:
Code:
session_start();
if(isset($_SESSION['user_id']))
    $userid = $_SESSION['user_id']; // same key as the isset() check
else
{
    header('Location: login.php');
    die;
}
How does that script have anything to do with cookies (so that they don't have to log in every time they start their browser)?
Re: Cookies and session
Posted: Sun Aug 09, 2009 10:38 am
by jackpf
Oh right - you didn't say you wanted sessions to persist.
Here's how to change the session cookie lifetime (read the comments as well).
But if you want a persistent login, why not just use cookies instead of sessions in general?
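Added example, not part of any post in this thread: one way to fill in the "/* some security checks */" step when a persistent-login cookie is turned back into a session, using a random single-use token instead of a user id in the cookie. It assumes PHP 7.1 or later; the function names, the "selector:validator" cookie format and the in-memory $store (standing in for a database table) are hypothetical.

```php
<?php
// Added example. $store stands in for a database table (assumption);
// function names and the "selector:validator" cookie format are hypothetical.

function issueRememberToken(array &$store, int $userId, int $now, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret, only ever stored hashed
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + $ttl,
    ];
    return $selector . ':' . $validator;     // value to hand to setcookie()
}

// Returns [userId, replacementCookie] on success, or null if the cookie is rejected.
function redeemRememberToken(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed cookie or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use, whether it matches or not
    if ($row['expires'] < $now || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // expired, or validator does not match
    }
    // Rotate: the caller sets the replacement cookie and fills $_SESSION['user_id'].
    return [$row['user_id'], issueRememberToken($store, $row['user_id'], $now)];
}

// Constructed walk-through with an in-memory store and a fixed clock.
$store  = [];
$now    = 1249558380;
$cookie = issueRememberToken($store, 42, $now);

$first = redeemRememberToken($store, $cookie, $now + 60);
var_dump($first[0]);                                                 // valid cookie
var_dump(redeemRememberToken($store, $cookie, $now + 120));          // replay of a used cookie
var_dump(redeemRememberToken($store, $first[1] . 'x', $now + 120));  // tampered validator
var_dump(redeemRememberToken($store, 'garbage', $now));              // malformed cookie
```

On a successful redeem, the page would call session_regenerate_id(true), set $_SESSION['user_id'] from the returned id, and send the replacement value with setcookie() using the httponly and secure options.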