Secure Login

sidkdbl07
Forum Newbie
Posts: 2
Joined: Fri May 07, 2010 1:14 pm

Secure Login

Post by sidkdbl07 »

I've used a fairly old tutorial to implement a secure PHP login...
http://www.mtdev.com/2002/07/creating-a ... gin-script

My question is this...
How does session_defaults() log the user out if they clicked "Remember Me"?

Doesn't the cookie have to be destroyed or changed in addition to session_defaults()?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Secure Login

Post by John Cartwright »

The cookie is maintained, however, its values are changed to represent them as logged out (which leaves the logic up to the application, versus the absence of the cookie itself).
sidkdbl07
Forum Newbie
Posts: 2
Joined: Fri May 07, 2010 1:14 pm

Re: Secure Login

Post by sidkdbl07 »

The logout function simply makes a call to session_defaults(), which updates the $_SESSION array, but it doesn't do anything to the cookie. So, as far as I can tell,

	function User(&$db) {
		$this->db = $db;
		$this->date = $GLOBALS['date'];

		if ($_SESSION['logged']) {
			$this->_checkSession();
		} elseif ( isset($_COOKIE['mtwebLogin']) ) {
			$this->_checkRemembered($_COOKIE['mtwebLogin']);
		}
	}

After logging out, the user's session variable 'logged' is set to false, but isset($_COOKIE['mtwebLogin']) is true so then the user is logged in automatically and the session is reconstructed from the Cookie. Hence, the user can never log out.

This is how the code seems to behave on my server, and so I'm trying to figure out what is happening.
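
A logout that also closes the "Remember Me" path discussed in this thread, as an added example (not part of any post here and not the tutorial's code). The `user:token` cookie format, the in-memory `$tokenStore` standing in for the database, the cookie path `/`, and the helper names `check_remembered()` and `logout()` are assumptions; `session_defaults()` is a simplified stand-in with the same name.

```php
<?php
// Constructed stand-in for the table holding a hash of each user's remember-me token.
$tokenStore = ['alice' => hash('sha256', 'constructed-token-value')];

// Simplified stand-in: resets the session to the logged-out state.
function session_defaults(): void {
    $_SESSION['logged'] = false;
    $_SESSION['username'] = '';
}

// True only if the cookie names a user whose token is still on record and matches.
function check_remembered(array $store, string $cookie): bool {
    [$user, $token] = array_pad(explode(':', $cookie, 2), 2, '');
    return isset($store[$user])
        && hash_equals($store[$user], hash('sha256', $token));
}

function logout(array &$store): void {
    $user = $_SESSION['username'] ?? '';
    // 1. Server side: drop the stored token so an old cookie cannot be replayed.
    unset($store[$user]);
    // 2. Client side: expire the cookie. Path (and domain, if one was used)
    //    must match the values used when the cookie was issued.
    if (!headers_sent()) {
        setcookie('mtwebLogin', '', ['expires' => time() - 3600, 'path' => '/',
                                     'httponly' => true, 'samesite' => 'Lax']);
    }
    // 3. Current request: the superglobal still holds the value until unset.
    unset($_COOKIE['mtwebLogin']);
    // 4. Reset session state and, if a session is running, rotate its id.
    session_defaults();
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
}

// Constructed demo: a logged-in user with a remember-me cookie.
$_SESSION = ['logged' => true, 'username' => 'alice'];
$_COOKIE['mtwebLogin'] = 'alice:constructed-token-value';
$staleCopy = $_COOKIE['mtwebLogin'];   // copy a browser could still present later

var_dump(check_remembered($tokenStore, $staleCopy));  // token check before logout
logout($tokenStore);
var_dump(isset($_COOKIE['mtwebLogin']));              // cookie visible to this request?
var_dump(check_remembered($tokenStore, $staleCopy));  // same cookie replayed after logout
```

Removing the token on the server is the step that matters most: expiring the cookie only asks the browser to forget it, while a saved copy of the old value would otherwise still pass the remembered-login check.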