Secure Login
Posted: Fri May 07, 2010 1:19 pm
by sidkdbl07
I've used a fairly old tutorial to implement a secure PHP login...
http://www.mtdev.com/2002/07/creating-a ... gin-script
My question is this...
How does session_defaults() log the user out if they clicked "Remember Me"?
Doesn't the cookie have to be destroyed or changed in addition to session_defaults()?
Re: Secure Login
Posted: Fri May 07, 2010 4:00 pm
by John Cartwright
The cookie is maintained; however, its values are changed to represent them as logged out (which leaves the logic up to the application, versus the absence of the cookie itself).
Re: Secure Login
Posted: Fri May 07, 2010 5:04 pm
by sidkdbl07
The logout function simply makes a call to session_defaults(), which updates the $_SESSION array, but it doesn't do anything to the cookie. So, as far as I can tell,
Code:
// PHP 4-style constructor from the tutorial: runs on every request.
function User(&$db) {
    $this->db = $db;
    $this->date = $GLOBALS['date'];
    if ($_SESSION['logged']) {
        // Session already says "logged in": validate it against the DB.
        $this->_checkSession();
    } elseif ( isset($_COOKIE['mtwebLogin']) ) {
        // No live session, but the "Remember Me" cookie exists:
        // rebuild the session from the cookie alone.
        $this->_checkRemembered($_COOKIE['mtwebLogin']);
    }
}
After logging out, the user's session variable 'logged' is set to false, but isset($_COOKIE['mtwebLogin']) is true, so the user is logged in automatically and the session is reconstructed from the cookie. Hence, the user can never log out.
This is how the code seems to behave on my server, and so I'm trying to figure out what is happening.
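The behaviour described in the post above is what you get when logout only touches $_SESSION: the constructor's elseif branch sees the untouched cookie and logs the user straight back in. The block below is an added example, not the tutorial's code and not the poster's; it shows a logout that revokes the "Remember Me" token on the server, expires the cookie, and clears the session, together with a bootstrap that only honours a cookie whose token still exists. It assumes the cookie name 'mtwebLogin' from the thread, a selector:validator token format (my choice, not the tutorial's), an in-memory array standing in for the token table, and PHP 7.3+ for the options-array form of setcookie().

```php
<?php
// Added example (not from the tutorial). $store stands in for a DB table
// with columns selector, validator_hash, user_id, expires.
const REMEMBER_COOKIE = 'mtwebLogin';      // cookie name used in the thread
const REMEMBER_TTL    = 30 * 24 * 3600;    // 30 days; an assumption

// Cookie attributes must be identical when setting and when expiring,
// otherwise the browser keeps the old cookie and logout fails silently.
function rememberCookieOptions(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

function issueRememberMe(array &$store, int $userId): string
{
    // Selector locates the row; validator proves possession. Only the hash of
    // the validator is stored, so a leaked table cannot be replayed as cookies.
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_TTL,
    ];
    $cookie = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $cookie, rememberCookieOptions(time() + REMEMBER_TTL));
    return $cookie;
}

// Returns the user id the cookie maps to, or null if the token is unknown,
// expired, or forged. Unknown selectors are exactly what a logged-out
// cookie looks like after logout() has deleted its row.
function checkRemembered(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    if ($row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        unset($store[$parts[0]]);   // expired or tampered: revoke it outright
        return null;
    }
    return $row['user_id'];
}

function logout(array &$store): void
{
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        // 1. Revoke server-side so the cookie is useless even if it survives.
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        unset($store[$selector]);
        // 2. Expire the cookie in the browser with the same attributes.
        setcookie(REMEMBER_COOKIE, '', rememberCookieOptions(time() - 3600));
        // 3. Forget it for the rest of this request, or a later bootstrap
        //    in the same request would still see it.
        unset($_COOKIE[REMEMBER_COOKIE]);
    }
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Replacement for the constructor's session/cookie branch.
function bootstrapUser(array &$store): ?int
{
    if (!empty($_SESSION['logged'])) {
        return (int) $_SESSION['user_id'];
    }
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        $uid = checkRemembered($store, $_COOKIE[REMEMBER_COOKIE]);
        if ($uid !== null) {
            session_regenerate_id(true);   // fresh id on privilege change
            $_SESSION['logged']  = true;
            $_SESSION['user_id'] = $uid;
            return $uid;
        }
    }
    return null;
}

// Usage sketch for a request handler:
//   $store = [];  // load from DB in real code
//   if ($_GET['action'] === 'logout') { logout($store); }
//   $currentUser = bootstrapUser($store);   // null after logout, even with the cookie
```

The key difference from session_defaults() alone is step 1: once the selector row is gone, checkRemembered() returns null for that cookie on every later request, so even a browser that ignores the expiry in step 2 cannot log back in. Deleting all of a user's rows instead of one selector gives a "log out everywhere" button with no other changes.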