User Login - Session/Cookie Question

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

User Login - Session/Cookie Question

Post by JPlush76 »

Question for the advanced programmers out there...

I'm creating a user login / create account section for my ecommerce site, and what I was going to do is:

1. Let the user create an account. After account creation I register their new user_id as a SESSION variable that I will use to run queries against.

2. If the user has an account, let them log in. Now, if they have a cookie on their system I will check the cookie; if there is no cookie they get the login screen, where I will again register their user_id as a SESSION variable.

Now the questions are: should I use just the user_id session variable to cue my queries off of, and what should I store in the cookie? Just the user id? Or the email and password?

Thanks All!
Post by nielsene »

What's your use-case model?

It sounds like users may select an auto-login type feature? If you are allowing this, the cookie should have three components:
- expiration time
- userID
- MAC of the two (plus a server secret)

When your site gets the cookie you recompute the MAC and compare; if the two match then you know it's a valid user token and that they haven't tampered with either the userID or the expiration time. Next, check the expiration time to make sure the cookie is still good.

If the cookie passes both tests you proceed as if the user had logged in, setting up all appropriate session variables, etc. There is no need to store the username and/or password in the cookie.

If there is no auto-login, then there is no reason to worry about cookies; just trust the PHP session functions to take care of the session id propagation.

Eric