User Login - Session/Cookie Question

Posted: Fri Sep 20, 2002 2:30 pm
by JPlush76
question for the advanced programmers out there..

I'm creating a userlogin / create account section for my ecommerce site and what I was going to do is...

1. let user create account - after account creation I register their new user_id as SESSION variable that I will use to run queries against.

2. if the user has an account, let them log in - now if they have a cookie on their system I will check the cookie if no cookie they get the login screen where I will again register their user_id as a SESSION variable

Now the questions are, should I use just the user_id session variable to cue my queries off of and what should I store in the cookie? just the user id? or the email and password?

Thanks All!

Posted: Fri Sep 20, 2002 2:53 pm
by nielsene
What's your use-case model?

It sounds like users may select an auto-login type feature? If you are allowing this the cookie should have three components:
expiration time
userID
MAC of the two + a server secret

When your site gets the cookie you recompute the MAC and compare; if the two match then you know it's a valid user token and that they haven't tampered with either the userID or the expiration time. Next check the expiration time to make sure the cookie is still good.

If the cookie passes both tests you proceed as if the user had logged in, setting up all appropriate session variables, etc. There is no need to store username and/or password in the cookie.

If there is no auto-login then, there is no reason to worry about cookies, just trust PHP session functions to take care of the session id propagation.

Eric
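The auto-login cookie Eric describes, written out as an added example (this is not code from the thread or from any of its posters). It assumes a cookie layout of `expires:userID:mac` with an HMAC-SHA256 over the first two fields, a server secret held in a placeholder constant `SERVER_SECRET` (in a real deployment it comes from configuration, not source), and PHP 7.1 or later for `hash_equals`, short list assignment and nullable return types. The verifier recomputes the MAC first and only trusts the expiry field once the MAC matches, which is the order Eric gives.

```php
<?php
// Added example: a "remember me" token built as expires:userID:HMAC(expires:userID, secret).
// SERVER_SECRET is a constructed placeholder; load the real value from config, never from source.
const SERVER_SECRET = 'replace-with-a-long-random-secret-from-config';
const COOKIE_LIFETIME = 14 * 24 * 3600; // 14 days, in seconds

// Build the cookie value for a user who just authenticated with a password.
function make_remember_token(int $userId, int $now, string $secret = SERVER_SECRET): string
{
    $expires = $now + COOKIE_LIFETIME;
    $payload = $expires . ':' . $userId;
    $mac = hash_hmac('sha256', $payload, $secret); // keyed MAC, hex encoded
    return $payload . ':' . $mac;
}

// Check a token presented by the browser. Returns the user id on success, null on any failure.
function verify_remember_token(string $token, int $now, string $secret = SERVER_SECRET): ?int
{
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return null; // malformed
    }
    [$expires, $userId, $mac] = $parts;
    if (!ctype_digit($expires) || !ctype_digit($userId)) {
        return null; // fields must be plain integers before we trust them
    }
    // Recompute the MAC over exactly the bytes the client sent; constant-time compare
    // so a forger learns nothing from response timing.
    $expected = hash_hmac('sha256', $expires . ':' . $userId, $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered userID/expiry or unknown secret
    }
    // Only now is the expiry field known to be the one we issued.
    if ((int) $expires < $now) {
        return null; // token has aged out
    }
    return (int) $userId;
}

// Typical use (not executed here). At login, when the user ticked "remember me":
//   setcookie('remember', make_remember_token($userId, time()),
//             time() + COOKIE_LIFETIME, '/', '', true, true); // Secure + HttpOnly
// On a later visit with no active session:
//   if (isset($_COOKIE['remember'])
//       && ($uid = verify_remember_token($_COOKIE['remember'], time())) !== null) {
//       session_start();
//       $_SESSION['user_id'] = $uid; // from here on, the normal session carries the login
//   }

// Self-check with constructed values.
$issuedAt = 1000000000;
$t = make_remember_token(42, $issuedAt);
assert(verify_remember_token($t, $issuedAt + 60) === 42);                             // fresh, valid
assert(verify_remember_token($t, $issuedAt + COOKIE_LIFETIME + 1) === null);           // expired
assert(verify_remember_token(str_replace(':42:', ':43:', $t), $issuedAt + 60) === null); // userID edited
assert(verify_remember_token('garbage', $issuedAt + 60) === null);                     // malformed
```

Because the MAC covers both fields with a secret the browser never sees, a user who edits the userID or pushes the expiry forward produces a token that fails the first check, and nothing sensitive (password, email) ever leaves the server. Once the token is accepted the normal PHP session takes over, exactly as Eric suggests, so the cookie is consulted only when no session exists.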