Greetings board members!
I have a user login page that, if a valid email/password is entered, sets a cookie containing the user ID:
setcookie("usercookie", $_GET["uid"], time()+3600);
This all works great, and is set to expire after an hour of inactivity. There is a conflict created when setting a time parameter - when the user closes the browser the cookie will not immediately expire.
My question is, what is the ideal way to get the best of both worlds, where the cookie will expire after an hour, or expire immediately on browser close?
Thanks to all who read and respond!
PHP clear cookie on browser close
- shiznatix
You can use sessions. You can set how long a session will stay alive, and a session is always destroyed when the browser is closed.
Look at http://ee.php.net/manual/en/function.session-start.php
then use the $_SESSION array
then you will get what you need.
Re: PHP clear cookie on browser close
dangre wrote: My question is, what is the ideal way to get the best of both worlds, where cookie will expire after an hour, or expire immediately on browser close?
If you want to know what is better... you can leave the user to decide what is better for him... having an option for auto_login in the login option; in that case the cookie is set for 1 month, for example...
If the user doesn't set the auto_login, the cookie could expire in 1 hour...
Thanks everybody for your great replies! I encountered some difficulties with sessions until I was able to understand them better. Now I'm sold. I found a solution that has been working great so far, however I'm wondering how secure my code is. Would the seasoned php programmers out there consider this login process to be "good practice?"
Login Screen - unregisters any previous session (using session_unregister). Upon successful login/password, system registers the internal account ID as a session variable:
Code:
<?php
session_start();
session_register("sess_reg_uid");
$sess_reg_uid = $_GET["uid"];
header('Location: http://www.myweb.com/account-home.php');
?>
Once session is registered, I've included a process that if the "uid" session variable is not found, will automatically redirect to login screen:
Code:
<?php
session_start();
if (strlen($sess_reg_uid) == 0)
{
    header('Location: http://www.myweb.com/account-login.php');
}
else
    $uid = $sess_reg_uid;
?>
<META http-equiv="refresh" content="2000; URL=account-login.php">
The above code is contained in an "include" file for every page in the user account.
As I've said, the code above works brilliantly from my newbie perspective, though I fear that it may be fundamentally flawed in terms of security. Any thoughts would be extremely appreciated!!!!!!!!
Thank you,
Dan
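An added example, not part of the original thread and not the poster's code: one way to get both expiry behaviours from a PHP session, using a cookie lifetime of 0 for expiry on browser close and a `last_seen` timestamp for the one-hour idle limit. `check_credentials()`, its constructed in-memory user store, and the other function names are hypothetical; the redirect URL is the one from the post.

```php
<?php
// Added example, not the poster's code. Requires PHP 7.4+.
const IDLE_LIMIT = 3600; // one hour of inactivity, as in the thread

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) return;
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical credential check over a constructed in-memory user store.
function check_credentials(string $email, string $password): ?int {
    static $users = null;
    $users ??= ['dan@example.com' => ['id' => 42,
        'hash' => password_hash('constructed-password', PASSWORD_DEFAULT)]];
    $u = $users[$email] ?? null;
    return ($u && password_verify($password, $u['hash'])) ? $u['id'] : null;
}

function login(string $email, string $password): bool {
    start_secure_session();
    $uid = check_credentials($email, $password);
    if ($uid === null) return false;
    session_regenerate_id(true);      // fresh session ID once authenticated
    $_SESSION['uid'] = $uid;          // server-verified, never taken from $_GET
    $_SESSION['last_seen'] = time();
    return true;
}

// Called from the include file at the top of every account page.
function require_login(): int {
    start_secure_session();
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (!isset($_SESSION['uid']) || $idle > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        header('Location: http://www.myweb.com/account-login.php');
        exit; // header() alone does not stop the rest of the page from running
    }
    $_SESSION['last_seen'] = time();  // sliding one-hour window
    return $_SESSION['uid'];
}
```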