PHP clear cookie on browser close

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
dangre
Forum Newbie
Posts: 9
Joined: Fri Jan 13, 2006 5:50 pm

PHP clear cookie on browser close

Post by dangre »

Greetings board members!

I have a user login page, that if a valid email/password is entered, a cookie is set containing the user ID:

setcookie("usercookie", $_GET["uid"], time()+3600);

This all works great, and is set to expire after an hour of inactivity. There is a conflict created when setting a time parameter - when the user closes the browser the cookie will not immediately expire.

My question is, what is the ideal way to get the best of both worlds, where cookie will expire after an hour, or expire immediately on browser close?

Thanks to all who read and respond!
User avatar
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia
Contact:

Post by shiznatix »

you can use sessions. you can set how long a session will stay alive and a session is always destroyed when the browser is closed.

look at http://ee.php.net/manual/en/function.session-start.php
then use the $_SESSION array

then you will get what you need.
dangre
Forum Newbie
Posts: 9
Joined: Fri Jan 13, 2006 5:50 pm

Post by dangre »

Okay thanks. I'll give it a try. Cookies alone *almost* worked for me, except for that one little thing :?
User avatar
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia
Contact:

Post by shiznatix »

well if you set a cookie to expire at a time of 0 then the cookie will expire when you close the browser but $_SESSIONs are more secure and easier to use and are softer to the touch when you go to hug them so i would definatly use them over cookies in that situation.
duk
Forum Contributor
Posts: 199
Joined: Wed May 19, 2004 8:45 am
Location: London

Re: PHP clear cookie on browser close

Post by duk »

dangre wrote: My question is, what is the ideal way to get the best of both worlds, where cookie will expire after an hour, or expire immediately on browser close?
if you want to know what is better... you can leave the user to decide what is better for him... having a option for auto_login in the login option in that case the cookie is set for 1 month for example...

if the user don't set the auto_login the cookie could expire in 1hour...
dangre
Forum Newbie
Posts: 9
Joined: Fri Jan 13, 2006 5:50 pm

Post by dangre »

Thanks everybody for your great replies! I encountered some difficulties with sessions until I was able to understand them better. Now I'm sold. I found a solution that has been working great so far, however I'm wondering how secure my code is. Would the seasoned php programmers out there consider this login process to be "good practice?"

Login Screen - unregisters any previous session (using session_unregister). Upon successful login/password, system registers the internal account ID as a session variable:

Code: Select all

<?php
session_start();
session_register("sess_reg_uid");
$sess_reg_uid = $_GET["uid"];
header('Location: http://www.myweb.com/account-home.php');
?>
Once session is registered, I've included a process that if the "uid" session variable is not found, will automatically redirect to login screen:

Code: Select all

<?php
session_start();
if (strlen($sess_reg_uid) == 0)
{
header('Location: http://www.myweb.com/account-login.php');
}
else
$uid = $sess_reg_uid;
?>
<META http-equiv="refresh" content="2000; URL=account-login.php">
The above code is contained in an "include" file for every page in the user account.

As I've said, the code above works brilliantly from my newbie perspective, though I fear that it may be fundamentally flawed in terms of security. Any thoughts would be extremely appreciated!!!!!!!!

Thank you,
Dan
Post Reply