
PHP clear cookie on browser close

Posted: Sat Jan 21, 2006 5:50 pm
by dangre
Greetings board members!

I have a user login page, that if a valid email/password is entered, a cookie is set containing the user ID:

setcookie("usercookie", $_GET["uid"], time()+3600);

This all works great, and is set to expire after an hour of inactivity. There is a conflict created when setting a time parameter - when the user closes the browser the cookie will not immediately expire.

My question is, what is the ideal way to get the best of both worlds, where cookie will expire after an hour, or expire immediately on browser close?

Thanks to all who read and respond!

Posted: Sat Jan 21, 2006 6:12 pm
by shiznatix
you can use sessions. you can set how long a session will stay alive and a session is always destroyed when the browser is closed.

look at http://ee.php.net/manual/en/function.session-start.php
then use the $_SESSION array

then you will get what you need.

Posted: Sat Jan 21, 2006 6:21 pm
by dangre
Okay thanks. I'll give it a try. Cookies alone *almost* worked for me, except for that one little thing :?

Posted: Sat Jan 21, 2006 7:10 pm
by shiznatix
well if you set a cookie to expire at a time of 0 then the cookie will expire when you close the browser but $_SESSIONs are more secure and easier to use and are softer to the touch when you go to hug them so i would definitely use them over cookies in that situation.

Re: PHP clear cookie on browser close

Posted: Sun Jan 22, 2006 6:59 am
by duk
dangre wrote: My question is, what is the ideal way to get the best of both worlds, where cookie will expire after an hour, or expire immediately on browser close?
if you want to know what is better... you can leave the user to decide what is better for him... having an option for auto_login in the login option in that case the cookie is set for 1 month for example...

if the user doesn't set the auto_login the cookie could expire in 1 hour...

Posted: Tue Jan 24, 2006 11:19 am
by dangre
Thanks everybody for your great replies! I encountered some difficulties with sessions until I was able to understand them better. Now I'm sold. I found a solution that has been working great so far, however I'm wondering how secure my code is. Would the seasoned php programmers out there consider this login process to be "good practice?"

Login Screen - unregisters any previous session (using session_unregister). Upon successful login/password, system registers the internal account ID as a session variable:

Code:

<?php
session_start();
session_register("sess_reg_uid");
$sess_reg_uid = $_GET["uid"];
header('Location: http://www.myweb.com/account-home.php');
?>

Once session is registered, I've included a process that if the "uid" session variable is not found, will automatically redirect to login screen:

Code:

<?php
session_start();
if (strlen($sess_reg_uid) == 0)
{
    // Not logged in: redirect, then stop so the rest of the page never runs.
    header('Location: http://www.myweb.com/account-login.php');
    exit;
}
else
{
    $uid = $sess_reg_uid;
}
?>
<META http-equiv="refresh" content="2000; URL=account-login.php">

The above code is contained in an "include" file for every page in the user account.

As I've said, the code above works brilliantly from my newbie perspective, though I fear that it may be fundamentally flawed in terms of security. Any thoughts would be extremely appreciated!!!!!!!!

Thank you,
Dan
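
Added example, not written by any poster in this thread: one way to get both behaviours asked about in the first post, by using a session cookie with lifetime 0 (dropped when the browser closes) and enforcing the one-hour inactivity limit on the server. It assumes PHP 7.3 or later and an HTTPS site; the function names, the `uid` and `last_seen` session keys and the login path are hypothetical.

```php
<?php
// session-guard.php: added example. Function names, the 'uid' and
// 'last_seen' keys and the login path are assumptions, not the thread's code.

const IDLE_LIMIT = 3600; // one hour of inactivity, as in the original question

function start_browser_session(): void
{
    // lifetime 0 = no expiry date, so the browser drops the cookie on close
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the e-mail/password check has succeeded; $uid comes from
// the account lookup, never from $_GET.
function log_in(int $uid): void
{
    session_regenerate_id(true);   // fresh ID at login, discards any pre-login ID
    $_SESSION['uid']       = $uid;
    $_SESSION['last_seen'] = time();
}

// Pure check so the timeout rule can be exercised without a web request.
function session_is_live(array $session, int $now): bool
{
    return isset($session['uid'], $session['last_seen'])
        && ($now - $session['last_seen']) <= IDLE_LIMIT;
}

// Include and call at the top of every account page.
function require_login(string $loginUrl = '/account-login.php'): int
{
    start_browser_session();
    if (!session_is_live($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginUrl);
        exit;                        // stop here, or the protected page still renders
    }
    $_SESSION['last_seen'] = time(); // sliding window: activity resets the hour
    return $_SESSION['uid'];
}
```

The idle limit is checked against a timestamp stored in the session, so it holds even if the browser keeps the cookie longer than expected.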