Sessions/Cookies

Dan

I asked for ideas for the user system I'm making, and it's getting all feature requests and no ideas about how I should do the back end (other than Tree's small post. :blink:)[thread]

On old scripts, I would just use the username (or id) and password as cookies (password encrypted, obviously) but I've read that that isn't very secure and I also know how to get around it.

I've seen people saying to give users a session that matches with one in the MySQL database, but that has the same problems as the first idea. Just get the cookie and you're in.

You could check the user's IP and the session, but what happens if they don't have a static IP?

How should I do the remember me cookies, sessions, or whatever?
 
On a few projects, I set 5 different cookies. They would be heavily-encrypted versions of user data (ex. user ID, username, password, email, full name, etc). Also set an "expiration cookie" which would really just say whether they wanted to be remembered or not. This way they would have to get all 5 of the cookies correct. It would be a lot harder to change users using this method. It could be done, but it would be extremely hard.

There are a few other ways if that doesn't work out for you.
 
The way the likes of eBay do this is to set a cookie for the remember me feature. However, when you wish to gain proper access to the account (or place a bid) you have to supply your login details again.
 
Dan said:
How should I do the remember me cookies, sessions, or whatever?

Remember me can only be done via cookies. The problem with sessions is they are only good for the duration of the browser. Each time you open a new window or browser window, it would be a different session unless it's being tracked via custom session functions.

The only way you can do this properly is by writing or finding a script that gives you the ability to encode and decode a string.

You would set at least 2 cookies:

- $_COOKIE['username']
- $_COOKIE['password']

Those, when printed on the screen, should both contain encrypted string data that only your PHP script can "read" and decode into their natural string state.

So your auto-remember me function would first (before anything in your code) check to see if those cookies exist:

PHP:
session_start(); // needed before $_SESSION can be written below
if (!empty($_COOKIE['username']) AND !empty($_COOKIE['password']))
{
    $username = decode_string($_COOKIE['username']);
    $password = decode_string($_COOKIE['password']);

    // match decoded user/pass to the database
    // __> SQL SELECT QUERY HERE <___  (fills $result from your user table)
    if ($result['username'] == $username AND $result['password'] == $password)
    {
        // this will auto-log in your member with proper sessions so they don't have to use the login form
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
    }
}


To make this work above, you'll need:

- a decode_string() function
- a proper SQL select query/statement to hold $result['username'] and $result['password'] from the user table in your db.

Does this help you?

Regards,
Peter
 
...nm...
 
psalzmann said:
Remember me can only be done via cookies. The problem with sessions is they are only good for the duration of the browser. Each time you open a new window or browser window, it would be a different session unless it's being tracked via custom session functions.
I know that no matter what I would need to set a cookie for the person to be remembered.

Setting just a username and password cookie would not be secure because anyone could just set the cookies by themselves.

By sessions, I don't necessarily mean just $_SESSION. It's more of setting the session cookie by myself and storing the session value in the MySQL database to see if they are supposed to be remembered. If I use this method, I would also store the username and password because now it would be harder to get both of those and the session cookie.
 
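As an added example (not code from Peter's post or from Dan's system), here is the approach Dan describes above, a "remember me" value stored server-side in the database rather than username/password cookies, with the checks a reviewer would ask for: a random token, only its hash in the table, constant-time comparison, expiry and rotation on every use. The table, cookie and function names are assumptions; it uses an in-memory SQLite database through PDO so it runs on its own.

```php
<?php
// Added example, not code from the thread. Table and cookie names are hypothetical.
// Uses SQLite in memory so it runs stand-alone; swap the DSN for your MySQL connection.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');
const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 30 * 24 * 3600;   // 30 days

// Issue a token after a successful password login when the user ticked "remember me".
function issue_remember_token(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // the secret; only its hash is stored
    $expires   = time() + REMEMBER_LIFETIME;
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    // Secure + HttpOnly: not sent over plain HTTP, not readable by page scripts.
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => $expires, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Run before anything else on each request. Returns the user id, or null if no valid token.
function check_remember_cookie(PDO $db): ?int {
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;
    }
    // Constant-time compare, so a forged cookie cannot be tuned byte by byte.
    $valid = hash_equals($row['validator_hash'], hash('sha256', $validator));
    // The token is single-use either way: delete it, and re-issue only if it was valid.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if (!$valid) {
        return null;   // right selector, wrong secret: treat as a guessed or stolen cookie
    }
    issue_remember_token($db, (int) $row['user_id']);
    return (int) $row['user_id'];
}

session_start();
if (empty($_SESSION['user_id']) && ($uid = check_remember_cookie($db)) !== null) {
    session_regenerate_id(true);   // fresh session id on privilege change
    $_SESSION['user_id'] = $uid;   // logged in; still ask for the password before sensitive actions
}
```

Because a copied cookie is still a valid credential until it expires or rotates, the eBay pattern from earlier in the thread (re-entering the password for sensitive actions) belongs on top of this, not instead of it.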