login w/ cookies or sessions?

Anon

I want to create a login which a user can access multiple secure pages... eg.

admin.php - secure file
account.php - secure file
chat.php - secure file
billing.php - secure file

logout.php - destroys cookie/session

the username and password for each user is in a database, that i can handle. But I want to know which is more secure or better to use for creating a login.

Each secure page will call the cookie or session in the very beginning to see if the user is still authencated.

The thing is, I need the session or cookie to expire after 1 hour. I know how to use cookies, so that's not a problem. But sessions are stored on the server, so I thought that woudl be a more secure way.

Please give me some advice on what to do. I know how to code things, I just need to know what's perferred. -

Also can you store multiple values in a session like you can with a cookie?

I need to store $username and $password

setcookie ("admin[username]");
setcookie ("admin[password]");

Thanks in advanced,
Mark

madsen

I use a cookie-login on my site and it seems to work out fine, might be caused by me having only 9 users including myself. :-)
But you only need to set one cookie, and make it an md5-encrypted cookie, i.e.:

$qu = mysql_query("SELECT * FROM users");
$true = md5("isuck");
while($data = mysql_fetch_row($qu)){
if($usrname==$data['usrname'] && $passwd==$data['passwd'])
setcookie("online",$true,time()+3600);
echo "Login succesful.";
exit;
}
else
$valid = 0;
}
if($valid==0) echo "Authentication failed.";

Sorry about all that code, but I think it made more sence in context with the rest of the code...
Hope you'll find it useful.
Regards Madsen

Anon

I don't understand what you mean by encrypting a cookie? You can actually do that? I didn't think you would be able to.

madsen

Well, ok, you don't encrypt the actual cookie, but you can encrypt the information in them, and with an md5-encryption it would take about (as far as i recall) 6.000.000 times the time that the universe is supposed to have existed...
The way you can encrypt the information in a cookie is shown in my previous answer, but I appearantly forgot to tell you how to check the cookie...
<?

Define values.

$value = md5("true"); // The value-string.
$name = "online": //The name of the cookie.
$time = time()+3600; //Expires an hour from the time set.

Now we've got the name, value, and time defined.

setcookie($name,$value,$time);

Then let's test the cookie.

$true = md5("true"); // Same as $value.

if($online==$true) echo "Logged in...";
else echo "NOT logged in...";
?>
This script will set the cookie named "online" and set its value to the md5-encrypted version of the string "true".
You can't decrypt the string again, but you can compare the encrypted string with another encryoted string.
$md = md5("ohboy"); will always be the same, as long as you don't change server in the middle of a session...
Hope this was clearer than my previous answer.
Best regards
~madsen

Anon

Thanks, your last reply was much clearer

Anon

Dear all,

I have a problem about login.

I have a database to save the user login_time and logout_time.

The logout_time is used to count the session time. If the system time > logout_time. it mean it disconnect and delete the session.

May I set/make a prompt or warning window to show the session timeout for user??

Other question, If 2 user do login , they use the same login name, how to prompt the fisrt login user, say 'cut connection' ??

Pls help.

Steven

crazynj

"I have a problem about login.

I have a database to save the user login_time and logout_time.

The logout_time is used to count the session time. If the system time > logout_time. it mean it disconnect and delete the session.

May I set/make a prompt or warning window to show the session timeout for user??

Yes

Other question, If 2 user do login , they use the same login name, how to prompt the fisrt login user, say 'cut connection' ??

Yes, basically the database will search when the second user (w/ same username logs in or tries to login) - it will see that the 1st one is already logged in and automatically log him out.

Anon

Dear Mark,

Thanks your reply.

the 1st one will log out automatically. and also want to prompt the 1st one the connection off.

how do??

BR
Steven