Ummm... for sessions, I don't know, I don't use them.
But for cookies, you'll need to have a server response to the cookie. This server response is then fetched and compared with the cookie to see if it's set.
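# hash_equals() compares in constant time and avoids the type juggling of ==
if (is_string($cookie_hash) && $cookie_hash !== "" && hash_equals($server_hash, $cookie_hash)) {
    # auth is gained - display protected page
} else {
    # auth is not gained - display login screen
}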
Obviously, you need to do the compile of the server-hash before this sentence. I usually use a combination of several values from file/db, and compile them, then md5 the result.
Each time the page is loaded the different server values are compiled/calculated, and if one of them fails, auth fails.
The cookie is set with a single value, done by compiling the values (after comparison of passwords), and doing the same as above.
As for the sessions, I think the $PHPSESSID is set with the client's browser-session (as well as on the server), thus assuring the uniqueness and the auth of the session.
knutm
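
The cookie check described in the post above, as an added example that is not part of the original post: the server recomputes a hash on every page load and compares it with the cookie. It swaps the md5 of compiled values for HMAC-SHA256 under a server-side secret and adds an expiry; the function names, token layout and secret are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Function names, the token
// layout and the secret below are assumptions made for illustration.

// Server-side secret; in practice loaded from config, never sent to the client.
const AUTH_SECRET = 'constructed-demo-secret-change-me';

// Build the cookie value after the password comparison has succeeded.
function make_auth_cookie(string $user, int $expires, string $secret = AUTH_SECRET): string
{
    $payload = base64_encode($user) . '.' . $expires;
    // HMAC-SHA256 takes the place of md5() over the compiled values.
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Recompute the server hash on each page load and compare it to the cookie.
// Returns the user name when auth is gained, null when auth fails.
function verify_auth_cookie($cookie, int $now, string $secret = AUTH_SECRET): ?string
{
    if (!is_string($cookie)) {              // cookies can arrive as arrays
        return null;
    }
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user_b64, $expires, $mac] = $parts;
    $server_hash = hash_hmac('sha256', $user_b64 . '.' . $expires, $secret);
    if (!hash_equals($server_hash, $mac)) { // constant time, no type juggling
        return null;
    }
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null;                        // malformed or expired lifetime
    }
    $user = base64_decode($user_b64, true);
    return $user === false ? null : $user;
}

// Constructed demo values: a valid cookie, the same cookie after expiry,
// and a cookie whose user part was replaced without knowing the secret.
$now    = 1700000000;
$cookie = make_auth_cookie('alice', $now + 3600);
$forged = base64_encode('admin') . substr($cookie, strpos($cookie, '.'));
var_dump(verify_auth_cookie($cookie, $now));
var_dump(verify_auth_cookie($cookie, $now + 7200));
var_dump(verify_auth_cookie($forged, $now));
```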