get cookie stuff to register a session HELP

jung

I am trying to add cookies to my 'php sessions log in environment' so that they can 'stay logged in on this computer' - via a check box like here and at many other sites...

I understand HOW to give the cookie IF the 'stay logged in box' is checked.

<?php 
//NOTE: I use email and upass for log in. 
if ($_POST[vxcookie] == "on")  {
setcookie ("ck_email", $email);
setcookie("ck_pass", $pass);
} 
?>

HOW... do I call this info to create a session/login AUTOMATICALLY when the user relaunches their browser?

my session check inc. file looks like this... (i have this on all pages)

<?php
session_start(); 
header("Cache-control: private");

if (!session_is_registered('uid') ) 

   {header("Location: logfail.php"); }
?>

TruckStuff

This would be more of an issue for your login page. Code needs to log something like the following:

<?
if (isset ($_COOKIE['vxzcookie']))
  $uname=$_COOKIE['vwcookie'];
 else $uname = '';
<form action=login.php method=POST>
<input type=text name=uname value=<? echo '"'.$uname.'"';?>>
<input type=password name=pw>
<input type=submit value=Login>
</form>

jung

Originally posted by TruckStuff
This would be more of an issue for your login page. Code needs to log something like the following:
<?
if (isset ($_COOKIE['vxzcookie']))
  $uname=$_COOKIE['vwcookie'];
 else $uname = '';
<form action=login.php method=POST>
<input type=text name=uname value=<? echo '"'.$uname.'"';?>>
<input type=password name=pw>
<input type=submit value=Login>
</form>
[/B]

BUT wouldn't that simply pre populate the log in page ?

although that would be nice... I'd really like to get the PHP session restarted automatically from the cookie info...

so my check for registered session will also create a session based on cookie info...

Maybe I could do what you are alluding to IF the session isn't registered (on my session check include).... Does that make sense?

Weedpacket

The way I see it happening is in the code on each page where you check someone's logged in (if you're wanting them to be able to be logged in immediately, you want them to be able to go directly to their desired page without having to go through the login page first).

Look to see if session info is populated
If it is, validly of course, then they're logged in and no more checking needs to be made.
Otherwise, look to see if they've supplied a cookie
If it is, look up the corresponding details to see if there is a match
If there is a match, populate the session info with those details. They're now logged in and no further checking is needed.
Still here? Then there was no session data and no cookie. They're not logged in. Redirect them to the login page, I suppose.

start_session();
if(session is empty or contains invalid info)
{ Make sure the session is empty
  Try and gather cookie data
  if(there was cookie data)
  { Try and compare it with the appropriate database records
    if(there was no hit in the database)
    { This person has not logged in. Take appropriate action.
      exit.
    }
    //else
    Populate session data with details from database.
    Ensure cookie is updated.
  }
}

dv6cougar

this can't be too hard to achieve... i will be doing somethign similar soon.

My current thoughts however are: (ssory to budge in on your thread, but this may help you too, but so far I've never ogtten answer on this one 🙁 )

how safe would it be to use an IP address? and how would that affect a network?

thanks in advance.

TruckStuff

BUT wouldn't that simply pre populate the log in page ?

Sorry, I thought that's what you wanted. If you want users automatically logged in when they return to your site, this would need to take place in your authorization functions. You might have something like this:

function Validate ($uname, $pw)
{
 # Code to validate user
}

function GetLogin()
{
  if (isset($_SESSION['uname']) && isset ($_SESSION['pw'])) # Check for SESSION vars and use them if set
    { 
     $uname = $_SESSION['uname'];
     $pw = $_SESSION['pw'];
    }
   elseif (isset($_COOKIE['uname']) && isset ($_COOKIE['pw'])) # Check for COOKIE vars and use them if set
    { 
     $uname = $_COOKIE['uname'];
     $pw = $_COOKIE['pw'];
    }
   elseif (isset($_POST['uname']) && isset ($_POST['pw'])) # Finally, check for POST vars and use them if set
    { 
     $uname = $_POST['uname'];
     $pw = $_POST['pw'];
    }
 Validate ($uname, $pw);
}

HOWEVER, I would advise against using this practice. Allowing users to be authenticated without being prompted for a password poses a signifigant security risk. If you use this method, anyone can be authenticated as anyone simply by using that other person's computer. Not to mention that cookies are pretty easy to forge. I would discourage you from using this practice unless you completely trust all of your users and you know that their systems will never be used by anyone else (read: not likely). 🙂

Weedpacket

Originally posted by dv6cougar
how safe would it be to use an IP address? and how would that affect a network?

It would be a lot more unreliable. Reason? Two words: "proxy server".