I have sessions, have a cookie Q.

Dolemite50

Hi,
I have designed a site and it is currently using sessions. I want to now add the feature of cookies for people who dont want to have to re-enter a password.
Currently I am using this line:

<?php
session_start();
if (@$_SESSION['auth'] != "TRUE"){
header("Location: signin.php");
exit();
}
?>

I am an exteme newb and am wondering how hard it would be to have sessions and cookies running together. If some people are logged in with a cookie will it interfere with the session? If anybody could point me to a tutorial on this that would be great.

(I didnt have much luck with the one at the top of this forum). 🙁

Roger_Ramjet

Try these links for an explanation of session authentication:

http://www.sitepoint.com/article/great-client-login-system

http://www.sitepoint.com/print/users-php-sessions-mysql

I have attached the code for the php-sessions example, I use it myself and it works great.

You might consider just using http authentication as most browsers will store passwords and automatically submit them if the user so chooses. Read this manual page for http :

http://uk2.php.net/manual/en/features.http-auth.php

and this for an explanation of .htaccess itself:

http://wsabstract.com/howto/htaccess.shtml

Dolemite50

Thanks alot Roger,
I checked the links and I'm still a little confused. Right now my session activity works with this:

else{
session_start();
$SESSION['loginName'] = $POST['loginName'];
$SESSION['auth'] = TRUE;
header("Location: signin2.php");
//echo $SESSION['loginName'];

Which works until they close the browser.

I am not using any $_SERVER functions. Is this what I need to do in order for a "remember me" feature? Basically the only thing I need to store is a loginName and a boolean to if they are authorized. Are you saying that I can create a cookie on the server instead of on the client end? Is there any way to just not have the SESSION expire until they logout?

Thanks alot for all the help. Believe me, I'm so green that just about every time I check the manual at php.net it goes over my head.
}

rgermain

I personally have not tried this myself, but what I would do is write a simple if statement checking to see if the cookie exsited and if so then check to see if inside that cookie there was a password. In the cookie you would store the encrypted password. Check the cookies encrypted password against the databases encrypted password and if it all works out set variable to TRUE. Then in your current if statement just add an or to check if the variable is set to true.

Maybe someone else has a better way, but that is just how I would do it.

**NOTE: You would also want to store the username in the cookie so as soon as they come to your site the page checks for a cookie with a vaild username and password. Otherwise just makes them login manually.

Roger_Ramjet

Before I get into any of this, you will have to explain:

1 What kind of site is it: ie why do users need to login in the first place
2 Why does it matter if they have to enter their password each time they visit
3 why are you not using .htaccess: the best method of securing a page or site

Sessions uses cookies, that is how the server tracks the client session
You can not create a cookie server-side

Have you thought through your problem and solution properly. If you are having trouble implementing something in code it is always because you have not analysed the problem properly; that is why I am asking the questions above.

THINK, am I trying to solve the right problem in the first place?