php sessions + remember me Question

dreams4000

Hey all, just a question here about different methods of handling sessions. Curious what everyone's thoughts are on this. I have messed around with logging sessions in a DB and confirming against that, but this does not remember the login for next time. I have also messed with a login that has the remember me feature that keeps a cookie on that user's machine so they wont have to log in again. I have also looked at a number of sites that talk about one or the other of these.

The question I have is, if I am using the remember me feature using just cookies, is there any real need to store sessions in a DB for authentication? Any feedback or opinions on this would be cool. Thanks all!

kidsleep

I use both since cookies can be easily forged. When verifying the cookie, I check the stored value against the database. If it matches, then the user is logged in with sessions, if it doesn't match, they must log in again

dreams4000

Just to make sure I understand. You are checking the session id or some other value against the session id or something else stored in the db? Thanks again!

linus

Through laziness I've never messed that much with sessions, but it is important to note that if you log someone in by putting their username and password in cookies, the credentials in the cookies should be checked against those in the database in every single script. Otherwise I can go into the members list (say), forge my username cookie to be anyone and my password cookie to be anything (so long as it's present) and I will be "logged in."

dreams4000

Makes sense.

Thanks much for the advice on this! Off to change my script a little now 🙂