Hi All,

I have a web app that uses session-based security - I validate a user's name/password via a web form lookup to a database table, and use session_register() to register session variables for the users.

What is the best way for me to give the user the option to "always stay logged in" to the web app - cookies?

Does anyone know of a good tutorial that would work with my session security?

Thanks,

    Originally posted by stevea
    Hi All,

    I have a web app that uses session-based security - I validate a user's name/password via a web form lookup to a database table, and use session_register() to register session variables for the users.

    What is the best way for me to give the user the option to "always stay logged in" to the web app - cookies?

    Does anyone know of a good tutorial that would work with my session security?

    Thanks,

    There are hundreds of threads here about setting 'remember-me' cookies.
    Only last week, like 4-5 threads.

    How about clicking the search link, in the upper right corner.
    Keyword 'setcookie'

    http://php.net/setcookie

    Good luck! 🙂

      Cookies are the way to go, sessions only last 20 minutes(?) idle time, after that they delete themselves, they also are removed after the script/browser is closed. I am pretty sure only cookies can do this for you, I don't think there is a way to extend a session's time frame, or a way to have it affect a specific machine? So yeah, cookies are your only other option.

        Originally posted by TimTimTimma
        Cookies are the way to go, sessions only last 20 minutes(?) idle time, after that they delete themselves, they also are removed after the script/browser is closed. I am pretty sure only cookies can do this for you, I don't think there is a way to extend a session's time frame, or a way to have it affect a specific machine? So yeah, cookies are your only other option.

        The above isn't exactly true because you can modify how a session behaves through php.ini and session_set_cookie_params() so that it doesn't go away when the browser is closed.

        Nevertheless this is an ideal 'real' cookie situation. Setting the cookies won't be your problem, but you'll have to think about how to make the cookie secure so you don't just throw in someone's userid and voila, you get access to all their stuff. Ideally put in a creation time plus a hashed checksum of their userid or username plus some other scrambling string that only you know. Then, if you want, make them log in again when the time set in the cookie is old. Putting a time in the cookie generated from your server also gets you around the problem of time differences between the user's machine and your server and the ubiquitous "Why can't users stay logged in" questions.
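
The cookie layout described in the last reply (server-generated creation time plus a keyed hash over the user id), as an added example that is not code from any poster in this thread. It uses HMAC-SHA256 as the "hashed checksum"; the function names, the cookie name `remember`, the numeric user id, the secret placeholder and the 30-day lifetime are all assumptions.

```php
<?php
// Added example. Names, secret and lifetime are assumptions, not from the thread.
const REMEMBER_SECRET  = 'REPLACE-WITH-LONG-RANDOM-SERVER-SIDE-SECRET'; // placeholder
const REMEMBER_MAX_AGE = 2592000; // 30 days in seconds (assumed policy)

// Token layout: "<userid>|<issued>|<mac>". The issued time comes from the
// server clock, so the client's clock never enters the freshness check.
function make_remember_token(string $userId, int $now): string
{
    $payload = $userId . '|' . $now;
    return $payload . '|' . hash_hmac('sha256', $payload, REMEMBER_SECRET);
}

// Returns the user id when the token is authentic and fresh, otherwise null.
function check_remember_token(string $token, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;                         // wrong shape
    }
    [$userId, $issued, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($issued)) {
        return null;                         // numeric ids assumed
    }
    $expected = hash_hmac('sha256', $userId . '|' . $issued, REMEMBER_SECRET);
    if (!hash_equals($expected, $mac)) {     // constant-time comparison
        return null;                         // user id or time was altered
    }
    $age = $now - (int) $issued;
    if ($age < 0 || $age > REMEMBER_MAX_AGE) {
        return null;                         // too old: make them log in again
    }
    return $userId;
}

// Constructed demo values: a valid token, one with the user id swapped,
// and the valid token presented after the lifetime has passed.
$now    = time();
$token  = make_remember_token('42', $now);
$forged = '43' . substr($token, 2);
var_dump(check_remember_token($token, $now));
var_dump(check_remember_token($forged, $now));
var_dump(check_remember_token($token, $now + REMEMBER_MAX_AGE + 1));

// In a web request the token would be sent with, for example:
// setcookie('remember', $token, ['expires' => $now + REMEMBER_MAX_AGE,
//     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

A token built this way stays valid until it ages out, so a copied cookie cannot be revoked for one user; changing the secret invalidates every outstanding token.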
