Looking for a simple cookie based login system

schwim

Hi there guys,

I'm writing a site engine that requires user management and currently, I'm just using sessions to handle the user(check the username & pass to db and if it's a match, username =$SESSION['username']. If ISSET $SESSION['username'], then allow them to access member privs)

My problem is that I'd like them to be able to stay logged in if they'd like. Is there a simple way to alter a session based login to do this, or do I need to start over with the login system?

Any pointers, tuts or suggestions would be welcome 🙂

thanks,
json

NogDog

You could change the related session configuration values so that they can stay logged in longer, even if the browser is closed. Basically you'd want to set both session.cookie_lifetime and session.gc_maxlifetime to some large number of seconds.

schwim

Hi nog,

thanks very much for the response. I'd need to handle this script-side and from the way I understand the functions, the only way to manipulate these values are via php's settings, no?

How would I effect the same thing that every forum system in the world has?

thanks,
json

NogDog

See [man]session_set_cookie_params/man setting the cookie expiration, and [man]ini_set/man for the gc setting. Also, if this is hosted in a situation where other scripts may use the same default session data directory, then you should set up and use a separate directory for your scripts to use; otherwise other scripts' session_start()'s may delete your session data, because their gc_maxlifetime will apply when they run.

You would need to do the following before each session_start() (probably put into a singe include file?). Make sure that session data directory is writable by Apache.

<?php
// session settings:
$loginTime = 60*60*24*30; // 30 days
$sessDir = $_SERVER['DOCUMENT_ROOT'].'/sessions';
// apply settings then start session
session_set_cookie_params($loginTime);
ini_set('session.gc_maxlifetime', $loginTime);
session_set_save_path($sessDir);
session_start();

schwim

Thanks very much for that nog, it looks pretty fantastic. I'll add it to the included functions file and handle it that way. If I can, I have another question for you.

Right now, to decide whether the visitor is legitimately logged in, I'm simply checking for the existence of $_SESSION['user']. Obviously, there's some flaws to this in regards to secuirty.

In your opinion, and using the current session login system, what would you suggest be the best way to ensure that the user is legitimately logged in?

thanks,
json

schwim

schwim;10891573 wrote:
Right now, to decide whether the visitor is legitimately logged in, I'm simply checking for the existence of $_SESSION['user']. Obviously, there's some flaws to this in regards to secuirty.

Any suggestions above just checking for a correct password for the stored username in an attempt to make the script somewhat secure?

thanks,
json

schwim

Hi there Nog,

Never heard back from you but began implementing your suggestion and ran into a problem:

I added your code to a new file called session.php and at the beginning of each main file, I call it. I'm getting an error though:

Fatal error: Call to undefined function session_set_save_path() in /var/www/html/sandbox/includes/session.php on line 9

The very first thing getting called is your code and I have yet to make any changes to it yet. I simply created the sessions dir, set the permissions and ran with it.

Did I neglect a step of the process?

thanks,
json

schwim

Ok, I changed session_set_save_path to session_save_path and think that I got a little further along in setting it up. Sorry for the confusion 🙂

thanks,
json

NogDog

schwim;10892922 wrote:
Ok, I changed session_set_save_path to session_save_path and think that I got a little further along in setting it up. Sorry for the confusion 🙂

thanks,
json

I know it's hard to believe, but (a) I don't have every single PHP function name memorized, and (b) I do make occasional mistakes. So caveat emptor when using any of my code samples. 😉

schwim

NogDog;10892934 wrote:
... and (b) I do make occasional mistakes. So caveat emptor when using any of my code samples. 😉

Sure, and the earth is flat. 😉

I very sincerely appreciate the help.

thanks,
json

schwim

Well, I thought I was in the clear, but my testing leaves a little something to desire. The system is placing the cookie, and the data seems to be legitimate, but it's no longer registering the login.

I replaced:

session_start();

with

// session settings:
$loginTime = 60*60*24*30; // 30 days
$sessDir = $_SERVER['DOCUMENT_ROOT'].'/sandbox/sessions';
// apply settings then start session
session_set_cookie_params($loginTime);
ini_set('session.gc_maxlifetime', $loginTime);
session_save_path($sessDir);

session_start();

I then logged in. The session storage directory gets a new file with the session id. The browser still gets a cookie issued and it's expiration is 30 days away(yay!)

However, my very simple authentication system is no longer registering the login and it loops right back to the index with the anonymous setting flagged.

I'm not sure where to go from here in regards to troubleshooting. The cookie is getting issued, but it no longer is respecting it.

Here's my authentication ifelse:

if(!session_is_registered('myusername')){
	$_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
	header("location:user.php?action=login");
}else{
	echo("
logged in stuff");
}

This worked before the change in the change listed above. Do I need to alter my check to work with the new session setup?

thanks,
json

schwim

Hi there,

Problem solved by being less of a dolt. I hadn't made the proper changes to the login system and it was not using the new settings.

Quick question though: Will PHP's garbage collection function clean up the cookies in the new directory, or do I need to script a way for it to happen if it's outside of tmp?

thanks,
json