[RESOLVED] Advice Needed on Sessions/Forms

everythingis

I've been reading & watching tutorials about creating sessions for Registration & Log In forms but there seems to be several different ways or methods on how to set them & create security againt SQL injections.

It seems that because different people do it different ways, I don't know if it's better to combine different methods into one script, or if any one of the methods I've seen are sufficient on their own without needing to mix & match.

Is there a good reference for getting all these in one tutorial that anyone knows about? Here are the things I want to accomplish:

1) Register user & require verification through an activation URL sent to Email.

2) Log In - Utilizing a "remember me" checkbox so user does not have to log in each visit & redirects to member page.

3) Log In - Ensure that activation email has been loaded before allowing to log into site.

4) Set sessions for all pages on the site.

I have a few of these almost done, but I just want to make sure I'm doing them the best way.

I think I've confused myself because I started mixing & matching & I can't get a handle on what I can edit out, or what I still need to include.

LiamBailey

We can't tell you if you have done it the best way unless we see what way you have done it. Also we have no way of knowing what you have read and what you haven't.

Encrypting passwords using md5 and sha1 is a good idea, and then using those passwords to access everything in the db, like profile information etc, i.e.

$password = $_COOKIE['password']; // Cookie set after login successful,
$q = "SELECT * FROM DB WHERE Password ='$password'";

I always have the approval as a DB field, Approved Yes/No.

bradgrafelman

LiamBailey wrote:
Encrypting passwords using md5 and sha1 is a good idea

Except that neither of those are encryption algorithms... and an unsalted MD5 hash (or even salted, perhaps) isn't really secure by any standards anymore.

You'd also not want to do something like:

$password = $_COOKIE['password']; // Cookie set after login successful,
$q = "SELECT * FROM DB WHERE Password ='$password'";

else you're leaving yourself vulnerable to SQL injection attacks.

everythingis

Here's my Registration Script.

Below the code is my form. I'm not sure if I need to create a hidden field to capture the user_id for the DB, or if it automatically gets set when I reference it into my mysql query.

Also, I'm getting errors when I try to create a file folder for my members photos, so I commented out that section. I can't seem to get that working yet.

<?php


$errorMsg = "";
$firstname = "";
$lastname = "";
$bmonth = "";
$bday = "";
$byear = "";
$email = "";
$username = "";
$password = "";
$password_verify = "";
$country = "";
$gender = "";

// This code runs only if the form submit button is pressed
if (isset ($_POST['firstname'])){



$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$bmonth = $_POST['bmonth'];
$bday = strlen(trim($_POST['bday'])) < 2 ? '0'.trim($_POST['bday']) : trim($_POST['bday']); 
$byear = trim($_POST['byear']);
$email = $_POST['email'];
$username = $_POST['username'];
$password = $_POST['password'];
$password_verify = $_POST['password_verify'];
$country = $_POST['country'];
$gender = $_POST['gender'];
$humancheck = $_POST['humancheck'];


$firstname = stripslashes($firstname);
$lastname = stripslashes($lastname);
$bmonth = stripslashes($bmonth);
$bday = stripslashes($bday);
$byear = stripslashes($byear);
$email = stripslashes($email);
$username = stripslashes($username);
$password = stripslashes($password);
$password_verify = stripslashes($password_verify);
$country = stripslashes($country);
$gender = stripslashes($gender);

$firstname = strip_tags($firstname);
$lastname = strip_tags($lastname);
$bmonth = strip_tags($bmonth);
$bday = strip_tags($bday);
$byear = strip_tags($byear);
$email = strip_tags($email);
$username = strip_tags($username);
$password = strip_tags($password);
$password_verify = strip_tags($password_verify);
$country = strip_tags($country);
$gender = strip_tags($gender);


// Connect to database
include_once "includes/scripts/connect_to_mysql.php";



$emailChecker = mysql_real_escape_string($email);
 //Database duplicate e-mail check setup for use below in the error handling if else conditionals
$sql_email_check = mysql_query("SELECT email FROM member_profile WHERE email='$emailChecker'");
$email_check = mysql_num_rows($sql_email_check); 

 // Error handling for missing data
 if ((!$firstname) || (!$lastname) || (!$country) || (!$bmonth) || (!$bday) || (!$byear) || (!$email) || (!$password) || (!$password_verify)) { 

 $errorMsg = 'ERROR: You did not submit the following required information:<br /><br />';

 if(!$firstname){ 
   $errorMsg .= ' * First Name<br />';
 } 
 if(!$lastname){ 
   $errorMsg .= ' * Last Name<br />';
 } 
 if(!$country){ 
   $errorMsg .= ' * Country<br />';
 } 	
 if (empty($bday) || empty($byear) ) {
	$errorMsg .= ' * Birth Date<br />';		
}
 if(!$email){ 
   $errorMsg .= ' * Email Address<br />';      
 }
 if(!$password){ 
   $errorMsg .= ' * Password<br />';        
 } 	
 if(!$password_verify){ 
   $errorMsg .= ' * Verify Password<br />';      
 }

} elseif (!is_numeric($bday) || !is_numeric($byear) ) {
		$errorMsg = "Please use numbers only for birthdate.<br />";
} elseif (($bday < 1 || $bday > 31) || ($byear < 1000 || $byear > 9999) ) {
		$errorMsg = "Please use valid date range.<br />";
} else if ($password != $password_verify) {
		$errorMsg = 'ERROR: Your Password fields below do not match<br />';
} else if ($humancheck != "") {
		$errorMsg = 'ERROR: The Human Check field must be cleared to be sure you are human<br />';		 
} else if ($email_check > 0){ 
		$errorMsg = "<u>ERROR:</u><br />Your Email address is already in use inside our database. Please use another.<br />"; 
} else { // Error handling is ended, process the data and add member to database



//insert the user data
//first create the unique activation id 

$user_id = mysql_real_escape_string($_POST['user_id']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$bmonth = mysql_real_escape_string($_POST['bmonth']);
$bday = mysql_real_escape_string($_POST['bday']);
$byear = mysql_real_escape_string($_POST['byear']);
$email = mysql_real_escape_string($_POST['email']);
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$country = mysql_real_escape_string($_POST['country']);
$gender = mysql_real_escape_string($_POST['gender']);

// Add MD5 Hash to the password variable
$db_password = md5($password); 


// Add user info into the database table for the main site table
$sql = mysql_query("INSERT INTO member_profile (user_id, firstname, lastname, bmonth, bday, byear, email, username, password, country, sign_up_date, gender) 
VALUES('', '$firstname', '$lastname', '$bmonth', '$bday', '$byear', '$email', '$username', '$db_password', '$country', now(), '$gender')")  

     or die (mysql_error());


// Create directory(folder) to hold each user's files(pics, MP3s, etc.)	set folder permission to 777?	
//mkdir("members/$username", 0755);





//!!!!!!!!!!!!!!!!!!!!!!!!!    Email User the activation link    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    $to = "$email";

$from = "admin@sodidwe.com";
$subject = "so.did.we registration link";
//Begin HTML Email Message
$message = 

  "Hi $firstname,

   Please complete this step to activate your new account at so.did.we.

   Click, or copy and paste the link below into your browser address bar:

   http://www.sodidwe.com/activation.php?user_id=$user_id&sequence=$db_password

   Use these to sign in to the member area after account activation:
   Username: $username
   Password: $password

   See you on the site!
   admin@sodidwe.com

   so.did.we
   where strangers become friends"   

   ;
   //end of message
	$headers  = "From: $from\r\n";
    $headers .= "Content-type: text/plain";

mail($to, $subject, $message, $headers);

//!!!!!!!!!!!!!!!!!!!!!!!!!    End Email   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

   $msgToUser = "<h2>One Last Step!</h2>
   				<p class=\"content\">$firstname, thank you for registering with so.did.we.<br />
   				In a moment you will be sent an email with an activation link for your account.</br />
   				Please use that link to Sign In for the first time and start creating your member profile and events!</p>

			<p><strong><font color=\"#990000\">If you do not receive, or cannot activate your account, please contact the so.did.we team at: <br />
			admin@sodidwe.com.</font></strong></p> 
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />" ;

   echo "$msgToUser"; 

   exit();

   } // Close else after duplication checks

} else { // if the form is not posted with variables, place default empty variables


$errorMsg = "";
$firstname = "";
$lastname = "";
$bmonth = "";
$bday = "";
$byear = "";
$email = "";
$username = "";
$password = "";
$password_verify = "";
$country = "";
$gender = "";

 }

?>

everythingis

Here's the Activation Script once the email is received by the member:

<?php
// If the GET variable id is not empty, we run this script, if variable is empty we give message at bottom
if ($_GET['user_id'] != "") {

//Connect to the database through an include 
include_once "includes/scripts/connect_to_mysql.php";

$user_id = $_GET['user_id']; 
$hashpass = $_GET['sequence']; 
//sequence is the end of the activation URL that contains the hashed password

$user_id  = mysql_real_escape_string($user_id );

$hashpass = mysql_real_escape_string($hashpass);

$sql = mysql_query("UPDATE member_profile SET email_activated='1' WHERE user_id='$user_id' AND password='$hashpass'"); 

$sql_doublecheck = mysql_query("SELECT * FROM member_profile WHERE user_id='$user_id' AND password='$hashpass' AND email_activated='1'"); 
$doublecheck = mysql_num_rows($sql_doublecheck); 

	if($doublecheck == 0){ 
    		$msgToUser = "<br /><br /><h3><strong><font color=red>Your Account Could Not Be Activated!</font></strong><h3><br /><br />
						Please email site administrator at [email]admin@sodidwe.com[/email] and request manual activation. "; 
	echo "$msgToUser
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> "; 
	exit();

	} elseif ($doublecheck > 0) { 
    		$msgToUser = "<br /><br /><h3><font color=\"#0066CC\"><strong>Your Account Has Been Activated! <br /><br />
    		You may Sign In anytime.</strong></font></h3>";
	echo "$msgToUser
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> ";
	exit();
	} 

} // closes first if ($GET['user_id'])

print "<p class=\"errorText\">Your account could not be activated!</p>

<p class=\"errorText\">Essential data from the activation URL is missing! Please close your browser, go back to your email inbox to the registration email, and please use the full URL supplied in the activation link we sent you.</p>


<p class=\"errorText\">If you need further assistance, please email the site administrator.</p>


<p class=\"content\">Thank you,</p>
<p class=\"content\">admin@sodidwe.com<br /></p>

<p class=\"content\">so.did.we - where strangers become friends</p>

<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> ";




?>

everythingis

sorry, forgot the code tags on that last post & I can't edit it:

<?php
// If the GET variable id is not empty, we run this script, if variable is empty we give message at bottom
if ($_GET['user_id'] != "") {

//Connect to the database through an include 
include_once "includes/scripts/connect_to_mysql.php";

$user_id = $_GET['user_id']; 
$hashpass = $_GET['sequence']; 
//sequence is the end of the activation URL that contains the hashed password

$user_id  = mysql_real_escape_string($user_id );

$hashpass = mysql_real_escape_string($hashpass);

$sql = mysql_query("UPDATE member_profile SET email_activated='1' WHERE user_id='$user_id' AND password='$hashpass'"); 

$sql_doublecheck = mysql_query("SELECT * FROM member_profile WHERE user_id='$user_id' AND password='$hashpass' AND email_activated='1'"); 
$doublecheck = mysql_num_rows($sql_doublecheck); 

	if($doublecheck == 0){ 
    		$msgToUser = "<br /><br /><h3><strong><font color=red>Your Account Could Not Be Activated!</font></strong><h3><br /><br />
						Please email site administrator at admin@sodidwe.com and request manual activation. "; 
	echo "$msgToUser
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> "; 
	exit();

	} elseif ($doublecheck > 0) { 
    		$msgToUser = "<br /><br /><h3><font color=\"#0066CC\"><strong>Your Account Has Been Activated! <br /><br />
    		You may Sign In anytime.</strong></font></h3>";
	echo "$msgToUser
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
			<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> ";
	exit();
	} 

} // closes first if ($GET['user_id'])

print "<p class=\"errorText\">Your account could not be activated!</p>

<p class=\"errorText\">Essential data from the activation URL is missing! Please close your browser, go back to your email inbox to the registration email, and please use the full URL supplied in the activation link we sent you.</p>


<p class=\"errorText\">If you need further assistance, please email the site administrator.</p>


<p class=\"content\">Thank you,</p>
<p class=\"content\">admin@sodidwe.com<br /></p>

<p class=\"content\">so.did.we - where strangers become friends</p>

<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> ";




?>

everythingis

Here's my Login Script, I think I butchered it a bit:

<?php

$msg ="";
$username = "";
$password = "";




//If username is not blank, then check database 
if ($_POST['username'] != "") {

include_once "includes/scripts/connect_to_mysql.php";

$username = $_POST['username'];
$password = $_POST['password'];
$remember = $_POST['remember']; // Added for the remember me feature

//These remove slashes for protection
$username = strip_tags($username);
$password = strip_tags($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);


// Add MD5 Hash to the password variable
$db_password = md5($password); 	

//looks in database where there is a username & password and the account has been activated
$sql = mysql_query("SELECT * FROM member_profile WHERE username='$username' AND password='$password' AND email_activated='1'"); 
$login_check = mysql_num_rows($sql);


 //VALIDATIONS
if(empty($username)){
	$msg = "Please enter your user name.<br>";
}

if(empty($password)){
	$msg = "Please enter your password.<br>";
}

if($login_check !> 0){
	$msg = "Your Login information is not correct.<br>";
}
else {
	$msg = "Welcome back $firstname, you are Signed In."
}




//if the database check is good, it creates Sessions
	if($login_check > 0){ 

	while($row = mysql_fetch_array($sql)){ 

  	  $user_id = $row["user_id"];   
 	  $_SESSION['user_id'] = $user_id;

 	  $firstname = $row["firstname"];   
  	  $_SESSION['firstname'] = $firstname;

  	  $username = $row["username"];   
  	  $_SESSION['username'] = $username;

  	  mysql_query("UPDATE member_profile SET last_log_date=now() WHERE user_id='$user_id'"); 


  	} // close while

		// Remember Me Section Addition... if member has chosen to be remembered in the system
		 if($remember == "yes"){
 			setcookie("idCookie", $user_id, time()+60*24*60*60, "/"); // 60 days; 24 hours; 60 mins; 60secs
 			setcookie("firstnameCookie", $firstname, time()+60*24*60*60, "/"); // 60 days; 24 hours; 60 mins; 60secs
 			setcookie("userCookie", $username, time()+60*24*60*60, "/"); // 60 days; 24 hours; 60 mins; 60secs
 			setcookie("passCookie", $password, time()+60*24*60*60, "/"); // 60 days; 24 hours; 60 mins; 60secs
		 }	

} 		 else {
   				exit();

		}
}// close if post

?>







<?php if(isset($msg)){?>
<tr>
	<td>
	<?php echo "<p class\"errorText\">".$msg."</p><br/>";?>
	</td>
</tr>
<?php }?>

everythingis

I also just realized that the user_id is not being included into the activation URL because it hasn't been pulled from newly created row in the database.

Will it work if I just add a SELECT FROM sql query right under my INSERT INTO? Should I make it into an if else statement if the form has been submitted, or is that not needed?

bradgrafelman

Various comments/suggestions:

Registration form:

everythingis wrote:
I'm not sure if I need to create a hidden field to capture the user_id for the DB, or if it automatically gets set when I reference it into my mysql query.
PHP doesn't automatically do things for you; it does exactly what you tell it to (and , conversely, doesn't do what you don't tell it do). I'll offer a solution to this below, though..
everythingis wrote:
Also, I'm getting errors when I try to create a file folder for my members photos
Most likely a file permissions error (though it would help if you paste the exact error). PHP has to have write permissions to the parent directory in which you're attempting to create files or subdirectories. Might want to double check that.
In your registration script, why are you applying [man]stripslashes/man to the incoming POST'ed data? You should never have to do this, unless magic_quotes_gpc has been enabled in your PHP config. If that is the case, you should make every possible effort to disable this directive (it's been deprecated for quite some time and even removed altogether in newer versions of PHP).
Instead of running a SELECT statement to verify that the e-mail isn't a duplicate, you could instead add a UNIQUE index on the email column and allow the database to maintain the data constraint. That way, you'd simply do your INSERT statement and, if it fails with error code 1062 (duplicate data for key), you could analyze the error to see if it was the key for the email column and, if so, display the appropriate error message.

The benefits of this technique become more obvious when applications grow in size. Rather than running separate queries to verify the unique constraint in several different places within your PHP scripts (e.g. registration, profile editing, etc. etc.), the constraint is handled in one place - at the database level.
After verifying that the birthday information is numeric, you could instead use [man]checkdate/man to verify that it's a valid date as well.
If you're going to take the MD5 hash of the password field, then take the hash of the original, unaltered data - don't use [man]mysql_real_escape_string/man before (or after, for that matter).
AUTO_INCREMENT fields (e.g. user_id, I'm guessing) are normally omitted from INSERT queries. If you do list them, you're supposed to use NULL for the value... but there's really no reason to list them in the first place, really.
Why are you storing the components of the birthday in separate columns? Store them in a single DATE column (since that's what the datatype was created for in the first place!).

Activation Script:

```
if ($_GET['user_id'] != "") { 
```
If $_GET['user_id'] is not set, that code will generate an E_NOTICE error message. Instead, you should verify that the array index exists before using it (e.g. by using [man]isset/man or [man]empty/man).
```
$user_id  = mysql_real_escape_string($user_id ); 
```
If the user_id column in the database is a numeric type (e.g. an integer), then you should: a) cast the user-supplied data to an (int) (or use [man]intval/man) to sanitize it, and b) do not surround the numeric value with quotes in the SQL query.
Rather than performing a SELECT after the UPDATE statement, you could simply perform the UPDATE and check to see if it matched/updated any rows via [man]mysql_affected_rows/man.
everythingis wrote:
I also just realized that the user_id is not being included into the activation URL because it hasn't been pulled from newly created row in the database.
As I said above, it's not being included in the URL because you didn't tell PHP to do so. After performing the INSERT statement in the registration script, you can use [man]mysql_insert_id/man to retrieve the value of the newly created row's AUTO_INCREMENT column value.
everythingis wrote:
Will it work if I just add a SELECT FROM sql query right under my INSERT INTO?
It might, and it might not. What would happen if you went with that approach is that you'd be creating a race condition. What if two forms are submitted nearly simultaneously, and before connection #1 can finish sending the SELECT query and retrieving the value, the other form's INSERT succeeds in connection #2. Thus, connection #1's query to retrieve the highest user_id value will erroneously retrieve the value from connection #2.

```
if ($_POST['username'] != "") { 
```
Same comment as above about validating incoming data exists before referencing it.
```
//These remove slashes for protection 
$username = strip_tags($username); 
$password = strip_tags($password); 
$username = mysql_real_escape_string($username); 
$password = mysql_real_escape_string($password); 
```
Again, why are you using strip_tags() on incoming data? Also note that the comment isn't technically correct (in fact, it's entirely incorrect for [man]mysql_real_escape_string/man, which actually adds slashes for protection).
```
$db_password = md5($password); 
```
Again, same comment as above about using an MD5 hash on the original value instead of [man]mysql_real_escape_string/man.
```
while($row = mysql_fetch_array($sql)){
```
If there is only 1 row expected to be returned for a valid login, why are you using a while() loop?

everythingis

Thanks for the help!

Register Page:
3) I thought strip_slashes would protect against an sql injection. Before the info is inserted into the database, how do you eliminate any potential hacks? If I take that out, is there something else I should be using instead?

4) I 'm not quite sure how to do the email authentication your way, so I'll have to learn that. I know how to change it in the database, but not sure how to compare that against the original email entered on the form in PHP.

I'll have to go through your post a few times & do some more reading to figure out how to implement your suggestions. A lot of this is new to me & I've seen these functions on tutorials without really understanding exactly why they were used, and what is needed & why they are or are not needed.

laserlight

everythingis wrote:
3) I thought strip_slashes would protect against an sql injection. Before the info is inserted into the database, how do you eliminate any potential hacks? If I take that out, is there something else I should be using instead?

As bradgrafelman indicated, stripslashes() is intended to undo the effect of magic_quotes_gpc being set to on. You might use it after checking [man]get_magic_quotes_gpc/man, since if the setting is off, you should not be using stripslashes() here. As you are using the MySQL extension, the appropriate way to "eliminate any potential hacks" is to use mysql_real_escape_string on string data, and cast numeric data to the appropriate type (perhaps by using [man]sprintf/man). To some extent, you appear to be doing this.

everythingis

On both my Register & Login scripts, should I remove both the stripslashes() and striptags ()? Or just the stripslashes?

And regarding the password variable, I'm guessing the reason why I'm not supposed to use mysql_escape_string for it when I set the md5 (and I'll add hashing & salt), is because it's safe regardless what the user inputs because it will be randomized into an alphanumeric value?

Oh, and on my login page, am I setting the sessions and cookies correctly? Do I need to randomize those, or is it not necessary? And is setting a cookie for the password safe, or should I remove that one?

Thanks!

I've changed the way the dates are handles, so I'll lookup the checkdate

bradgrafelman

everythingis wrote:
On both my Register & Login scripts, should I remove both the stripslashes() and striptags ()? Or just the stripslashes?

In my opinion, data should be stored in the database without disrupting it's integrity; thinks such as [man]strip_tags/man, [man]htmlentities/man, etc. etc. should only be used (if necessary) when displaying data retrieved from a database - not when inserting it.

As I've said before (if not here then I'll say it now :p), you should never have to use [man]stripslashes/man on incoming data with one exception: to reverse the affects of magic_quotes_gpc if it is enabled (in which case, you usually walk through the $POST, $COOKIE, and $_GET arrays before you do any other processing to undo the ill effects of magic_quotes_gpc).

everythingis wrote:
I'm guessing the reason why I'm not supposed to use mysql_escape_string for it when I set the md5 (and I'll add hashing & salt), is because it's safe regardless what the user inputs because it will be randomized into an alphanumeric value?

Well it won't be random, but yes, the output of the MD5 algorithm will be a hexadecimal string. Since none of those characters ([0-9a-f]) will cause problems in a SQL query, there's no need to escape the data. It certainly doesn't hurt to try to escape the output of an MD5 hash, but it's a bit of a waste of time (since nothing will be escaped).

everythingis wrote:
Oh, and on my login page, am I setting the sessions and cookies correctly?

Nothing seems wrong, although when using cookies I like to specify the domain as ".mydomain.com" so that the cookie will be sent for both http://mysite.com and http://www.mysite.com. By default, it will only apply to the domain the user visited, so if you redirect them (or they later type in the other URL) and the subdomains don't match (e.g. going from a null subdomain to "www" or vise versa), they'll be "logged out" since the cookie won't be sent.

As an example, look at how you're accessing PHPBuilder right now. If it's "www.phpbuilder.com", and you've always visited the site that way, try removing the "www." from the URL - you'll probably have to login again (or go back to "www.").

One problem I do notice is that you never call [man]session_start/man on the login page, thus session variables won't be available.

everythingis wrote:
Do I need to randomize those, or is it not necessary?

Don't know what you're referring to... randomize what? The values? The names? I can't think of anything you'd need to "randomize," so I guess the answer is... no?

everythingis wrote:
And is setting a cookie for the password safe, or should I remove that one?

If you removed the password from the cookie, how would you authenticate returning visitors? Solely by the username in the cookie? What if I altered the headers my browser was sending and used different usernames?

For sensitive data like that, I like to use sessions so that the data is server-side only. Because of this, the user can't maliciously tamper with (or even see) the data. You can always modify the session cookie to persist longer than the current session by using [man]session_set_cookie_params/man. You might even use [man]session_name/man to give the session a unique name so that other scripts won't disrupt the session.

everythingis

I'm using my login, register, and activation files as includes into my template, so I have the session_start() in my main page, and these scripts get called in depending on which pages need them. It makes it easier for me to read & manage them.

I saw a tutorial where someone took the session and cookie variables and added something like rand() to them. I can't remember exactly if that was the function. I'll just ignore that idea if it's not important.

Thanks for the cookie ideas.