Looking for persistent login tut/class/explanation

schwim

Hi there everyone,

I've got a script built that I'm very happy with. It does most of the stuff I need it to do and I'm getting close to wrapping it up.

One of the things I still need to do is to change the user authentication to one that allows persistent logins. I used just a basic login to get the script off the ground and am now having problems finding a tutorial or class that I can use.

I've looked at and installed frameworks like codeigniter but I really am unhappy with what would be required to move everything over for the one feature that I want. I know that if I were smarter about this feature, I would be able to alter the system to utilize the database to make what I want, but I don't understand enough about it to do so and I'm having no luck at all finding something to plug in.

Does anyone know of a system that they like to use for this or maybe know of a tutorial they could point me to? I'd be forever grateful!

thanks,
json

NogDog

If using "normal" PHP sessions via session_start(), you can make them persist by setting the desired config values for session.cookie_lifetime and session.gc_maxlifetime. (The default of "0" for cookie_lifetime means it only persists until the browser is closed.)

Note that if your application could possibly be sharing its session data directory with other apps or even other accounts (e.g. on a shared host), you may want to designate a separate session data directory for this app, so that the other apps to not "garbage collect" your session data when they run with different gc_maxlifetime settings.

schwim

Hi there Nog and thanks very much for taking the time to reply.

I'm on a shared host but even if I wasn't dealing with that issue, I'd like to build my own if possible(well, through a tutorial) simply because I'd like to have a better understanding of the dealings between a cookie and the database. I've read what basically transpires to make custom persistent login work, but don't know enough to make that actually happen yet.

I guess I could post my current login system and maybe could get assistance in converting it(or at the least have someone explain why my login system won't work).

thanks,
json

schwim

Here's my current system.

Please let me say before you look at this, I know it's completely lacking in regards to security. This was kind of a placeholder so I could get all the pages and functions working. I'm wondering if this system can be transformed into a relatively secure persistent login system.

Checking their Login:

/* get the incoming ID and password hash */
$username = mysql_real_escape_string(substr(strtolower($_POST["username"]), 0, 15));
$password = mysql_real_escape_string(substr(sha1($_POST["password"]), 0, 40));

/* Are we working with a legitimate login?  If so, give them the proper permissions. */
$query="SELECT * FROM users WHERE username='$username' AND password='$password'";
$result=mysql_query($query) or die (mysql_error());
$numr=mysql_num_rows($result);
if($numr==1){
	while($row=mysql_fetch_array($result)){
		$userid=$row['userid'];
		$username=$row['username'];
		$userperms=$row['perms'];
	}
	session_start();
	header("Cache-control: private");
	$_SESSION['access'] = $userperms;
	$_SESSION['userid']=$userid;
	$_SESSION['username']=$username;
	$_SESSION['name_first']=$name_first;
	$_SESSION['name_last']=$name_last;
	if(ISSET($_SESSION['return_url'])){
		header("Location: ".$_SESSION['return_url']);
	}else{
		if($userperms>='2'){
			header("Location: ./overlord.php");
		}else{
			header("Location: ./index.php");
		}
	}

}else{

/*Flag them as a failed login and send them back to try again.*/
session_start();
$_SESSION['access'] = "denied";
header("Location: ./index.php?content=login");

}

Authentication on page load:

/*Do the authentication boogaloo.*/
header("Cache-control: private");
if(ISSET($_SESSION['access'])){
	if ($_SESSION['access'] == "3"){
		$userperms='3';
	}else{
		if ($_SESSION['access'] == "2"){
			$userperms='2';
		}else{
			if ($_SESSION['access'] == "1"){
				$userperms='1';
			}
		}
	}		
}else{
	$userperms='0';
}

Any hope of converting this into something I can use?

thanks,
json