I'm working on a login form using sessions and cookies. I'm using $_SESSION to hold the user's name. I primarily use this to display the user's name on screen (Ex. Hello User Name). I use the cookie merely as a mechanism to allow for a more persistent login. If the user closes the browser, the cookie sits tight until they visit the site again.
There is one section that I need to block access to unless the user is signed in. If the user is signed in, they may view these pages like any other.
If a user attempts to view the restricted pages, the possible scenarios I'm coming up with in terms of match/mismatch of the session and cookie are:
Session - Yes, Cookie - Yes -> Do nothing, grant access as normal
Session - No, Cookie - No -> Send to sign in
Session - Yes, Cookie - No -> Destroy session and send to sign in
Session - No, Cookie - Yes -> Search for cookie in user table, if exists auto login
Session - No, Cookie - Wrong -> Remove Cookie, go to sign in
Session - Yes, Cookie - Wrong -> Destroy session, go to sign in
Login function
I use the standard check of user name and password in the database. If they match, I setcookie with a random unique id and away they go.
Validate function
I add this function to any page that requires sign in before viewing. This function would be set up to handle the above scenarios and act accordingly.
My brain is turning to goo as I've been trying to get things sorted. So, I thought I'd just post what I've come up with here before I go any further. Any help is as always appreciated.
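A PHP sketch of the validate function covering the six cases above, added here as an example and not the poster's code; it assumes PHP 7.3+, a PDO connection $pdo, and a hypothetical users table with columns id, name and remember_token_hash. It goes slightly beyond the post: the cookie holds a random token whose hash is what gets stored server-side, the session id is regenerated on auto-login, and the token is rotated each time it is used.

```php
<?php
// Assumed schema (hypothetical): users(id, name, remember_token_hash).
const REMEMBER_COOKIE = 'remember';

function issue_remember_cookie(PDO $pdo, int $userId): void {
    // Random, unguessable token; only its hash is stored, so a DB leak cannot replay it.
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('UPDATE users SET remember_token_hash = ? WHERE id = ?')
        ->execute([hash('sha256', $token), $userId]);
    setcookie(REMEMBER_COOKIE, $token, ['expires' => time() + 30 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

function sign_out_and_redirect(): void {
    // Remove both halves of the login state, then bounce to the sign-in page.
    $_SESSION = [];
    session_destroy();
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    header('Location: /signin.php');
    exit;
}

function require_login(PDO $pdo): void {
    session_start();
    $sessionUser = $_SESSION['user_id'] ?? null;
    $token = $_COOKIE[REMEMBER_COOKIE] ?? null;
    // Session - No/Yes, Cookie - No: nothing to verify against, so sign out.
    if ($token === null) {
        sign_out_and_redirect();
    }
    // Cookie present: look it up by hash (covers both the "Yes" and "Wrong" cases).
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE remember_token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Cookie - Wrong: unknown token, or token belongs to a different user than the session.
    if ($row === false || ($sessionUser !== null && (int)$row['id'] !== $sessionUser)) {
        sign_out_and_redirect();
    }

    // Session - No, Cookie - Yes: auto login with a fresh session id and a rotated token.
    if ($sessionUser === null) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int)$row['id'];
        $_SESSION['name'] = $row['name'];
        issue_remember_cookie($pdo, (int)$row['id']);
    }
    // Session - Yes, Cookie - Yes: fall through and grant access.
}
```

Call require_login($pdo) at the top of each restricted page, and issue_remember_cookie() from the login function once the password check passes.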