Posts posted by jimfog

  1. Your explanation about the token was very good. I just want to focus a little on the multiple persistent sessions issue. What is the rule of thumb today: should I design the persistent login mechanism (meaning a separate table in the database) taking into consideration that the logins will be taking place on more than one computer? I have not the slightest clue about the above... What is your personal opinion?

  2. If they have multiple persistent sessions then you need a separate table.
    What do you mean by multiple persistent sessions? Can you give an example, please, of when this can occur?
    And make sure not to store the plain-text random token; since it is password-equivalent in allowing access to your system, it needs to be stored as a hash.
    Regarding the token, this is going to be generated by the uniqid function (that is my intention, probably). This, by definition, is NOT plain text, unless you are suggesting that I hash it ANYWAY.
  3. Storing it in the user table should be sufficient, as each user can have only one remember token (if you are planning to remember the user on only one machine).
    So, let me see if I understood correctly (and please say so): the key/random number of the cookie should, you are saying, be stored in the user table, where the password is also found.
  4. Since we will be using the username after all, I have to ask the following question. Now, I am using a table named users where I store relevant info (password etc.). From the above discussion I understood that a table must exist where the cookie data will be compared with the table data, where the username will be stored. So, in essence, we are talking here about 2 tables having the username. Or is it maybe better to have a foreign key (in the table against which the cookie data will be compared) that will point to the username table? This question relates to the db schema I should follow to achieve what I want.

  5. I have a table where a column stores the output of uniqid, meaning a random number that is different every time the function is called. I have set this to be the primary key of the table. Do I need to set it to AUTO_INCREMENT also? Or do you think it is maybe better to create a separate column named primary and set this to auto increment?

  6. Ok... so the value of the cookie (as I understand) will be an encryption of the username plus another hashed key. And I am going to compare this with the username in the database; I suppose the username will be maintained in the db in a regular, non-encrypted form. The next question is this: how am I going to pull the username from the cookie, which, as you said, must be encrypted? How am I going to decrypt the username that is found in the cookie? An example here would be better. I am describing above the first step of the whole process, but let us focus on it for now.

  7. I get the same error again: Warning: mysql_fetch_array() expects parameter 1 to be resource, object given in, and, plus that, in the browser I see the word null printed. No results so far. Just to remind you, here is the sql statement I want to run:

     $result=$conn->query("SELECT username FROM `hairdressers` WHERE id=1");

  8. Why is var_dump needed? I ran the code below:

    echo mysql_fetch_array($result);

    and I got the following message: Warning: mysql_fetch_array() expects parameter 1 to be resource, object given in . That happens, of course, because mysql_fetch_array does not work on objects. Is that the reason I should use var_dump, to overcome the above issue?

  9. I am trying to echo the result of a select statement, but I cannot. Here is the statement:

    $conn = db_connect();
    $result = $conn->query("select username from hairdressers where username='".$username."'");
    echo $result;

    and here is the message I get: Object of class... could not be converted to string. What should I do to convert the object into a string and subsequently print it to the browser?
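The failures in the three posts above (echoing the result, and passing it to mysql_fetch_array) have the same cause: $conn->query() on a mysqli connection returns a mysqli_result object, not the resource the old mysql_* functions expect, so the row has to be read through the object's own fetch methods. The following is an added example, not jimfog's code; db_connect() and the hairdressers table are taken from the thread, and the two function names are mine. The username lookup binds the value instead of concatenating it into the SQL string.

```php
<?php
// Added example, not the poster's code. Assumes db_connect() returns a mysqli
// connection and that a table `hairdressers` with columns id and username exists.

/** Look up one username by id; null when no such row exists. */
function username_by_id(mysqli $conn, int $id): ?string
{
    $stmt = $conn->prepare('SELECT username FROM hairdressers WHERE id = ?');
    $stmt->bind_param('i', $id);            // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // associative array, or null if no row
    return $row['username'] ?? null;
}

/** The query from post 9, with the username bound rather than concatenated. */
function username_exists(mysqli $conn, string $username): bool
{
    $stmt = $conn->prepare('SELECT 1 FROM hairdressers WHERE username = ?');
    $stmt->bind_param('s', $username);      // 's' = bind as string
    $stmt->execute();
    return $stmt->get_result()->num_rows > 0;
}

$conn = db_connect();
$name = username_by_id($conn, 1);
// Escape before printing so a username cannot inject markup into the page.
echo $name === null ? 'no such row' : htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

var_dump($result) is still useful for seeing that the variable is a mysqli_result object rather than a string, but it is the fetch call, not var_dump, that gets the value out.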

  10. When you check the existence of a cookie you check that token against the database, like thescientist said, and prepare the session data at the same place if the credentials match, before the redirection. Remember, that a cookie is set does not mean that the user is authenticated.
    I am trying to do this now; I just want some help on the coding.
    The thing is, if the cookie is set you will again set the session variable and then redirect to the main page.
    Exactly right, this is what I am trying to achieve. Here is some code (not all of it; I do not want to overload you with code that might not be useful in our discussion):

        if (isset($_COOKIE['cookiename'])) {
            header("Location: adminmember.php");
        }
        if (!empty($_POST['remember'])) {
            $timestamp = time();
            $identifier = uniqid();
            uniqid_to_db($identifier, $timestamp);
            setcookie('cookiename', $identifier, time() + 60 * 60 * 24 * 7);
        }

    The first if statement checks if the user's PC has a cookie and then redirects. Of course, here the code for checking the credentials (with the database) is missing, plus it does not assign a value to the session array so that it can be transferred to adminmember.php. The second if statement just sets a cookie if the user has checked the "remember me" option in the login form (not shown here). I just need to set a session variable based on the user's name in that first IF statement so that this can be passed later to adminmember.php. The above implies "pulling" the username from the cookie; for security reasons though, I have not placed the username in the cookie, just a random number. It seems that using a hashed username in the cookie, and checking it against the db, is the only way to achieve what I want and have the session work in adminmember.php. Comments?

  11. This is the new statement, correct I think:

    INSERT INTO session(randnumber) VALUES ('gg');

    Randnumber is the second column of a table in which the first one is called timestamp. I ran the above statement in phpMyAdmin and I got the following message:

    #1364 - Field 'timestamp' doesn't have a default value

    The gg above is just for testing. Despite targeting the randnumber column, I get a message that refers to the timestamp column. Both columns are of the varchar type. What is wrong here?

  12. This is the code that redirects the user if a cookie is found on their system:

    if (isset($_COOKIE['cookiename'])) {
        header("Location: adminmember.php");
    }

    The code works; the problem is that when the user reaches the above page the session is useless, because no variable is assigned to the session array, and that happens because the code which does that is located in index.php and it IS SKIPPED if the cookie is found. The redirection code above is found in index.php. If a cookie is not found, then the login form appears along with the code that assigns the username to the session array, if the form is successfully completed. But all of the above is skipped if the user is a returning visitor (something that is tested with the code at the beginning of the post), so no variable is assigned to $_SESSION. What can I do to fix it?
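Posts 2, 4, 5, 10 and 12 above are all pieces of one design: a random token in the cookie, stored hashed in its own table that points at the user row by foreign key, and a check of that token on the next visit that fills $_SESSION before the redirect. The following is an added example, not jimfog's code and not the forum's; it assumes the db_connect() helper from the thread, a users table with an integer id, and the remember_tokens table sketched in the comment (my names). It differs from the posted code in two deliberate ways: the secret is produced by random_bytes() rather than uniqid(), and only its SHA-256 hash is written to the database, so a dump of the table cannot be replayed as a login.

```php
<?php
// Added example (not the poster's code). Assumes db_connect() returns a mysqli
// connection and that the following table exists (assumed schema):
//
// CREATE TABLE remember_tokens (
//     id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//     user_id    INT UNSIGNED NOT NULL,             -- foreign key to users.id
//     selector   CHAR(24)     NOT NULL UNIQUE,      -- public lookup key
//     token_hash CHAR(64)     NOT NULL,             -- SHA-256 hex of the secret
//     expires_at DATETIME     NOT NULL,
//     FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
// );
//
// The surrogate AUTO_INCREMENT id is the primary key; the random value is a
// separate UNIQUE column, so the two questions in post 5 do not collide.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 7; // seven days, as in the posted code

/** Issue a token after a successful password login and set the cookie. */
function issue_remember_token(mysqli $conn, int $userId): void
{
    // selector: lets us find the row; validator: the secret, never stored in clear.
    // random_bytes() is a CSPRNG; uniqid() is derived from the clock and is guessable.
    $selector  = bin2hex(random_bytes(12));  // 24 hex characters
    $validator = bin2hex(random_bytes(32));  // 64 hex characters
    $hash      = hash('sha256', $validator);
    $expires   = date('Y-m-d H:i:s', time() + REMEMBER_TTL);

    $stmt = $conn->prepare(
        'INSERT INTO remember_tokens (user_id, selector, token_hash, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('isss', $userId, $selector, $hash, $expires);
    $stmt->execute();

    // Adds a Set-Cookie header, so it must run before any HTML is output.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']), // true only when served over HTTPS
        'httponly' => true,                      // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

/** Check the cookie against the table; return the user id, or null if not valid. */
function user_from_remember_cookie(mysqli $conn): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie: treat as absent
    }
    [$selector, $validator] = $parts;

    $stmt = $conn->prepare(
        'SELECT user_id, token_hash FROM remember_tokens WHERE selector = ? AND expires_at > NOW()'
    );
    $stmt->bind_param('s', $selector);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        return null; // unknown or expired selector
    }
    // Compare hash-to-hash in constant time; the clear validator is never in the DB.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// index.php, at the very top, before any output. This is the step post 12 is
// missing: the session is populated from the verified token, then we redirect.
session_start();
$conn = db_connect();
if (empty($_SESSION['valid_user'])) {
    $userId = user_from_remember_cookie($conn);
    if ($userId !== null) {
        session_regenerate_id(true);        // fresh session id on login
        $_SESSION['valid_user'] = $userId;  // adminmember.php now has what it needs
        header('Location: adminmember.php');
        exit;
    }
}
```

The cookie alone never authenticates anyone: the redirect happens only after the row lookup and the hash comparison succeed, which is the point the quoted reply in post 10 makes. Because the rows carry a user_id foreign key, one user can have several rows, one per machine, which answers the "more than one computer" question from post 1 without putting the username in the cookie.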

  13. Suppose we assign a string to a variable $x and then, afterwards, we assign another, different string, again to variable $x. Is the first value, the one we assigned at the beginning, collected by the PHP garbage collector?

  14. OK... now that it is more clear, here is my plan; tell me if it sounds good. In one page I will put the form, with validation functions, and html output (members section). In this page setcookie will be called if the user ticked the remember me box. If a returning visitor comes here, as this will be index.php, he will be redirected to the page described above. And... a second page (member's section) will again contain code relevant to members, same as above. The above is a lot of code to put in one page. Comments...?

  15. Hello. As in a login page with a remember me feature: if the user successfully logs in to the system then you will definitely be redirecting the user to some other page.
    I was trying to make everything fit in the same page; maybe what you are proposing is better.
    You cannot use setcookie before header(location; index.php). It should be after header().
    Are you sure about that? Session start and setcookie, I think, go before headers, unless you are referring to the function header. Thanks
  16. This is the code in a more compact/easier to read form:

    if (isset($_POST['username']) && (isset($_POST['password']))) {
        if (!empty($_POST['remember'])) {
            $conn = db_connect();
            $identifier = uniqid();
            uniqid_to_db($identifier);
            setcookie('cookiename', $identifier, time() + 60 * 60 * 24 * 7, '/', '');
        }
        if (empty($_POST['username']) && (empty($_POST['password']))) {
            throw new Exception('Ουπς, δεν συμπληρώσατε τα στοιχεία -πίσω στην φόρμα λοιπόν για να τα συμπληρώσετε.');
        } else {
            $username = $_POST['username'];
            $passwd = $_POST['password'];
            if (login($username, $passwd)) {
                $_SESSION['valid_user'] = $username;
                output_header('output_header_list', $username);
    ?>
                <div id="cust_icon"><img src="Images/administrator_40.png" alt="πελάτες" /></div>
    <?php
                //output_customers();
                output_buttons();
    ?>
                <div id="leftcolumn" align="center">
                    <div id="calendar_div">
    <?php output_leftside_cal(date('n', strtotime($newdate)), date('n', strtotime($newdate)), date('Y', strtotime($newdate))); ?>
                    </div>
    <?php output_leftbuttons(); ?>
                </div>
                <div id="timeslots">
    <?php output_day(); ?>
                </div>
    <?php
            }
        }
    }

    The above though has a problem with the headers, as you see, since setcookie is called after the headers. So, the problem, in essence, is how I am going to split the code effectively: half above the headers, and half below (the html output). What makes it difficult is the fact that the code above is a big IF statement (whether the user filled in the form) and if I do not split it successfully the logic will be ruined. I think, in this post, I articulate the problem much better.
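One way to make the split the post above asks for is to keep the big IF, but let it only decide: it sets the session, sets the cookie and redirects, and never echoes anything. All the HTML comes after it, so every setcookie() and header() call has run before the first byte of output. The following is an added example, not jimfog's code; login(), output_header(), output_buttons() and db_connect() are the function names used in the thread, and remember_user() stands for whatever stores the token and calls setcookie() (an assumed helper, not defined here).

```php
<?php
// Added example (not the poster's code). Assumes the thread's login(),
// db_connect() and output_header() helpers, plus an assumed remember_user()
// that saves a token for the user and calls setcookie().
session_start();

$error = null;

// Phase 1: decide. Nothing in this block produces output, so headers can
// still be sent from anywhere inside it.
if (isset($_POST['username'], $_POST['password'])) {
    if ($_POST['username'] === '' || $_POST['password'] === '') {
        $error = 'Please fill in both the username and the password.';
    } elseif (login($_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);                 // new session id after login
        $_SESSION['valid_user'] = $_POST['username'];
        if (!empty($_POST['remember'])) {
            remember_user(db_connect(), $_POST['username']); // sets the cookie: still no output
        }
        // Post/Redirect/Get: the browser then loads adminmember.php with a GET,
        // so a page refresh never re-submits the password.
        header('Location: adminmember.php');
        exit;
    } else {
        $error = 'Wrong username or password.';      // same message for both cases
    }
}

// Phase 2: render. From here on only HTML and echo; no more header() calls.
output_header('output_header_list', $_SESSION['valid_user'] ?? null);
?>
<?php if ($error !== null): ?>
    <p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="index.php">
    <input type="text" name="username">
    <input type="password" name="password">
    <label><input type="checkbox" name="remember" value="1"> Remember me</label>
    <button type="submit">Login</button>
</form>
```

With this shape the member's-area markup lives only in adminmember.php, which is reached by redirect in both cases (fresh login, or a valid remember-me cookie), so index.php does not have to carry the member section at all.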

  17. Are you accessing your site over HTTPS? You're telling it to only send that cookie over a secure connection.
    Oh..... d..., what was I thinking? It is on localhost. I will remove that "true" and try again; I will tell you if it works or not.
  18. Before proceeding to the heart of the issue, this code below does not work:

    if (isset($_COOKIE['cookiename'])) {
        echo 'hi';
    } elseif (!empty($_POST['remember'])) {
        $conn = db_connect();
        $identifier = uniqid();
        uniqid_to_db($identifier);
        setcookie('cookiename', $identifier, time() + 60 * 60 * 24 * 7, '/', '', true);
    }
    ?>

    After setting the cookie, and the visitor coming to the site for the second time, I should get a hi string and I don't. I used Fiddler and saw that a cookie was sent with the above name. The statement below:

    isset($_COOKIE['cookiename'])

    doesn't it check if the specified cookie is on the user's PC?
