Would This Login Be Ok?

[MrFish]

I'm trying to make a login that will remember when you are logged in. Sessions don't last when you leave the website and cookies aren't safe (so I've been told) so would this work?-

setCookie("uesrname", $_SESSION["username"], time()*24*60*60*365);

Edit: Sessions die when you leave the page right? I made a login script that used sessions and the session won't die when I leave. Is this new?

[justsomeguy]

Sessions use temporary cookies. Some browsers may delete the temporary cookies for a domain when you just go to another domain, but most of them will only delete them when you close the browser. Temporary cookies definitely do not get deleted when you go to another page on the same domain, that's specifically what sessions are for. The example you're showing is just setting a cookie, what questions do you have about that?

[MrFish]

Well the value of the cookie is a session. I'm trying to get the login to remember the user but I'm not sure of the technique on doing that. I usually like trying to make my own technique, but on something like this I wanted to know what most people did. How I thought of it was-

[before the html tags on every page]If $_SESSION['username'] isn't set then   check if the visitors ip exists in the database	  if not, do nothing.   if true	  see if the "logged" field is true (this is set when you log in. And set false when you log out).		 if false, do nothing		 if true			set a session to the username that corresponds to the ip address.	  end.end.

If you're saying, "wtf is this", I call it concept coding. lol (aka, lazy coding)But if someone had multiple users then they would be screwed.

[justsomeguy]

That's generally referred to as "pseudo-code".You're trying to re-invent a session. Just use the session. You don't need to duplicate the data in other cookies, just use the session to track who is logged in, that's what most people do. If the session expires, they need to log in again. I have some of my applications send ajax requests out periodically to make sure the session never expires, that works fine also. I can leave one of my applications open over night using "temporary" sessions and still be logged in when I come in the next day.It's generally not a good idea to keep track of who is logged in based on IP, because several users can have the same IP or one user's IP can change, and it's a problem keeping track of who is logged in using the database because it can get difficult to reliably determine when someone has actually logged out. If you want to track who has an active session, you can use a custom session handler like this one:http://w3schools.invisionzone.com/index.php?showtopic=9731That will save session information in the database instead of in the default temporary files. You can expand the session table to keep track of specific things you want to be able to look up like the user ID. Right now it will just tell you how many users have been active within a certain number of minutes, you can expand that to also track who is active, not just how many.

[MrFish]

I read your tutorial but it's beyond my level of understanding. hahaAnyway. I think I got it, I was brainstorming and came up with a solution!Instead of storing a username cookie. Store a username AND password cookie! SO SIMPLE ><

if username session doesn't exist   if $_COOKIE['username'] exists	  check if password exists		 if it does			validate if username and password <3 each other			   if it does				  make the the username a session.			if not			   wtf hacker?		  if not			 same ^	  if not		 ah wellz. You should login though :Sif not   same same same same ^endendendend?end??idk

This caused me days of frustration.

[justsomeguy]

Be careful about storing passwords in cookies (especially username/password pairs) - cookies are just plain text files. There's no security involved with a cookie, if you want to encrypt the password you need to do that manually.