justsomeguy Posted August 15, 2012

There's a good thread here describing various aspects surrounding logging in users: http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication#477579
jimfog Posted August 21, 2012 (Author)

> You need to set the session cookie to expire with the session data itself. Otherwise, it expires when the browser closes.

You said "when the browser closes". Does the above also include when the tab closes?
birbal Posted August 21, 2012

No, it does not include tabs; the session works with each process the browser starts. Closing a tab does not close the process, closing the browser does.
jimfog Posted August 23, 2012 (Author)

> There's a good thread here describing various aspects surrounding logging in users: http://stackoverflow...tication#477579

I read this thread, not all of it, just the section about the "remember me" functionality. The article is very good but it only deals with the theory. I need to know (coding, functions, etc.) how I am going to set a persistent cookie in the user's browser so that, as stated above, he will be automatically logged in when he visits the site.
birbal Posted August 23, 2012 (edited)

It is done by setting another cookie using setcookie(), where you can set the lifespan of your cookie. That cookie will hold a hashed key of mixed data like username, the time it is set, partial password etc., but the hash should have a different value from the hashed password. In the database you will have two columns, one for that remember me token and one for the timestamp of when it was set. In your login script you will check whether the user is logged in or not. If not, then you will look for the existence of the cookie; if it does exist, query the value in the database and pull the timestamp of the token. You will then compare the timestamp with the current timestamp; if it is within a certain amount of time, make your user authenticated. When the user logs out, make sure to delete the tokens in the database and also the cookies.

The link you just read has information about the risks of using a persistent cookie for authentication. It is just like a password; still it is risky against cookie theft. Our browser has by default a feature called "remember me" which serves the purpose well with better security.

http://php.net/setcookie

Edited August 23, 2012 by birbal
jimfog Posted August 23, 2012 (Author)

I just briefly looked at the tutorial on php.net about setcookie. Before proceeding and setting a persistent cookie I want to ask a question. According to the tutorial the function should be called before any output, meaning the cookie should be sent before the browser starts the output. So far I used a temporary cookie (session expired upon closing of the browser). I start the session with the function session start (which also sends a cookie to the browser). I place the function AFTER the head section of the site; nonetheless, so far I have not gotten any error message about the cookie being sent after output has begun. Does this restriction about sending the cookie before the output hold only for the setcookie function?
birbal Posted August 23, 2012

A session cookie is also a cookie. Every cookie goes with the headers, so once the headers are sent when output has started in the browser, there is no way to send back the cookie on the same request. This rule applies to every cookie, session cookie or ordinary cookie. The reason you are not getting any error could be that you are using output buffering or your php.ini setting is set to implicitly enable output buffering.
jimfog Posted August 23, 2012 (Author)

> The reason you are not getting any error could be you are using output buffering or your php.ini setting is set to implicitly enable output buffering.

I have not made any adjustments regarding output buffering, but just to be certain here is a code example. I want you to tell me if session start is positioned wrongly:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Appointmetns24x7</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <link rel="stylesheet" href="css/admingeneral.css"/>
  <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
  <script type="text/javascript" src="js/js-code.js"></script>
</head>
<?php
require_once 'output_functions.php';
session_start();
$logout = '<li><a href="logout.php">Αποσύνδεση</a></li>';
?>
<body>
```

According to you, judging from where I have placed session_start, I should get an error. Correct?
birbal Posted August 23, 2012

It should be above all, above the DOCTYPE declaration. Yes, you should get an error (assuming you have enabled display_error and set error_reporting to E_ALL). If you can still use the session and your code works properly, it is "output_buffering" which is doing this. You can check your php.ini for this directive and whether it is enabled. It could have been enabled previously.
jimfog Posted August 23, 2012 (Author, edited)

I found this, related to the output buffering:

output_buffering = 4096

Am I correct to assume that it is ON and that is the reason I do not get the error message?

Yes, this was the reason after all that I did not get the error: output buffering. Now I get the error.

Edited August 23, 2012 by jimfog
birbal Posted August 23, 2012

> output_buffering = 4096

It is the maximum buffer size for the output buffer: http://php.net/manual/en/outcontrol.configuration.php
jimfog Posted August 27, 2012 (Author, edited)

> You need to call that function before you call session_start on every page, if you've already started the session on another page without changing the cookie parameters I don't think it will have any effect to try and do it later..

Isn't it enough to use setcookie() on the first page the user visits (usually the home page) and then subsequently use just session start on the rest of the pages of the site? Using setcookie more than once is like sending multiple cookies to the browser. Is it OK to do that?

> It is done by setting another cookie using setcookie() where yyou can set the lifespan of your cookie. that cookie will hold hashed key of mixed data like username

Regarding the above statement: how am I going to use setcookie to hold the username? The PHP manual mentions things like name, value, time span etc., but where exactly does the username "go"?

Edited August 27, 2012 by jimfog
birbal Posted August 27, 2012

> Using setcookie more than once is like sending multiple cookies to the browser-is it OK to do that?

You can set as many cookies as you want, but they have to be sent before any output has been made. setcookie() is not responsible for the session cookie. session_set_cookie_params() is the option for handling the session cookie. When you use a session, the session cookie is handled automatically with the help of the parameters you set, so session_set_cookie_params() should be used before you use the session and before you use session_start().

> Regarding the above statement. How am I going to use setcookie to hold the username, in the php manual it mentions things, like name,value,time span etc...but where exactly does username "goes"

The 'value' will hold the hash of the username and other things which will identify a user. A cookie works with a name-value pair.
jimfog Posted August 27, 2012 (Author, edited)

> setcookie() is not responsible for session cookie. session_set_cookie_params() is the options for handling session cookie. when you use session , session cookie handle automaticly with the help of the parameter you set. so session_set_cookie_params() should have use before you use session and before you use session_start()

Then if setcookie() is not used for the session, what is it used for? Is it maybe that setcookie sends ONLY the cookie? Setcookie has the expire property and session_set_cookie_parameters has the lifetime property. Are these properties the same? It is difficult to understand from what the php.net manual says. You also say that "value" will hold the hash of the username. Yes, but the "value" property is found ONLY in setcookie() and NOT in session_set_cookie_params.

Edited August 27, 2012 by jimfog
birbal Posted August 27, 2012 (edited)

> Then if setcookie() is not used for the session, what is it used for? Is it maybe the setcookie sends ONLY the cookie?

Yes, it is only for (ordinary) cookies.

> Are these properties the same?

Yes.

> You say also that "value" will hold the hash of the username-yes, but the "value " property is found ONLY setcookie() and NOT in session_set_cookie-params.

Because every time, for the session cookie, "name" is the session name you have set (e.g. PHPSESSID by default) and value is the session id which PHP generates or received (e.g. some alphanumeric number). PHP knows what its value is and what to set it to. There is no exception for that, so there is no other option for value in the session cookie params.

Edited August 27, 2012 by birbal
jimfog Posted August 27, 2012 (Author)

Ok, all in all, to implement the "remember me" option do I need both setcookie and session_parameters functions? And the username hash will go to setcookie.
justsomeguy Posted August 27, 2012

No, you don't need both. Those cookies are just regular cookies, not session cookies. I've never seen someone use a session cookie to remember a user long-term. Persistent login cookies usually require more security than a cookie with just a session ID (that would be similar to a cookie with just a user ID, which is easy to impersonate without any extra security).
jimfog Posted August 28, 2012 (Author)

Then what am I going to do in order to remember the cookie long-term, if session cookies are not the solution to it?
birbal Posted August 28, 2012

> Then what I am going to do in order to remember the cookie long -term,if session cookies is not the solution to it?

No, you don't need both. Those cookies are just regular cookies, not session cookies
thescientist Posted August 28, 2012

Use a regular cookie, like birbal and JSG have been trying to explain to you.
jimfog Posted August 28, 2012 (Author)

> use a regular cookie, like birbal and JSG have been trying to explain to you

Ok, the truth is that I got "lost" in this topic as to what I have to do. Regular cookies are the way to go after all.
justsomeguy Posted August 28, 2012

You actually use both. You use a session like you normally do, a session doesn't replace a persistent login cookie and vice-versa. You still use the session the way you always have, to store information related to the current session. The persistent login cookie is only needed if someone shows up who isn't logged in. You check to see if that cookie exists before sending them to the login page.
jimfog Posted August 28, 2012 (Author)

So, as I have understood so far: session cookie to "transfer" data from page to page and ordinary cookie to deploy the persistent connection mechanism.
justsomeguy Posted August 28, 2012

Right. What you use the session for is not affected in any way by the presence of a persistent login cookie.
jimfog Posted August 28, 2012 (Author)

AT LAST, things are clear now. Now to convert it to code...
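
The flow the thread settles on (normal session, plus a regular cookie checked only when nobody is logged in, a timestamp in the database, and deletion on logout), as an added example that is not code from any poster. It swaps the hash of username/time/partial password described above for a random token whose SHA-256 hash is stored server-side; the table, cookie and function names are assumptions, and the `setcookie()` options array needs PHP 7.3 or later.

```php
<?php
// Added example. Assumed schema (not from the thread):
//   CREATE TABLE remember_tokens (user_id INT, token_hash CHAR(64), created_at INT);
// Assumes session_start() has already run, before any output.
const REMEMBER_COOKIE = 'remember_me';      // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;  // assumed lifetime: 30 days

// After a successful password login with "remember me" ticked.
function issueRememberToken(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32));     // random, not derived from user data
    $db->prepare('INSERT INTO remember_tokens (user_id, token_hash, created_at)
                  VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time()]);
    setcookie(REMEMBER_COOKIE, $token, [    // must run before any output
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// When the session has no logged-in user: returns the user id, or null.
function loginFromRememberCookie(PDO $db): ?int
{
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!is_string($token) || $token === '') {
        return null;                        // no cookie: show the login page
    }
    $stmt = $db->prepare('SELECT user_id, created_at FROM remember_tokens
                          WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int) $row['created_at'] > REMEMBER_TTL) {
        return null;                        // unknown or expired token
    }
    session_regenerate_id(true);            // fresh session id on login
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}

// On logout: delete the database row and the cookie.
function forgetRememberToken(PDO $db): void
{
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (is_string($token) && $token !== '') {
        $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')
           ->execute([hash('sha256', $token)]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Storing only the hash means a leaked table does not hand out usable cookies, and the `secure`/`httponly` flags narrow the cookie-theft risk raised in the thread.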