
cookie update problem


jimfog


I have set up a mechanism such that when a returning visitor comes to the site he gets a new cookie and the old one is invalidated. Nothing strange here, it works OK. Apart from the above, when a visitor comes to the site (a new visitor) and goes not to the home page but to another one, there is a function there that also checks for a cookie and, if present, shows member-related content (in which case a brand new cookie is assigned); if not present, it shows the login form. And here is the problem: if a returning visitor goes to the home page and then to the 2nd page mentioned above, a new cookie will be issued twice, which is redundant of course. What can I do to avoid the above redundant code? A "shortcut", I mean. Checking for a cookie is needed in every page of the site for the case where the user might go directly to a page other than the home page. I am thinking that maybe the solution is that I invalidate the cookie only when the user "lands" on the home page. What do you think?


You will check the persistent cookie only if the user is not logged in. The first time users land on your page they have no session started, so the persistent cookie makes them authenticated and issues an authenticated session. The next time, inside a certain timespan, if the user visits again, as he has a session started already, it won't check the persistent cookie. You should append the whole remember-me code at the top of every page. Users will not necessarily land on the home page. They may have bookmarked some other page of your site and they want to remember the user whenever he visits the page.


You will check the persistent cookie only if the user is not logged in.
How am I going to check that? By checking if the session array is empty? Yes, this is the way to go, I think: checking the session array. If you have something to suggest about how I check that the user is logged in, I am listening.
Edited by jimfog

Checking whether the session is empty or not will work, but it has a limitation (e.g. you have to store something in the session for both guests and registered members; it won't work). But it is better to have a dedicated authenticated variable (boolean field) to indicate whether the user is logged in or not, like $_SESSION['authenticated']=true;. Some people check the existence of the user id which was issued after a successful login.


Checking whether the session is empty or not will work, but it has a limitation (e.g. you have to store something in the session for both guests and registered members; it won't work).
I did not quite get that. If someone comes and is logged out (a registered member) I will initiate a session at that point, plus I will issue the cookie. If a guest comes, no session initiation at all, unless you are trying to say something else.
But it is better to have a dedicated authenticated variable (boolean field) to indicate whether the user is logged in or not, like $_SESSION['authenticated']=true;. Some people check the existence of the user id which was issued after a successful login.
I understood that. So besides the cookie and session initiation, you mean that I also have to set a variable that will serve as an indication of whether the user is logged in or not.

I did not quite get that. If someone comes and is logged out (a registered member) I will initiate a session at that point, plus I will issue the cookie. If a guest comes, no session initiation at all, unless you are trying to say something else.
It was just an example case. You don't necessarily have to give guests sessions. As an example, an application I developed needed to keep track of guests, so I gave sessions to the guests and set authentication to false, whereas registered members got "true". Other than that, there are also other possibilities. As a rule of thumb it is better to have a unit handle one specific task; it helps to keep things separate, increases maintainability and reduces the chances of breaking your application when your code grows. $_SESSION['authenticate'] will handle only the check of the user's authentication and nothing else.

No session does not work, because the user might be logged in but the session not started. This happens when the returning visitor goes to a page other than home. Below is the code I used:

if (!isset($_SESSION['valid_user']))
{
    output_login_form();
    exit;
}

I will just check for the existence of the cookie or not and act accordingly.

Edited by jimfog

because the user might be logged in but the session not started.
It is not possible if you are using a session-based login system. When the user is logged in you are basically giving them an authenticated session, which is not possible without starting the session.
Pseudocode:
if (!isset($_SESSION['valid_user']))
{
    // check the remember me token
    // if it is true update the token, make user login, give them session, redirect to destination page
    // if false show up the login form
    output_login_form();
    exit;
}

Edited by birbal

It is not possible if you are using a session-based login system. When the user is logged in you are basically giving them an authenticated session, which is not possible without starting the session.
Yes, you are right about that. I meant something else: when the user goes to a page other than the home page, even though he might have a cookie (which means he is "logged in", in the sense that he does not need to enter pass/username), the session code is located in the home page only (assignment in a session array), since no session assignment takes place in the page other than home, so session is started... The previously described scheme is wrong, of course. Session array assignment must be done in every page since the visitor might go there directly.
Pseudocode:
if (!isset($_SESSION['valid_user']))
{
    // check the remember me token
    // if it is true update the token, make user login, give them session, redirect to destination page
    // if false show up the login form
    output_login_form();
    exit;
}

Here is my pseudocode... I do not know if it's the right one though:
if (!isset($_COOKIE['cookiename']))
{
    output_login_form();
    exit;
}
elseif ((isset($_COOKIE['cookiename'])) && (!isset($_SESSION['valid_user']))) // this is what I was describing above
{
    // check username against db
    // if correct, update cookie and start session
}

What do you think about the pseudocode above?
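
The flow the thread converges on (session flag checked first, persistent cookie used only as a fallback, cookie rotated only on that fallback), as an added example that is not part of the original posts. The function names, the `remember` cookie name and the in-memory `$store` standing in for a database table are assumptions; on a real page the arrays would be `$_SESSION` and `$_COOKIE`, and the returned value would be sent with `setcookie()`.

```php
<?php
// Added example: require_login, issue_token, $store and 'remember' are hypothetical names.
// $store stands in for a DB table: selector => [user, sha256(validator)].

function issue_token(array &$store, string $user): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    // Only a hash of the validator is stored, so a leaked table cannot be replayed.
    $store[$selector] = ['user' => $user, 'hash' => hash('sha256', $validator)];
    return $selector . ':' . $validator;           // value to place in the cookie
}

// Returns [user|null, new cookie value|null]. Call at the top of every page.
function require_login(array &$session, array $cookies, array &$store): array
{
    // 1. Already authenticated in this session: leave the cookie alone.
    if (!empty($session['authenticated'])) {
        return [$session['valid_user'], null];
    }
    // 2. No session login yet: fall back to the persistent cookie.
    $parts = explode(':', $cookies['remember'] ?? '', 2);
    if (count($parts) === 2 && isset($store[$parts[0]])) {
        $row = $store[$parts[0]];
        unset($store[$parts[0]]);                   // old token is invalidated either way
        if (hash_equals($row['hash'], hash('sha256', $parts[1]))) {
            // On a real page, call session_regenerate_id(true) at this point.
            $session['authenticated'] = true;
            $session['valid_user']    = $row['user'];
            return [$row['user'], issue_token($store, $row['user'])];
        }
    }
    // 3. Neither session nor valid cookie: caller shows the login form and exits.
    return [null, null];
}

// Constructed walk-through: a returning visitor opens home, then a second page.
$store = [];
$session = [];
$cookie = issue_token($store, 'alice');
[$u1, $c1] = require_login($session, ['remember' => $cookie], $store); // cookie rotated
[$u2, $c2] = require_login($session, ['remember' => $c1], $store);     // session hit, no rotation
var_dump($u1 === 'alice', $c1 !== null && $c1 !== $cookie, $c2 === null);
```

Because the session flag is consulted first, the second page view does not reissue the cookie, which is the redundancy the opening post asks about.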
