Solved

after login, stay logged in

Posted on 2013-06-10
5
157 Views
Last Modified: 2013-06-12
how to set a cookie
and have a cookie be a user_id

for example

select * from users where user_id=4
select * from users where user_id='.$_cookie['user_id'].'
0
Comment
Question by:rgb192
  • 2
  • 2
5 Comments
 
LVL 18

Assisted Solution

by:Matthew Kelly
Matthew Kelly earned 167 total points
ID: 39236389
Using cookies to store user_id information would be a huge security flaw because cookies can so easily be changed on the end user system. Most browsers allow for cookie manipulation and so a user could create a cookie and change the "user_id" on to whatever ID they wanted.

Is there a reason you couldn't use sessions? http://php.net/manual/en/features.sessions.php

This would store the information on the server and keep it from being manipulated on the end user machine.

Doing the cookie is easy, examples here, but not recommended for login information:
http://www.w3schools.com/php/func_http_setcookie.asp
http://php.net/manual/en/function.setcookie.php
0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 333 total points
ID: 39236521
$_cookie['user_id'].'
Possible problem here... PHP variable names are case-sensitive.  $_cookie != $_COOKIE.

This article shows how to do everything associated with the question.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

Sessions expire very "soon" and that is why there is a "remember me" feature in the article.  After you have read it over, please post back if there is anything you do not understand.

best, ~Ray
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39239761
Ok, definitely follow Ray's article.

To further point out the security issue with saving the user id to a cookie; Ray's code uses a hash in the cookie, not the user_id, to prevent someone from just guessing a user_id's of other user.
$uuk = md5($uid . $pwd . rand());
0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 333 total points
ID: 39240715
As background information that may help understand some of the nuances of using cookies, this article could be helpful.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

If you want to reduce the risk that a client will tamper with a cookie, you can do something like this.

<?php // RAY_cookie_safety.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING


// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);



// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP



// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH YOUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    if ($cookie_test == $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}




// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUT SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    if ($cookie_test == $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo"<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}

Open in new window

Best to all, over and out, ~Ray
0
 

Author Closing Comment

by:rgb192
ID: 39241502
these were answers I used.

and thank you for teaching me about finding a corrupt cookie
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These days socially coordinated efforts have turned into a critical requirement for enterprises.
This article discusses four methods for overlaying images in a container on a web page
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question