Using cookies to remember a login

I would like to use cookies to remember a login.

I know how to use sessions but not cookies.

Do you use both at the same time?

If you want to post a brief example I would really dig that.
burnedfaceless Asked:

Julian Hansen Commented:
"I know how to use sessions but not cookies."
Sessions use cookies.
The session ID (most of the time) is saved to a cookie.

All you do on the server is save your session key (you need one for a login - no matter what you do - a unique key that links the user to server side state) to a cookie like so (setcookie())
define('SESSION_NAME','WhatYouWantYourCookieValueToBeCalled');
// REPLACE WITH YOUR LOGIN FUNCTION
$session_key = loginUser($username, $password);

// VALID LOGIN?
if ($session_key) {
  // SET THE COOKIE
  setcookie(SESSION_NAME, $session_key, time() + 3600, '/');
}
else {
  // handle login failure here
}
// NOTE: NO BROWSER OUTPUT TO HAPPEN BEFORE HERE


On protected page
// CHECK IF COOKIE EXISTS AND GET IT IF IT DOES
$session_key = isset($_COOKIE[SESSION_NAME]) ? $_COOKIE[SESSION_NAME] : false;

// NO KEY - NOT LOGGED IN - BOUNCE TO LOGIN PAGE
if (!$session_key) {
   header('location: login.html');
   exit; // STOP HERE SO THE REST OF THE PROTECTED PAGE DOES NOT RUN
}

// IF YOU GET HERE - USER SESSION IS VALID
// OPTIONALLY RESET THE TIMEOUT ON THE SESSION
setcookie(SESSION_NAME, $session_key, time() + 3600, '/');

// NOTE: NO BROWSER OUTPUT TO HAPPEN BEFORE HERE


NB: You must not do anything that will result in output being sent to the browser before the above code completes otherwise the setcookie and redirect (header()) will fail.
 
burnedfaceless Author Commented:
That was excellent - I have one more question - if I want the user to stay logged in for a year

Then I multiply time() * 60 * 60 * 24 * 365 correct?


Thanks - Google was giving me some really bad old examples from early PHP 5
 
burnedfaceless Author Commented:
Awesome man disregard my last question
 
Julian Hansen Commented:
You are welcome.
 
Julian Hansen Commented:
Just as an addendum to my answer - to properly determine user login state it is a good idea to validate the session token - in other words checking for existence alone is not good enough so,
// CHECK IF COOKIE EXISTS AND GET IT IF IT DOES
$session_key = isset($_COOKIE[SESSION_NAME]) ? $_COOKIE[SESSION_NAME] : false;

// NO VALID KEY - NOT LOGGED IN - BOUNCE TO LOGIN PAGE
// SPECIFICALLY CHECK THAT THE SESSION KEY IS VALID
// DONT JUST CHECK FOR EXISTENCE
if (!isSessionValid($session_key)) {
   header('location: login.html');
   exit; // STOP HERE SO THE REST OF THE PROTECTED PAGE DOES NOT RUN
}

// IF YOU GET HERE - USER SESSION IS VALID
// OPTIONALLY RESET THE TIMEOUT ON THE SESSION
setcookie(SESSION_NAME, $session_key, time() + 3600, '/');

// NOTE: NO BROWSER OUTPUT TO HAPPEN BEFORE HERE


isSessionValid is a custom function that would be specific to your user authentication scheme.
Question has a verified solution.
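
One way the isSessionValid check from the last comment could be written, as an added example that is not part of the original answers: the token is random, only its hash is kept server side, and expiry is enforced on the server rather than trusted from the cookie. The in-memory $store (a stand-in for a database table), the extra parameters, and the helper names issueSessionToken and sessionCookieOptions are assumptions.

```php
<?php
// Added example. $store stands in for a database table keyed by token hash;
// the helper names and the 64-hex-character token format are assumptions.
const SESSION_NAME = 'WhatYouWantYourCookieValueToBeCalled';
const SESSION_TTL  = 3600; // seconds, same lifetime as the cookie in the answer

// Create a random token, keep only its SHA-256 hash server side, return the raw token.
function issueSessionToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + SESSION_TTL];
    return $token;
}

// True only for a well-formed token that is known and unexpired on the server.
function isSessionValid(array $store, $token, int $now): bool
{
    // Reject a missing, non-string or malformed cookie value before any lookup.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;
    }
    $row = $store[hash('sha256', $token)] ?? null;
    // The cookie's own expiry is client-controlled, so the server-side one decides.
    return $row !== null && $row['expires'] > $now;
}

// Attributes for the session cookie (the options array needs PHP 7.3 or later).
function sessionCookieOptions(int $now): array
{
    return ['expires' => $now + SESSION_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed demonstration, runnable from the command line.
$store = [];
$now   = time();
$token = issueSessionToken($store, 42, $now);
var_dump(isSessionValid($store, $token, $now));                   // token just issued
var_dump(isSessionValid($store, str_repeat('a', 64), $now));      // well-formed but never issued
var_dump(isSessionValid($store, false, $now));                    // no cookie sent
var_dump(isSessionValid($store, $token, $now + SESSION_TTL + 1)); // after server-side expiry
// In a web request: setcookie(SESSION_NAME, $token, sessionCookieOptions($now));
```

Storing only the hash means a leaked session table does not hand out usable cookie values.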
