Php flat file login cookie

[jasonyo]

I really need some help with my game website, www.freedomodds.com/jasonyo, and its login. I just need an easy code to add to my already complicated flat file login code, so that it doesnt log out the user everytime they exit the browser. thanks =]

Edit-Im glad to see so many people posting on this question...

[root]

you can set a cookie.

I assume that at the moment you're setting a session cookie, I'll see if I can dg out some code for this, though it's been a while wince I wrote any logon scripts.

[burn420]

Well it has been a few days... as the dude above me said... Sessions... I wrote a php script for 3 different login environments, in only 225 lines... It's pretty easy to do a login script... But if your gonna use straight cookies... its not hard to do that either... Honestly I don't use the cookies for anything other then the session id... put the rest on your server not the client side... More secure that way...

[Daeva]

When the user log's in, you should create a session variable (it's very inefficient and insecure as others mentioned to save a lot of session information in a cookie). Of course, sessions will expire if they close the browser window, so what you could do is something like this:

PHP Code:

<?php
   //include files
   session_start();
   if(isset($_SESSION['userName'])) {
       // We're good to go, do nothing
   } else {
     if(isset($_COOKIE['UN']) { // if we find the cookie on their machine
       if (md5($yourUserNameVarialbe) == $_COOKIE['UN']) { // compare the md5 of the current entered username and the md5 of the cookie
         $_SESSION['userName'] = $yourUserNameVariable;
       } else {
         $_SESSION['userName'] = "yourUserNameVariable";
         // set a cookie with encrypted data that expires in 1 day
         setcookie("UN", md5($_SESSION['userName'], time()+86400);
       } // end if/else
     } // end if/else
   } // end if/else
?>

This isn't a complete code listing, but I just wrote it so you get the idea of the logic involved. You can add any bells and whistles to it that you want.

Just as a side note, one little GOTCHA is to make sure that you print nothing to the screen before you call setcookie, otherwise it will fail (because the response has already been sent by the server, which is the time when cookies are sent).

I know the code isn't perfect, but my goal wasn't to write a whole session and cookie management script. There are other factors to consider, such as:
1.) When you md5, there is no "reverse" md5. You can only go to md5 and compare, not from and compare. You might want to consider storing the username in plain text and use the unique php session id all within the cookie.
2.) What is a safe amount of time to save the cookie?
3.) Would it be a better idea to manage saved sessions via IP Address of the client's computer and save that in a database.

Just some things to consider, hope this helps.

[vampist]

I would advise reading up on php sessions and not using that code above.
Don't use cookies let php use the cookies. Only set the session variables.

the only cookie you should set yourself is the users username so next time they log in they won't have to type it again.

Not to say that the code above isn't OK I would just advise looking it over.

[burn420]

I would agree with Vampist... Also I would recommend using sha1 for your password encryption... something easy would be :

Quote:

if (!isset($_SESSION['UserName'])) {
if (isset($_POST['Signon'])) {
$UserName = $_POST['UserName'];
$Pass = sha1($_POST['Pass']);
//Check to make sure it is correct
if (Login == false) {
echo "Wrong UserName";
LoginBox();
}
else {
LoggedInBox();
}
}
else {
LoginBox();
}
}
else {
LoggedInBox();
}

Quick psedo code that would almost work lol...

[root]

Quote:

Originally Posted by Daeva

Just as a side note, one little GOTCHA is to make sure that you print nothing to the screen before you call setcookie, otherwise it will fail (because the response has already been sent by the server, which is the time when cookies are sent).

I think that you can get around this either by setting output buffering to on using the php.ini file or by called in the ob_start() function at the start of the file.

I don't currently have an environment setup to test this, so you'll have to readup on it yourself.