Forum Topic: [php] Cookie Problem

(264 views • 16 replies)


Nishinku


Posted at: 11/4/09 12:22 PM

Nishinku EVIL LEVEL 06

Sign-Up: 11/10/05

Posts: 49

Ok, I'll try to make this as simple as possible.
I'm making a login system, and for that I'm making a function which makes it possible to stay logged in.

So for this purpose I want to use cookies (first time I'm using them, silly I know).

Basically the procedure takes place over 3 documents:
a start.php (wrapped around all pages and contains the HTML headers and so forth)
a login.php (the page with the login form)
and a cookin.php (the page which sets the cookie)

Ok so in login.php I start a session for the login containing the user id from the database.
After setting the session ($_SESSION['theuser']) it jumps to cookin.php where it sets a variable before start.php called $storecookie = 1; then in the start.php (before <html>) I have an if statement:
<?php if ($storecookie == 1) { setcookie("userlogincookie", $_SESSION['theuser'], time()+60*60*24*30); } ?>

and then later down in the start.php I have
if (isset($_COOKIE['userlogincookie'])) {
$theusersid = $_COOKIE['userlogincookie'];
}
and if the page gets fed a $theusersid it looks it up in the DB and tells the page that that user is logged in.

I did it the same way before where login.php just jumped directly to the front page and it then checked for a $_SESSION in the start.php instead of a cookie, and that worked perfectly (besides that it logged you out every time you closed the browser ofc.)

Anyway, the problem is that every time I go to another page or close the browser it logs out again. As if the cookie didn't get stored right.

I hope someone will be able to help me with this.


Nishinku


Posted at: 11/4/09 12:39 PM

Nishinku EVIL LEVEL 06

Sign-Up: 11/10/05

Posts: 49

Starting to think it might be server related, because it also started not storing sessions correctly. And when I went to my server's phpMyAdmin it also had trouble saving the session.
So I hope it's my host fucking up ^^

Still if any of you see a problem please do tell!


Super-Yombario


Posted at: 11/5/09 04:57 PM

Super-Yombario FAB LEVEL 06

Sign-Up: 03/16/07

Posts: 1,173

At 11/4/09 12:39 PM, Nishinku wrote:
So i hope its my host fucking up ^^

Certainly not the right thing to think, any way around. If so it'll likely take a long time to fix, whereas your code can take minutes to fix.

RIP Ed McMahon - RIP Farrah Fawcett - RIP Michael Jackson
But wait, there's more...
RIP Billy Mays



henke37


Posted at: 11/6/09 01:50 AM

henke37 NEUTRAL LEVEL 23

Sign-Up: 09/10/04

Posts: 3,590

Why are you even using cookies here? The session system is doing a far better job than you are doing with the cookie. For example, it does not let the user tamper with the data.

Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.



Nishinku


Posted at: 11/8/09 10:48 AM

Nishinku EVIL LEVEL 06

Sign-Up: 11/10/05

Posts: 49

At 11/6/09 01:50 AM, henke37 wrote: Why are you even using cookies here? The session system is doing a far better job than you are doing with the cookie. For example, it does not let the user tamper with the data.

Sessions close alongside the browser. And I think users should have the possibility to stay logged in instead of having to log in every single time.


henke37


Posted at: 11/8/09 12:03 PM

henke37 NEUTRAL LEVEL 23

Sign-Up: 09/10/04

Posts: 3,590

Good idea, horrible execution. You are missing the fact that cookies are read and sent by the client. You can not trust the client with the userid to be logged in as.

Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.



BillysProgrammer


Posted at: 11/9/09 06:03 AM

BillysProgrammer LIGHT LEVEL 16

Sign-Up: 09/17/08

Posts: 2,096

The most you should do with cookies that has to do with the login system would be a "remember me" kind of thing. If they choose, say, a textbox, then they will have their email (or username) stored, possibly their password, and when they view the page again after they close the browser, the cookie would embed its contents into the input area specified.

This stops them from changing it around to affect others; now, if they change it around, it only affects themselves.



Deja-Vu


Posted at: 11/9/09 03:07 PM

Deja-Vu NEUTRAL LEVEL 25

Sign-Up: 05/03/02

Posts: 556

Ensure you have cookies enabled in your browser. Secondly, paste your full code if possible. Are you getting any PHP errors?

At 11/4/09 12:22 PM, Nishinku wrote: ok so in login.php i start a session for the login containing the user id from the database.

Don't do this. Ever. All it takes is for somebody to modify the cookie and they will then be able to log in as any other user (granted your user ids are sequential, e.g. an auto-incremented primary key). If you really need to save their state, store a unique, non-sequential string such as a session id or anything similar that cannot be enumerated.

At 11/9/09 06:03 AM, BillysProgrammer wrote: The most you should do with cookies that has to do with the login system would be a "remember me" kind of thing. If they choose, say, a textbox, then they will have their email (or username) stored, possibly their password, and when they view the page again after they close the browser, the cookie would embed its contents into the input area specified.

A "remember me" function should, at most, store the username only. NEVER store the password in a cookie.

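Deja-Vu's advice above (a random, non-enumerable string in the cookie instead of the user id), worked through beside the original pattern as an added example; this is not code from the thread, and it assumes PHP 7.3+, a PDO handle $db and a hypothetical table remember_tokens(selector, validator_hash, user_id, expires).

```php
<?php
// Added example, not the thread's code. Assumes a PDO handle $db and a hypothetical
// table remember_tokens(selector, validator_hash, user_id, expires).

// Original pattern from the first post: the cookie IS the user id, so the client
// decides who it is logged in as; editing the cookie is enough to become another user.
function userFromIdCookie(): ?int {
    return isset($_COOKIE['userlogincookie']) ? (int) $_COOKIE['userlogincookie'] : null;
}

// Hardened pattern: the cookie holds a random selector plus a random validator.
// Only a hash of the validator is stored, so a DB leak does not yield usable cookies,
// and 32 random bytes cannot be enumerated the way an auto-increment id can.
function issueRememberCookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret part; the DB only sees its hash
    $expires   = time() + 60 * 60 * 24 * 30; // 30 days, as in the original post
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/',
        'secure' => true,     // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Looks the selector up, then compares the validator hash in constant time.
// The user id comes from the DB row, never from the cookie itself.
function userFromRememberCookie(PDO $db): ?int {
    if (!isset($_COOKIE['remember'])) {
        return null;
    }
    $parts = explode(':', $_COOKIE['remember'], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

In start.php the original $_COOKIE['userlogincookie'] read would be replaced by userFromRememberCookie($db), and a session should be started from the returned id (with session_regenerate_id()) rather than re-trusting the cookie on every page.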

BillysProgrammer


Posted at: 11/10/09 06:54 AM

BillysProgrammer LIGHT LEVEL 16

Sign-Up: 09/17/08

Posts: 2,096

At 11/9/09 03:07 PM, Deja-Vu wrote:
At 11/9/09 06:03 AM, BillysProgrammer wrote: The most you should do with cookies that has to do with the login system would be a "remember me" kind of thing. If they choose, say, a textbox, then they will have their email (or username) stored, possibly their password, and when they view the page again after they close the browser, the cookie would embed its contents into the input area specified.
A "remember me" function should, at most, store the username only. NEVER store the password in a cookie.

A lot of sites these days have a "remember me" function that stores both for an easy login, just like YouTube. People who want to use this function should be aware, and most likely are, that if someone really wanted to get into your internet files and find the cookie, they will do it; you cannot protect yourself from it (to a point).

The only reason why I stated that you can use it for a password is just for easy access for users. Safety is my #1 priority, but when it comes down to ease of use, you're going to have to throw it out the window just a bit.



Deja-Vu


Posted at: 11/10/09 08:22 AM

Deja-Vu NEUTRAL LEVEL 25

Sign-Up: 05/03/02

Posts: 556

At 11/10/09 06:54 AM, BillysProgrammer wrote: The only reason why I stated that you can use it for a password is just for easy access for users. Safety is my #1 priority, but when it comes down to ease of use, you're going to have to throw it out the window just a bit.

For regular sites it's probably fine, but for anything secure or that involves personal information it should be avoided. You will notice sites like Google have the remember functionality but only remember your username; it still prompts you for your password once your session has expired.


urbn


Posted at: 11/10/09 09:30 AM

urbn FAB LEVEL 18

Sign-Up: 06/10/07

Posts: 2,304

At 11/10/09 08:22 AM, Deja-Vu wrote: You will notice sites like Google have the remember functionality but only remember your username; it still prompts you for your password once your session has expired.

Google Mail has remember me, and it remembers me for a month without needing to enter a password for that whole month?


BillysProgrammer


Posted at: 11/10/09 10:21 AM

BillysProgrammer LIGHT LEVEL 16

Sign-Up: 09/17/08

Posts: 2,096

At 11/10/09 08:22 AM, Deja-Vu wrote: For regular sites it's probably fine, but for anything secure or that involves personal information it should be avoided. You will notice sites like Google have the remember functionality but only remember your username; it still prompts you for your password once your session has expired.

Yeah, usually large sites like that, which are more prone to attackers, would not keep a password cookie for exactly that reason, but since there aren't a large number of sites like that compared to how many personal sites there are, most will stick to username and password cookies for the remember me function.

At 11/10/09 09:30 AM, urbn wrote:
At 11/10/09 08:22 AM, Deja-Vu wrote: You will notice sites like Google have the remember functionality but only remember your username; it still prompts you for your password once your session has expired.
Google Mail has remember me, and it remembers me for a month without needing to enter a password for that whole month?

I'm pretty sure Google Mail offers the option to take that out, but I am not completely sure since I do not use that program. Hotmail, Google Mail, Yahoo Mail, and AIM all do the same thing because people want to get into their mail with ease, and they are not prone to attacks as often.



Nishinku


Posted at: 11/11/09 02:47 AM

Nishinku EVIL LEVEL 06

Sign-Up: 11/10/05

Posts: 49

At 11/9/09 03:07 PM, Deja-Vu wrote: Ensure you have cookies enabled in your browser. Secondly, paste your full code if possible. Are you getting any PHP errors?

Nope, no errors.

And just to clarify for you guys, because there seems to be some confusion: I give all users an id in the database, and that's what I save in the cookie; even if you did modify the cookie you wouldn't know how to alter it to fit another user unless you could access the DB. So I don't put any usernames, passwords or whatsoever in cookies.


Deja-Vu


Posted at: 11/11/09 03:09 AM

Deja-Vu NEUTRAL LEVEL 25

Sign-Up: 05/03/02

Posts: 556

At 11/10/09 09:30 AM, urbn wrote: Google mail has remember me, and it remembers me for a month without needing to enter a password for that whole month?

I wouldn't know about that, however, when I access Google Analytics, Webmaster Tools, etc. it prompts me for a password.

At 11/11/09 02:47 AM, Nishinku wrote: And just to clarify for you guys, because there seems to be some confusion: I give all users an id in the database, and that's what I save in the cookie; even if you did modify the cookie you wouldn't know how to alter it to fit another user unless you could access the DB. So I don't put any usernames, passwords or whatsoever in cookies.

As long as the ids cannot be enumerated.

Check your php.ini or ask your host to ensure cookies are enabled for your account (check the session.use_cookies directive). Secondly ensure cookies are enabled in your browser.


DFox


Posted at: 11/11/09 04:01 AM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,474

At 11/11/09 03:09 AM, Deja-Vu wrote:
At 11/11/09 02:47 AM, Nishinku wrote: And just to clarify for you guys, because there seems to be some confusion: I give all users an id in the database, and that's what I save in the cookie; even if you did modify the cookie you wouldn't know how to alter it to fit another user unless you could access the DB. So I don't put any usernames, passwords or whatsoever in cookies.
As long as the ids cannot be enumerated.

I still think it's a piss-poor practice. You're effectively making it so your primary key can't be used anywhere on your site, and if it is, every user just became a joke to "hack". Unless you're always using a user alias instead of the ID (like Newgrounds, still less efficient though), then I don't see how you can do much at all without exposing user ids.



Deja-Vu


Posted at: 11/13/09 07:28 AM

Deja-Vu NEUTRAL LEVEL 25

Sign-Up: 05/03/02

Posts: 556

At 11/11/09 04:01 AM, DFox wrote: I still think it's a piss-poor practice...

Who is this reply aimed at?


DFox


Posted at: 11/13/09 04:25 PM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,474

At 11/13/09 07:28 AM, Deja-Vu wrote:
At 11/11/09 04:01 AM, DFox wrote: I still think it's a piss-poor practice...
Who is this reply aimed at?

Anyone who is thinking about putting any sort of primary key unique ids in a cookie as a sole form to use for login authentication.


All times are Eastern Standard Time (GMT -5)
