#1

    Stay logged in using sessions


    This works, but I don't like having to reset the session cookie if you're staying logged in; I'd prefer to be able to tell if lifetime>0 and just do it once. At the moment it relies on the SESSION var being set.

    And no, I don't want to add a separate cookie.

    Also do you see any potential problems / issues?

    Code:
    <?php
    
    error_reporting(E_ALL);
    ini_set('display_errors',E_ALL);
    
    ini_set('session.use_only_cookies', 1);
    $cookieParams = session_get_cookie_params();
    
    $loggedin=true;
    if(isset($_GET['logout'])){
    	//session_set_cookie_params(-31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    	session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);  
    	session_start();
    	//session_destroy();
    	session_regenerate_id(true);
    	//setcookie(session_name(), '', time()-42000, '/');
    	session_unset();	//unset($_SESSION['myvar']);
    	session_destroy();
    	
    	header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    	exit();
    	
    }elseif(isset($_GET['login'])){
    	session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    	session_start();
    	$_SESSION['myvar']="Logged in";
    	header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    	exit();
    	
    }else{
    	$cookieParams = session_get_cookie_params();
    	echo "lifetime: ".$cookieParams["lifetime"]."<br />";
    	/*
    	if($cookieParams["lifetime"]>0){
    		echo "lifetime: here<br />";
    		session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    	//if($cookieParams["lifetime"]<=0){
    	}else{
    		echo "lifetime: There<br />";
    		session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    	}
    	*/
    	
    	session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    	session_start();
    	
    	if(isset($_SESSION['myvar'])){
    		//session_write_close();
    		session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    		//session_start();
    		session_regenerate_id(false);
    	}
    }
    
    echo session_id()."<br />";
    
    if(isset($_SESSION['myvar'])){
    	echo "myvar: ".$_SESSION['myvar']."<br />";
    	echo "<a href='?logout=true'>logout</a><br />";
    }else{
    	echo "<a href='?login=true'>login</a><br />";
    }
    
    ?>
#2
    Hi,

    first of all, zombie sessions are just bad. They're a gigantic security risk. And with all the powerful password managers we have today, there's really no excuse for still using them. If you care just a tiny bit about security and quality, stop it and use a proper solution.

    Secondly, the implementation is wrong (like 99% of all “remember me” features). No, you cannot (ab)use standard PHP sessions for this. They store the session IDs as plaintext, which is equivalent to storing all passwords as plaintext. There's no way of limiting the active sessions to one per user. And if a user loses the session cookie before they've logged out, they can never destroy the session again. In other words: Your poor users will leave a trail of active sessions at all kinds of places (workplaces, hotels, airports, Internet cafés, friends, (ex-)girlfriends etc.). This is begging for abuse.

    Last but not least, you're using many functions wrong. The display_errors directive takes a boolean value. It's either true or false. The session.cookie_lifetime is the amount of time every session cookie should live (like 3600 = 1 h). It's not a point in time – this wouldn't even make sense, because this is a global configuration. The HTTP GET method is for fetching a resource (hence the name), not for actions like logging in and logging out! And the whole logout part doesn't even make sense. Why do you regenerate the session ID when you're going to destroy the session anyway? Why do you keep the session cookie alive?

    No, this does not "work".
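The reply above says what not to do but not what a proper "remember me" looks like. The following is an added example, not code from either poster: a persistent-login token store in which the cookie carries a random selector plus a random validator, only a hash of the validator is stored (so a leaked table is not a list of usable logins), every token is tied to one user and can be revoked, and each successful use rotates the token. The regular PHP session stays a normal short-lived session; session.cookie_lifetime is left alone. The table name, cookie name, 30-day lifetime and the use of SQLite through PDO are assumptions made for the example; in production the table would live in the real database and issueToken() would only be called after a successful password check submitted via POST.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ with PDO/SQLite.
// Table and cookie names are hypothetical.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';   // hypothetical cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;  // a duration (30 days), not a timestamp

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');    // assumption: SQLite stands in for the real DB
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only a hash of the validator is stored: a database leak does not yield
    // usable tokens, unlike the plaintext session IDs the reply objects to.
    $db->exec('CREATE TABLE remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires        INTEGER NOT NULL)');
    return $db;
}

// Called once, after a successful password login with "remember me" ticked.
function issueToken(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(12));  // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret half, lives only in the cookie
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Returns the user id for a valid cookie value, or null. The row is deleted
// either way, so a token is single-use and a stolen one cannot be retried.
function consumeToken(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $ok = $row['expires'] > time()
        && hash_equals($row['validator_hash'], hash('sha256', $validator)); // constant-time compare
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    return $ok ? (int) $row['user_id'] : null;
}

// "Log out everywhere": revokes all of a user's persistent tokens, which is
// what a user who left a cookie behind on a shared machine needs.
function revokeAll(PDO $db, int $userId): int {
    $stmt = $db->prepare('DELETE FROM remember_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();
}

// Web glue (only meaningful under a web server): the cookie carries the token;
// the PHP session itself is a plain session with the default lifetime.
function sendRememberCookie(string $token): void {
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_TTL,  // setcookie() does take a timestamp
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function loginFromCookie(PDO $db): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $userId = consumeToken($db, $_COOKIE[REMEMBER_COOKIE]);
    if ($userId === null) {
        return null;
    }
    session_start();
    session_regenerate_id(true);                  // new ID for the new auth state
    $_SESSION['user_id'] = $userId;
    sendRememberCookie(issueToken($db, $userId)); // rotate the token on every use
    return $userId;
}

// CLI self-check of the token logic with constructed data (no web server needed).
if (PHP_SAPI === 'cli') {
    $check = function (bool $cond, string $what): void {
        if (!$cond) { throw new RuntimeException("failed: $what"); }
    };
    $db = openStore();
    $t  = issueToken($db, 42);
    $check(consumeToken($db, $t) === 42,   'valid token logs in user 42');
    $check(consumeToken($db, $t) === null, 'token is single-use');
    $t2 = issueToken($db, 42);
    $check(revokeAll($db, 42) === 1,       'revokeAll removes the outstanding token');
    $check(consumeToken($db, $t2) === null,'revoked token is rejected');
    echo "token store OK\n";
}
```

Run the file on the command line to exercise the store; under a web server, call loginFromCookie() before any page that needs the user, and call revokeAll() from the logout handler (reached via POST, not a GET link) together with session_destroy() and a cookie clear.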
