Logging into ChiefDelphi.com question

[Raven_Writer]

Does anyone know how the message board keeps the username logged in after registering, so that the user doesn't have to log in again? I'm asking this because for my PHP script I'm working on, I want the user to not have re-login everytime, or atleast after s/he gets done registering.

[Elgin Clock]

Cookies?

[Ryan M.]

Quote:

Originally Posted by Elgin Clock

Cookies?

I think so. It uses a session cookie by default, but when you check the "Remember me" box it uses the, uh, "long-term" cookie. (don't know the technical term... )

[Pierson]

I believe it is cookies because whenever I clear my cookies, I have to log in again. (/me defers to Brandon for the final answer)

However with other sites, like amazon.com they track you through the web address itself. But this only works for one session at a time.

[Raven_Writer]

Thank you all very much. I had a feeling it was through cookies (my other theory was very terrible). Off to learn about PHP and cookies.

[evulish]

If what you're doing is trying to do a log-in system, don't depend on the cookie information to be sent from you. People can write their own cookies. Say there were two users.. billybob and jimmyjoe. If billybob signs in, and you set a cookie to 'user=billybob,' jimmyjoe could come along and write his own cookie that says 'user=billybob' allowing him to bypass any password. A common plan is to assign a user-id string when the person logs in. Store it in a database along with the rest of the users information and in his cookie. Then when he accesses the page again, check the database for that unique id. It's not super-ultra-mega secure. But it's exponentially better than using the login name as the method to check. Hope that helps, or even relates to what you're trying to do (Maybe it'll help some other random soul.. *shrug*)

[Raven_Writer]

Quote:

Originally Posted by evulish

If what you're doing is trying to do a log-in system, don't depend on the cookie information to be sent from you. People can write their own cookies. Say there were two users.. billybob and jimmyjoe. If billybob signs in, and you set a cookie to 'user=billybob,' jimmyjoe could come along and write his own cookie that says 'user=billybob' allowing him to bypass any password. A common plan is to assign a user-id string when the person logs in. Store it in a database along with the rest of the users information and in his cookie. Then when he accesses the page again, check the database for that unique id. It's not super-ultra-mega secure. But it's exponentially better than using the login name as the method to check. Hope that helps, or even relates to what you're trying to do (Maybe it'll help some other random soul.. *shrug*)

I was reading about how bad cookies were usually past couple of days. Now, I've switched over to using sessions. I think I'll either try storing a unique ID (MD5 maybe?), or just not even bother keeping the user logged in during a re-visit.

Use the following code at the top of each page:

PHP Code:

session_start(); 


Now use the Session variables to check if a user is logged in.

[Brandon Martus]

There are a few cookies that keep you logged in. You could, rather than use cookies, send the session ID through the URL. That is what vBulletin does if you don't allow cookies to be used, and have that setting configured in your options.