  1. #1
    SitePoint Zealot rrreview's Avatar
    Join Date
    Jul 2002
    Posts
    117

    Question Authenticating users with MySQL & cookies

    Basic question here.

    I have a MySQL database full of usernames, passwords, and IDs. To log in, they use a form that checks data in the database, and if it matches, it sets 2 cookies - clanid set to their ID, and clanname set to their name. Theoretically, to check to see if they're logged in or not, all I would need to do is have an !isset($cookie) code at the top of every restricted page.

    Anyways, here's my question...if you delete a user, but they still have the cookie on their computer, how would I keep that user from being able to access the restricted areas? I'm thinking maybe add a "restricted" setting to the table, and when the user accesses the site, it checks the database with their user id to see if restricted=1 or something, and deletes their cookie, then deletes their info from the database.

    I'd appreciate any help.

  2. #2
    does not play well with others frezno's Avatar
    Join Date
    Jan 2003
    Location
    Munich, Germany
    Posts
    1,391
    If in the cookie a session id is included you only have to check whether the session id in the cookie equals the current session id; session cookies
    We are the Borg. Resistance is futile. Prepare to be assimilated.
    I'm Pentium of Borg. Division is futile. Prepare to be approximated.

  3. #3
    PHP manual bot bronze trophy Gaheris's Avatar
    Join Date
    Oct 2003
    Location
    Germany
    Posts
    2,195
    How about changing your "is-logged-in" part, instead of just looking for a cookie you could try to log in with the data in the cookies (userid & hashed password).

  4. #4
    SitePoint Zealot rrreview's Avatar
    Join Date
    Jul 2002
    Posts
    117
    Quote Originally Posted by frezno
    If in the cookie a session id is included you only have to check whether the session id in the cookie equals the current session id; session cookies
    Wouldn't that defeat the whole purpose of having cookies in the first place? If this were the case, wouldn't it be better if I switched over to sessions instead of cookies?

  5. #5
    ko pročita magarac :) boccio's Avatar
    Join Date
    Oct 2003
    Location
    belgrade
    Posts
    354
    Why don't you set your cookie to expire after 24 or 48 hrs?

    stay good

  6. #6
    does not play well with others frezno's Avatar
    Join Date
    Jan 2003
    Location
    Munich, Germany
    Posts
    1,391
    Quote Originally Posted by rrreview
    Wouldn't that defeat the whole purpose of having cookies in the first place? If this were the case, wouldn't it be better if I switched over to sessions instead of cookies?
    Cookies are not unsafe as such, since they were on your machine and not at the server or wherever else.

    Of course, sessions are always the better choice.
    You shouldn't rely just on cookies. You can set expiration time of cookie to the past thus they were deleted immediately after use.
    We are the Borg. Resistance is futile. Prepare to be assimilated.
    I'm Pentium of Borg. Division is futile. Prepare to be approximated.
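
The approach the replies point toward (a session id in the cookie, checked against the server on every request, with an expiry), as an added example that is not code from anyone in the thread. It assumes PDO with an in-memory SQLite database standing in for the MySQL one; the table layout, the function names and the cookie name `sid` are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice')"); // constructed sample user

// Call after the password check succeeds; returns the value to store in the cookie.
function startSession(PDO $db, int $userId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // unguessable, carries no id or name
    $stmt = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)');
    // Only a hash of the token is stored, so a leaked table cannot be replayed as cookies.
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;
}

// Call at the top of every restricted page; returns the user row or null.
function currentUser(PDO $db, ?string $token): ?array
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // missing or malformed cookie
    }
    // The JOIN means a session only counts while its user row still exists.
    $stmt = $db->prepare(
        'SELECT u.id, u.name FROM sessions s JOIN users u ON u.id = s.user_id
         WHERE s.token_hash = ? AND s.expires > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Deleting a user also revokes every session that user holds.
function deleteUser(PDO $db, int $userId): void
{
    $db->prepare('DELETE FROM sessions WHERE user_id = ?')->execute([$userId]);
    $db->prepare('DELETE FROM users WHERE id = ?')->execute([$userId]);
}

// In a web request: setcookie('sid', $cookie, ['httponly' => true, 'secure' => true]);
// and later currentUser($db, $_COOKIE['sid'] ?? null).
$cookie = startSession($db, 1);
var_dump(currentUser($db, $cookie) !== null);    // valid session
var_dump(currentUser($db, str_repeat('0', 64))); // well-formed but unknown token
deleteUser($db, 1);
var_dump(currentUser($db, $cookie));             // same cookie after the user is deleted
```

Because the cookie holds only a random token, editing it to another user's id or name gains nothing, and the per-request lookup is what shuts out a deleted user who still has the cookie.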

