Unable to save user login to cookie or session

I have a problem. I am working on a little CMS. When I log in, everything is fine, but if I sit there, the session seems to require me to log in again after 3 minutes. So I tried to implement the remember me function, and I was also unlucky there: it also requires me to log in.

In my functions I have the following snippet of code.

    function logged_in(){
        if(isset($_SESSION['email']) || isset($_COOKIE['email'])){
            return true;
        } else {
            return false;
        }
    }

Then I created another function: if a login is required on the page and you are not logged in, you will be redirected.

    function require_loggin(){
        if (logged_in()) {} else { redirect(ROOT_URI); }
    }

Now, on all pages that require login, I have this in the page title.

 <?php require_loggin(); ?> 

And these are my login details.

    $email = clean($_POST['email']);
    $password = clean($_POST['password']);
    $remember = isset($_POST['remember']);

And finally my login.

    function login_user($email, $password, $remember){
        $active = 1;
        $connection = dbconnect();
        $stmt = $connection->prepare('SELECT user_pwd, user_email, uid, username FROM users WHERE user_email = ? AND active= ?');
        $stmt->bind_param('ss', $email, $active);
        $stmt->execute();
        $result = $stmt->get_result();
        if ($result->num_rows == 1) {
            $row = $result->fetch_array();
            $db_password = $row['user_pwd'];
            if (password_verify($password, $db_password)) {
                if($remember == "on") {
                    setcookie('email', $email, time() + 86400);
                }
                $_SESSION['uid'] = $row['uid'];
                $_SESSION['email'] = $row['user_email'];
                $_SESSION['username'] = $row['username'];
                return true;
            } else {
                return false;
            }
            return true;
        } else {
            return false;
        }
    }

Everything works without errors. Login and logout are OK.

The problem is that after logging in, the default session dies after about 4 minutes if they don’t click the links, and the remember me function will not work. I read somewhere that the default session should last about 30 minutes, but the session requires you to log in after 4 minutes without moving around the site.

Someone mentioned garbage collection to me, but I must admit that I am completely lost there.

I am still pretty new to PHP and I want to learn the correct way, not the wrong way. My project works fine, I just can’t get the user to log in or be able to remember me.

+8
php
7 answers

I recommend creating an application configuration file. Name it config.php and include it at the top of your pages. Given how simple your application is, I assume that you are not using an autoloader. Add the following snippet to it:

    <?php
    /**
     * File: config.php
     * This file should be included in every PHP page to configure the session. Like this:
     * require_once('config.php');
     */

    /*
     * This is 30 minutes. The length only depends on the requirements of
     * your application.
     */
    $sessionLength = 30 * 60;
    ini_set('session.gc_maxlifetime', $sessionLength);
    session_set_cookie_params($sessionLength, "/", "yourdomain.com");
    session_name('PHPSESSION');
    session_start();

    // This will force the cookie to reset with a new timeout on every page load.
    setcookie(session_name(), session_id(), time() + $sessionLength);
    ?>
+6

Update:

Edit number 9 of the question changed the question significantly, and this answer (and most other answers) no longer applies.

This answer was a response to edit number 7 of the question (when the bounty was started).

I am leaving this here so visitors can see why there are so many answers and comments related to “session duration” when the question, as it stands now, does not refer to it. I will delete the answer upon completion.


Run the following PHP file in your browser:

    <?php
    // Lifetime of session data on the server before garbage collection may remove it
    echo 'Session GC Max Lifetime: '. ini_get('session.gc_maxlifetime') . ' (The number of seconds after which data will be seen as \'garbage\' and potentially cleaned up.)<br>';
    // Lifetime of the session cookie in the browser
    echo 'Session Cookie Lifetime: '. ini_get('session.cookie_lifetime') . ' ( the lifetime of the cookie in seconds which is sent to the browser. The value 0 means &quot;until the browser is closed.&quot;)<br>';
    phpinfo();
    ?>

If one of the two values at the top is “about 4 minutes” (240 seconds), you need to configure them in your PHP configuration.

Otherwise, the output of phpinfo() below should tell you everything you need to look for, for example:

  • if you have another script that deletes files from the session path (see session.save_path), you will also lose the session;
  • if you don’t use cookies (I assume you are, otherwise you will see the PHPSESS parameter on all URLs), then
  • if PHP / Apache / IIS etc. should restart, then you will lose all sessions.
  • (Do not be fooled by session.cache_expire = 180; this is 180 minutes, not seconds, and not related to it.)
+4

Based on the last change of your question (9) and the code in its current form (please stop editing the question and code - create a new question if it changes so much!)

Your call to login_user($email, $password) does not pass the $remember variable as expected in the declaration

 function login_user($email, $password, $remember) 

Therefore, it will never set a cookie.

Tips:

  • when debugging, just insert echo $remember . "<br>"; or echo "I'm Here<br>"; or echo "I'm at " . __FILE__ . "/" . __LINE__ . "<br>"; or similar code at different points so you know where execution gets to. You will see that it never reaches the "setcookie" line.
  • enable ALL error reporting for debugging / development purposes: error_reporting(E_ALL); and ini_set('display_errors', 'on'); as this will show your problem.
  • If you use a cookie, do not store something easily decoded (for example, a base64 string, as you are doing), but keep a reference to the "persistent session" that you store on the server. Any hacker will immediately recognize the base64 string (see the equal sign at the end? base64 is the first thing that comes to mind). I can change one letter and log in as someone else using your code.
  • There are some tips on creating a good session system (i.e. if you use cookies for "remember me", then you might as well not use session_start() sessions and do it all yourself), but this leads to the suggestion that you should use a library if you are not 100% sure of your logic and security - and provided that the base64_decode problem is correct. I hope your verify_password is not self-written, but something commercial? Ideal for learning, but ask someone to check the code before running it if you want it to go live.

Good luck.

(And please do not change the question again! No one will want to help you.)

+3

First of all, try adding this line before the session_start() statement:

 session_set_cookie_params(3600,"/"); 

If this does not work, you have 3 options:

1) Change the value of this line on your php.ini to 1800

 session.gc_maxlifetime 

2) Put this in your .htaccess file:

    php_value session.cookie_lifetime 1800
    php_value session.gc_maxlifetime 1800

1800 is in seconds, so it's half an hour.

3) If you do not have access to .htaccess, you can put it in your header:

 ini_set('session.cookie_lifetime','1800'); 

Debian has a cron job to automatically expire sessions as a security measure. If you use Debian, check /etc/cron.d/php*

RESOURCES:

http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
http://php.net/manual/en/function.session-set-cookie-params.php

+2

You did not mention how you use the logged_in function. When you close the browser, your session will be destroyed, so the userid, username and email values will be NULL.
After checking whether the cookie value is set, you should get the appropriate values from the database based on the cookie value and set those values in the session. You must follow this kind of flow to maintain a login system. I hope this answer helps you understand this login system.

0

Check out Robbie's answer.

If you cannot configure the PHP configuration, you can also use HTTP auth. It does not expire. However, in this case, the password is transmitted each time the user requests a web page.

0

This is the wrong way to handle this. In order to enable automatic cookie login, you must save all the necessary login information in the cookie. But you must encrypt it to prevent problems later.

Example cookie:

 token = USER_ID:USER_NAME:HASHED_PASSWORD 

The colon is a delimiter, so you can use explode to get the token components. You can then check this information against the database entries.

Good luck

-3