What is the best practice for using cookies to authenticate with PHP?

I am looking for tips and ideas on how best to enable authentication with PHP using Cookies.

Should each PHP script check the cookie value to determine whether the user has been registered yet? Or should there be one script that performs this check and is included by every other script? Can the cookie value be read by PHP from different depths of the file system?

Like: blahblahblah.com/ and blahblahblah.com/login/

Can they both read cookies?

Many questions in one post, but thanks!

+6
authentication php cookies
4 answers

On the client side, nothing is safe.

You can easily change a login flag in a cookie in any browser. So it is better to save the login data in PHP's $_SESSION.

If you want to extend the session, just look at session_set_cookie_params().

By default, the same session will be used for the current domain and all paths in this domain. So it will be readable for both blahblahblah.com/ and blahblahblah.com/login/.

When a user logs in, save the username and password hash in the session.

At the beginning of each script, check the session's username and password hash against the database. If they are correct, set a flag (for example, $userLoggedIn = true) to indicate on the server side that the user is logged in; else false.

+3

Some thoughts, in a specific order:

  • Separate the different levels: persistent storage and authentication.
  • PHP sessions are fairly reliable and recommended for maintaining persistent storage.
  • You may have a valid session but not a valid login.
  • Avoid multiple cookies. One is enough. PHP sessions operate on a single cookie.
  • You can set subdomains and paths for cookies, but there is really little point unless you set lots of them, which is not recommended (see above).
  • Put everything that you consider necessary in the session.
  • You should have a generic piece of code that all of your pages include. This is where you initialize the session. Then everything will just work. It can also verify that the login is valid.
  • Have one place that does login authentication and everything related to it.
  • Do not forget the logout screen!

+2
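The two answers above describe the same design: one include that every page loads, login state kept in $_SESSION rather than in a client-editable cookie flag, a single session cookie valid for every path of the host, a per-request re-check against the database that sets $userLoggedIn, and a real logout. The following is an added example of that include written for this page; it is not code from either answer. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params), that the site runs over HTTPS, and a users table with id, username, password_hash (from password_hash()) and disabled columns; the in-memory SQLite database at the bottom is constructed only so the file runs on its own.

```php
<?php
// auth.php: added example (not the answers' own code). Every page does
// `require 'auth.php';` first, then calls currentUser($pdo) or requireLogin().
// Assumptions: HTTPS, PHP >= 7.3, a `users` table as described in the lead-in.

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity allowed (assumed policy)

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued

    // One cookie for the whole host: path "/" covers / and /login/ alike.
    // An empty domain makes the cookie host-only, so www.example.com and
    // example.com get separate cookies.
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout is enforced server side; nothing in the cookie is trusted.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        session_unset();
        session_regenerate_id(true); // old id and its data are discarded
    }
    $_SESSION['last_seen'] = time();
}

/** Called from the login form handler. Returns true on success. */
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? AND disabled = 0');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // a session id fixed before login is not kept
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

/** Re-validates the session's user against the database on every request. */
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ? AND disabled = 0');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;   // a disabled account loses access immediately
}

function requireLogin(PDO $pdo): array
{
    $user = currentUser($pdo);
    if ($user === null) {
        header('Location: /login/', true, 303);
        exit;
    }
    return $user;
}

/** Logout: clear server-side state and expire the cookie, not just a flag. */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// --- stand-alone demo with a constructed in-memory database ---
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, disabled INTEGER DEFAULT 0)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

startSecureSession();
$results = [
    'wrong password'  => loginUser($pdo, 'alice', 'wrong'),
    'right password'  => loginUser($pdo, 'alice', 'correct horse'),
];
$user = currentUser($pdo);
$userLoggedIn = $user !== null;              // the server-side flag the first answer mentions
$results['userLoggedIn'] = $userLoggedIn;
logoutUser();
var_dump($results);
```

In a real deployment the demo block at the end is replaced by `require 'auth.php';` at the top of each page followed by `$user = requireLogin($pdo);` on protected pages; the login form handler calls loginUser() and the logout page calls logoutUser(). The database re-check in currentUser() is what lets an administrator lock an account and have it take effect on the next request rather than when the session expires.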

It is a good idea to have one script do the session / login check and include it in secure pages. As for depth, you can determine that in setcookie(): if the path parameter is set to "/", then it is accessible all the way through.

It is usually a good idea to use sessions instead of cookies, since that is safer, but you could decide to create your own session system based on encrypted data in the cookie, and this can work; but again, sessions store the data on the server side.

0

A cookie is for a domain, so no matter how deep you are in your directory structure, the cookie will be considered OK (as long as your domain remains the same; NB, this means that www.example.com and example.com may have different cookies).

I would suggest doing an authentication check that compares the session identifier in the cookie against, for example, a database table of logged-in users and their session identifiers; this check can live in its own method / include file, which is include()d on each page. Thus the check will be performed every time a page is loaded. NB, this is basically the much safer method that some of the other comments here mentioned.

As Maurice said, though, nothing is safe on the client side: do not use a cookie to store a "logged_in" value which you then check for true / false.

0
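The last two answers describe doing the check without PHP's built-in sessions: a single cookie set with path "/" (so every directory depth sees it) carrying an identifier that is looked up in a database table of logged-in users on every page, instead of a "logged_in" flag the browser could edit. The following is an added example of that scheme, not code from either answer. The table, cookie and function names are this example's own, it assumes HTTPS and PHP 7.3 or later, and the in-memory SQLite database is constructed so the file runs on its own. It goes slightly beyond the answers in storing only a hash of the token, so a copy of the table alone does not let anyone reuse a live login.

```php
<?php
// Added example (not the answers' own code): cookie holds a random token,
// the database holds the token's hash and the user it belongs to.
// Assumptions: HTTPS, PHP >= 7.3; all names below are this example's own.

declare(strict_types=1);

const LOGIN_COOKIE = 'login_token';   // example cookie name
const TOKEN_TTL    = 86400;           // one day (assumed policy)

function tokenHash(string $token): string
{
    return hash('sha256', $token);    // only the hash is stored server side
}

/** After the password has been verified elsewhere: record the login and set the cookie. */
function issueLoginToken(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not guessable
    $stmt = $pdo->prepare('INSERT INTO login_sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([tokenHash($token), $userId, time() + TOKEN_TTL]);
    setcookie(LOGIN_COOKIE, $token, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',       // visible from / and /login/ alike
        'domain'   => '',        // host-only: www.example.com and example.com differ
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

/** Run on every page: returns the user id, or null if the cookie proves nothing. */
function userIdFromToken(PDO $pdo, ?string $token): ?int
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                      // missing or malformed: never reaches the database
    }
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM login_sessions WHERE token_hash = ?');
    $stmt->execute([tokenHash($token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;                      // unknown or expired
    }
    return (int) $row['user_id'];
}

/** Logout: delete the server-side record and expire the cookie. */
function revokeLoginToken(PDO $pdo, string $token): void
{
    $pdo->prepare('DELETE FROM login_sessions WHERE token_hash = ?')->execute([tokenHash($token)]);
    setcookie(LOGIN_COOKIE, '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// --- stand-alone demo with a constructed in-memory database ---
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE login_sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

$token = issueLoginToken($pdo, 42);       // 42 is a constructed user id
$results = [
    'valid token'    => userIdFromToken($pdo, $token),
    'forged token'   => userIdFromToken($pdo, str_repeat('a', 64)),
    'missing cookie' => userIdFromToken($pdo, null),
];
revokeLoginToken($pdo, $token);
$results['after logout'] = userIdFromToken($pdo, $token);
var_dump($results);
```

On a real page the include does `$userId = userIdFromToken($pdo, $_COOKIE[LOGIN_COOKIE] ?? null);` and redirects to the login page when it gets null. Because the lookup is by the token's hash, a forged or leaked-from-backup value is rejected by the database rather than by a comparison in PHP, and a row can be deleted to log a user out from the server side at any time.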
