1

i was carrying on building my site today and i realised that everytime i go to test it, i have to keep logging into my account on my site, this would be normal except i setup cookies to expire in 30 days, for some reason i don't think they are doing their job properly, and unfortunately i don't have a great deal of knowledge about them to solve the problem, here is the code which sets up the cookie on login, if you need any more info let me know.

$encryptedID = base64_encode("g4enm2c0c4y3dn3727553$id");
setcookie("idCookie", $encryptedID, time()+60*60*24*100, "/"); // Cookie set to expire in about 30 days
setcookie("passCookie", $pass, time()+60*60*24*100, "/"); // Cookie set to expire in about 30 days

some more code that is just above it (may help)

if($login_check > 0){ 
    while($row = mysql_fetch_array($sql)){
        // Pleae note: Adam removed all of the session_register() functions cuz they were deprecated and
        // he made the scripts to where they operate universally the same on all modern PHP versions(PHP 4.0  thru 5.3+)
        // Create session var for their raw id
        $user_id = $row["user_id"];   
        $_SESSION['user_id'] = $user_id;
        // Create the idx session var
        $_SESSION['idx'] = base64_encode("g4p3h9xfn8sq03hs2234$id");
        // Create session var for their username
        $login_username = $row["login_username"];
        $_SESSION['login_username'] = $login_username;
        // Create session var for their password
        $login_userpass = $row["login_password"];
        $_SESSION['login_userpass'] = $login_userpass;
        $sql_login = mysql_query("SELECT no_of_logins FROM users WHERE user_id='$user_id'");
        $array = mysql_fetch_assoc($sql_login);
        $no_of_logins = $array['no_of_logins'];
        //$sql_login_check = mysql_num_rows($sql_login);
        if($no_of_logins == "0"){
            mysql_query("UPDATE users SET first_login=now() WHERE user_id='$user_id' LIMIT 1");
        }
        mysql_query("UPDATE users SET last_login=now() WHERE user_id='$user_id' LIMIT 1");
        mysql_query("UPDATE users SET online = '1' WHERE user_id='$user_id' LIMIT 1");
        mysql_query("UPDATE users SET no_of_logins = no_of_logins + 1 WHERE user_id='$user_id' LIMIT 1");
        mysql_query("UPDATE system SET total_logins = total_logins + 1");
        mysql_query("UPDATE system SET no_online = no_online + 1");
    } // close while
    // Remember Me Section
    $encryptedID = base64_encode("g4enm2c0c4y3dn3727553$id");
    setcookie("idCookie", $encryptedID, time()+60*60*24*100, "/"); // Cookie set to expire in about 30 days
    setcookie("passCookie", $pass, time()+60*60*24*100, "/"); // Cookie set to expire in about 30 days
    // All good they are logged in, send them to homepage then exit script
    header("Location: profile.php");
    exit();
} else { // Run this code if login_check is equal to 0 meaning they do not exist
    $loginErrorMsg = "Incorrect login data, please try again";
    $errorDisplay = '';
}

Thanks for any and all help

j08691
  • 204,283
  • 31
  • 260
  • 272
Al Hennessey
  • 2,395
  • 8
  • 39
  • 63

3 Answers3

2

I don't see much wrong in your code, except for:

time() + 60*60*24*100

That's 100 days in the future, not 30 days :)

Update

It's normal for session cookies to expire when you close the browser, since they don't have an explicit expiry date set in the response headers.

This is exactly why you create long-lasting cookies; when the session is expired (or non existent is more likely), a new session has to be populated with data gathered from those cookies.

Ja͢ck
  • 170,779
  • 38
  • 263
  • 309
  • What i meant is that i have to keep logging in, each time i close the browser and reopen it – Al Hennessey Jun 08 '12 at 17:10
  • @Arken right, I've updated my answer in between to mention that sessions -may- will expire when you close the browser ... so you have to use the cookies to repopulate it – Ja͢ck Jun 08 '12 at 17:13
  • Why would that be? It looks like the browser cookie does not expire when the browser is closed, so PHP should have absolutely no knowledge that the browser closed and then reopened. – Eric J. Jun 08 '12 at 17:22
  • @Arken you're welcome; hope you can work out the repopulating bit :) – Ja͢ck Jun 08 '12 at 17:23
  • @EricJ. right, but session cookies are supposed to expire once the browser is closed afaik. it's only the cookies that have an expiry date further in the future that will remain. – Ja͢ck Jun 08 '12 at 17:25
  • Yes, but he's setting the expiry date to 100 days in the future already, right, making it a non-session cookie? – Eric J. Jun 08 '12 at 20:28
  • @EricJ. correct, those cookies won't expire (well, not soon), but he's also using sessions ... so three cookies in total – Ja͢ck Jun 08 '12 at 20:31
1

Session expiration and cookie expiration are different things. You shouldn't set a PHP session to be 30 days long, the default is 1 hour (maybe 30 minutes). What you do need is a way to log the user back in automatically (restart the PHP session) if they come to the site and have the special cookie.

Ruan Mendes
  • 90,375
  • 31
  • 153
  • 217
0

If I recall correctly, the session will still timeout (releasing limited server resources... it's a good thing) after the configured session timeout time has elapsed, even if your cookie is still present in the browser.

See PHP Session timeout

Are you seeing a session time out after, say, 20 minutes of inactivity (rather than the 30 days you hoped for) or does it time out immediately if you log in, close the browser, open the browser, and try to access the site again?

Community
  • 1
  • 1
Eric J.
  • 147,927
  • 63
  • 340
  • 553