
For my project I use cookies to automatically log in users. However, I don't want the user to know which cookies are used for what purpose.

For this reason I decided to encrypt the names of the cookies, as well as the content. Decrypting the content of these cookies for use does not cause much trouble. It works perfectly as I want it to. However, for the sake of compatibility and dynamics, I tried to call the cookies dynamically by their names, using code similar to this:

if (isset($_COOKIE[$encryption->decrypt('username')])) { ... }

But this did not seem to work. Neither did setting a variable with the encrypted name of the cookie, like this:

$cookie_name = $encryption->decrypt('username');
if (isset($_COOKIE[$cookie_name])) { ... }

The way I am currently using this script (which works, but seems a bit sloppy) is like this:

if (isset($_COOKIE['Nm9yNCtoK1lTY2M5TnhKWnRvL0NjUT09'])) { ... }

Is there a way to do this correctly, or am I forced to call the cookie by its pre-encrypted name, like I currently do?

Gabi Barrientos
  • Don't store any login information in cookies. Use `$_SESSION` to store login data (Session will in turn use cookies to *identify* the session, but this is very different from containing an encrypted version of the username). – zzzzBov Feb 28 '13 at 05:04
  • Using `$_SESSION` for automatic logins is not possible. For this I actually need cookies. – Gabi Barrientos Feb 28 '13 at 05:06
  • What do you mean by "automatic logins"? – zzzzBov Feb 28 '13 at 05:06
  • I mean a function like a lot of sites have that asks the user whether they want to be 'remembered', and if so, they will be automatically logged in each time they visit, even if the session has ended, in which case the website will create a new session. – Gabi Barrientos Feb 28 '13 at 05:08

2 Answers

You never want to use cookies to store user data; instead use $_SESSION, and to make it last longer use this code:

// Call this before session_start(): it only affects the cookie PHP is about to send
session_set_cookie_params((14 * 24 * 60 * 60), '/', '.yoursite.com');
// Set the session for 14 days, on all paths, on all subdomains of yoursite.com

That will outlast a browser closing, and continue the session next time it is opened.

For instance, at login.php, you could have this:

if ($remembermechecked) {
    session_set_cookie_params((14 * 24 * 60 * 60), '/', '.yoursite.com');
}

When $remembermechecked is true, the session will last 14 days.

grepsedawk
  • But doesn't this mean that I will have to 'fake' a user login to keep the session from timing out, since the session's cookie will not extend its lifetime on subsequent requests this way? – Gabi Barrientos Feb 28 '13 at 05:22
  • No, actually right now you're faking a user login by using cookies. $_SESSION is the proper way to keep track of user logins. Basically $_SESSION['userid'] would be the id of the user logged in. At logout you pretty much just trash the session and then they're logged out. – grepsedawk Feb 28 '13 at 05:27
  • Ok, thanks for clarifying. I hope you don't mind, but since both you and Andrew gave about the same answer, and since you have a lot more reputation, I am going to accept Andrew's answer as the correct one. – Gabi Barrientos Feb 28 '13 at 05:31

As stated in the comment above, it would be wise to use a session.

In PHP, sessions can be made to be "persistent"... AKA: Don't get lost when a user closes the browser.

Check this answer.

https://stackoverflow.com/a/9797962/1521230

EDIT:

To "reset" the session cookie duration on each request, after session_start() on each page, you'll also want to use session_regenerate_id(TRUE).

Andrew McGivery
  • drew010 says in his answer "The cookie lifetime is set from when the session is first started, not on subsequent requests.", doesn't that mean that after the session has been started, and the session has a lifetime of 7 days, the user will still have to re-log in to the website, even if visits have been made to the website during the lifetime of the session? – Gabi Barrientos Feb 28 '13 at 05:17
  • It also says "If you want to extend the lifetime of a session out 7 days from the current time, see also session_regenerate_id()". I added to my answer. – Andrew McGivery Feb 28 '13 at 05:27
  • I don't mind you giving him the best answer, you win some and lose some. Except, I'd much rather have @AndrewMcGivery include direct code backing up his answer, as link-only answers are not considered acceptable by Stack Overflow. – grepsedawk Feb 28 '13 at 05:34
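Putting both answers together, here is a complete "remember me" flow as an added example; it is not code from either answer or from the asker. Login state lives only in $_SESSION, the 14-day lifetime from the first answer is applied to PHP's own session cookie, and session_regenerate_id(TRUE) from the second answer re-sends that cookie on each request so the expiry moves forward. It assumes PHP 7.3+ (for the array forms of session_set_cookie_params() and setcookie()), a site served over HTTPS on the hypothetical domain yoursite.com, and a hypothetical lookup_user_id() that checks the submitted credentials against the user store and returns the user's id or null.

```php
<?php
// Added example, not code from the answers above.
// Assumptions: HTTPS on yoursite.com (hypothetical domain); lookup_user_id()
// is a hypothetical helper returning the user's id, or null on bad credentials.

const REMEMBER_ME_LIFETIME = 14 * 24 * 60 * 60;   // 14 days, as in the answer

// Cookie parameters are applied when PHP sends the session cookie, so this
// must run before session_start() (PHP 7.2+ refuses to change them while a
// session is active). A lifetime of 0 means "until the browser closes".
function start_session(int $lifetime): void
{
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'domain'   => '.yoursite.com',   // assumed domain
        'secure'   => true,              // only sent over HTTPS
        'httponly' => true,              // not readable from JavaScript
        'samesite' => 'Lax',             // not sent on cross-site POSTs
    ]);
    session_start();
}

// login.php: $rememberMe is the state of the "remember me" checkbox.
function login(string $username, string $password, bool $rememberMe): bool
{
    $userId = lookup_user_id($username, $password);   // hypothetical helper
    if ($userId === null) {
        return false;
    }
    start_session($rememberMe ? REMEMBER_ME_LIFETIME : 0);
    // Issue a fresh id after authentication so an id handed out before login
    // (session fixation) is never promoted to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['userid']      = $userId;     // the only login state that exists
    $_SESSION['remember_me'] = $rememberMe;
    return true;
}

// Every protected page: the browser holds only the opaque session id, the
// username never leaves the server, so there is nothing to encrypt in cookies.
function require_login(): int
{
    // No session cookie at all: nothing to resume, and no point creating one.
    if (!isset($_COOKIE[session_name()])) {
        header('Location: /login.php');
        exit;
    }
    // Use the long lifetime here so that, when a remembered session is
    // refreshed below, the re-sent cookie gets a new 14-day expiry.
    start_session(REMEMBER_ME_LIFETIME);
    if (empty($_SESSION['userid'])) {
        header('Location: /login.php');
        exit;
    }
    if (!empty($_SESSION['remember_me'])) {
        // The expiry is fixed when the cookie is first sent, not on later
        // requests. Regenerating the id re-sends the cookie with the current
        // parameters, so it now expires 14 days from this request.
        session_regenerate_id(true);
    }
    return (int) $_SESSION['userid'];
}

// logout.php: discard the server-side state and expire the cookie.
function logout(): void
{
    start_session(0);
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
    session_destroy();
}
```

Two things to check when deploying this pattern. First, the cookie lifetime only governs the browser; the server deletes idle session data after session.gc_maxlifetime (1440 seconds by default), so that setting also has to be raised to at least 14 days or remembered users are logged out long before the cookie expires. Second, session_regenerate_id(TRUE) deletes the old session, so two requests arriving at the same time (parallel AJAX calls, for instance) can race and one of them can lose the session; an alternative that keeps the same id is to re-send it with a fresh expiry via setcookie(session_name(), session_id(), ...) using the parameters from session_get_cookie_params().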