0

I'm trying to have a start php that allows a user to input a username and password and stores it as a cookie, so when they try and log in again it will have their password stored. I'm starting a session because eventually I want to pass that to another php as a post (to verify if that's the correct password), but I'm kind of confused on starting the session because I'm not very familiar with sessions. Here's what I have so far:

<?php
    session_start();
    $_SESSION["name"] = "";
    $_SESSION["password"] = "";

?>

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <title>Remember the Cow</title>
        <link href="https://webster.cs.washington.edu/css/cow-provided.css" type="text/css" rel="stylesheet" />
        <link href="cow.css" type="text/css" rel="stylesheet" />
        <link href="https://webster.cs.washington.edu/images/todolist/favicon.ico" type="image/ico" rel="shortcut icon" />
    </head>

    <body>
        <div class="headfoot">
            <h1>
                <img src="https://webster.cs.washington.edu/images/todolist/logo.gif" alt="logo" />
                Remember<br />the Cow
            </h1>
        </div>

        <div id="main">
            <p>
                The best way to manage your tasks. <br />
                Never forget the cow (or anything else) again!
            </p>

            <p>
                Log in now to manage your to-do list. <br />
                If you do not have an account, one will be created for you.
            </p>

            <form id="loginform" action="login.php" method="post">
                <div><input name="name" type="text" size="8" autofocus="autofocus" /> <strong>User Name</strong></div>
                <div><input name="password" type="password" size="8" /> <strong>Password</strong></div>
                <div><input type="submit" value="Log in" /></div>
            </form>

            <p>
                <em>(last login from this computer was ???)</em>
            </p>
        </div>

        <div class="headfoot">
            <p>
                <q>Remember The Cow is nice, but it's a total copy of another site.</q> - PCWorld<br />
                All pages and content &copy; Copyright CowPie Inc.
            </p>

            <div id="w3c">
                <a href="https://webster.cs.washington.edu/validate-html.php">
                    <img src="https://webster.cs.washington.edu/images/w3c-html.png" alt="Valid HTML" /></a>
                <a href="https://webster.cs.washington.edu/validate-css.php">
                    <img src="https://webster.cs.washington.edu/images/w3c-css.png" alt="Valid CSS" /></a>
            </div>
        </div>
    </body>
</html>
  • Cookies and sessions are 2 different mechanisms. Sessions will be cleared when the user closes their browser window or after a period of inactivity. Cookies remain in the browser for a predefined period. When someone logs in they should select a checkbox if they want to remember their login. You could then set an encrypted value to a cookie (see setcookie in the PHP docs), then every time someone comes to the site you can check for the existence of the cookie $_COOKIE['cookie name'] and log them in if it's a valid value – Brett May 27 '16 at 00:27

2 Answers

1

You're almost there.

After you validate that name and password are valid (use password_hash and password_verify when storing your passwords to increase security), generate and save a unique session id:

session_regenerate_id();

Once you do that, you can save that session id to a session table. It is highly recommended you regenerate the session_id every time the user changes state (logged in/out or privilege escalation).

I wouldn't store the password in the session, nor would I rely on the username.

A session is authenticated if the session_id matches that of an authenticated session in your session database. To end the session, delete the session_id from your session table and regenerate the session_id:

unset($_SESSION['SESSIONKEY']);
session_regenerate_id();

This is the most basic way to implement it. There are lots of ways to build security into the session and it's recommended to enhance this to prevent attacks such as session hijacking and other types of attacks.

Additional reading:

When and why I should use session_regenerate_id()?

John Cruz
0

If you are getting data from a database then you can get the data based on the username and password and store the whole data into a session array as:

$_SESSION['user'] = mysql_query("select * from users where username = '" . $username . "' and password = '" . $password . "'");

Also store the username and password in the system cookie, and when you log out manually, delete the cookie.

PHP Geek
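
The login flow the first answer describes (password_hash, password_verify, session_regenerate_id, no password in the session), with a parameterized lookup in place of the concatenated query in the second answer. This is an added example, not code from either answer; the PDO/SQLite in-memory database, the users table and its columns, the function names and the sample account are assumptions made for the demo.

```php
<?php
// Constructed demo: an in-memory SQLite table stands in for the real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');

// Registration stores only a salted hash, never the password itself.
function register(PDO $db, string $name, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login looks the user up with a bound parameter (no string concatenation),
// then lets password_verify compare the submitted password to the stored hash.
function login(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh id when the user logs in
    $_SESSION['user_id'] = (int) $row['id']; // keep only the id, not the password
    return true;
}

// Logout clears the session data and issues a fresh id again.
function logout(): void {
    $_SESSION = [];
    session_regenerate_id(true);
}

session_start();                             // must run before any output
register($db, 'bessie', 'moo-moo-meadow');   // constructed sample account
$results = [
    'wrong password' => login($db, 'bessie', 'guess'),
    'quote in name'  => login($db, "o'hara", 'guess'), // bound as data, no SQL error
    'right password' => login($db, 'bessie', 'moo-moo-meadow'),
];
$results['session keys'] = array_keys($_SESSION);
logout();
$results['session after logout'] = $_SESSION;
var_export($results);
```

Run it with the PHP CLI to see the results array; in a page such as login.php the same functions would be called after session_start() with the posted name and password.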