
I have been working on sessions that have to work 24/7 and don't get logged out until the user logs out, exactly like 'facebook'. I have tried to write code and it didn't work, so I googled for it and unfortunately didn't find any working solution, so here I am. I tried only sessions first but that didn't work, so I was using sessions with cookies, with a cookie expiry time of 10 years, but it still didn't work. My code is

index.php

<?php
include_once('includes/open-pdo.php'); // session_start() is called in this include
include_once 'model.php';              // provides check_user_login()

// Already logged in: go straight to the dashboard
if(!empty($_SESSION["is_logged_in"])) {
 header('Location: dashboard.php');exit;
}

// Restore the login from the long-lived cookies
if(!empty($_COOKIE["member_login"])) {
  $username = trim($_COOKIE["member_login"]);
  $password = trim($_COOKIE["member_password"]);
  $valid_user_details = check_user_login($username, $password);
  if(count($valid_user_details)>0 && $valid_user_details['user_id'] > 0){
    $_SESSION['ses_user_id'] = $valid_user_details['user_id'];
    $_SESSION['ses_username'] = $valid_user_details['user_name'];
    $_SESSION['ses_user_email'] = $valid_user_details['user_email'];
    // note: $_SESSION['is_logged_in'] is not set on this path, although dashboard.php checks it
    header('Location: dashboard.php');exit;
  }else{
    header('location: index.php?action=logout');exit;
  }
}

// Normal login form submission
if(!empty($_POST['submit'])){
  $username = trim($_POST['username']);
  $password = trim($_POST['password']);
  $valid_user_details = check_user_login($username, $password);
  if(count($valid_user_details)>0 && $valid_user_details['user_id'] > 0)
  {
   $_SESSION['ses_user_id'] = $valid_user_details['user_id'];
   $_SESSION['ses_username'] = $valid_user_details['user_name'];
   $_SESSION['ses_user_email'] = $valid_user_details['user_email'];
   $_SESSION['is_logged_in'] = true;
   /* Store COOKIES of duration for 10 years expiry */
   setcookie ("member_login",$_POST["username"],time()+ (10 * 365 * 24 * 60 * 60));
   setcookie ("member_password",$_POST["password"],time()+ (10 * 365 * 24 * 60 * 60));
   header('Location: dashboard.php');exit;
  }else{
   header('location: index.php?action=logout');exit;
  }
}
?>
<body>
 <form class="form-signin" action="" method="post">
  <input type="text" class="form-control" name="username" placeholder="Email Address" required="" autofocus="" />
  <input type="password" class="form-control" name="password" placeholder="Password" required=""/>
  <button class="btn btn-lg btn-primary btn-block" type="submit" name="submit" value="submit">Login</button>
 </form>
</body>

dashboard.php

<?php
// Both the cookie and the session flag must be present to stay on the dashboard
if(empty($_COOKIE["member_login"]) || empty($_SESSION["is_logged_in"])) {
 header('location: index.php?action=logout');exit;
}
echo '<div style="text-align:center;"><h3>Welcome to Dashboard - <b>'.$_SESSION['ses_username'].'</b></h3>';
echo '<span style="font-size:20px;"><a href="logout.php">logout</a></span> </div>';

Anyone out there, please help me out with this. Thanks.

Prasad Patel
  • Have a look at this answer by @Gumbo: https://stackoverflow.com/a/1270960/6124909 – retr0 Nov 19 '18 at 05:36
  • The glaring omission here is the lack of `session_start()`. – Progrock Nov 19 '18 at 10:10
  • I have already started the sessions in my include file, that is the "open-pdo.php" file. – Prasad Patel Nov 19 '18 at 10:15
  • When you say it didn't work, what did you mean? Help us recreate your problem, tell us your expected outcome/s. – Progrock Nov 19 '18 at 12:11
  • It means that even though the cookies still existed in the browser, the session was getting destroyed and redirecting the user to the login page. My expected outcome is: the session has to work until I log out, like a "facebook" user login; if I didn't log out and I try to access its URL, it takes us to the home page. – Prasad Patel Nov 19 '18 at 12:18

2 Answers


It is a bad idea to store the login and password in a cookie, even if they are encrypted. You need to generate some key for each authenticated user. For example, store it in the database (user_id, cookie_key). And then, if the key exists in the cookie, get the user_id from the database via the cookie_key.

Example SQL: create table user_cookie_token (user_id int, cookie_key char(32))

When the user logs in, generate the cookie key: sha1(user_id . time()), then add it to the cookie and store it in the db.

S. Denis
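The "key in the database instead of the password in the cookie" design from the answer above, as an added example that is not the answer's own code. It assumes a PDO connection in `$pdo` and a constructed `user_cookie_token` table whose columns are named in the comment; the cookie carries a random selector plus a random validator, and only a hash of the validator is stored, so a leaked database row does not yield a usable cookie.

```php
<?php
// Added example (not from the answer). Assumed table, constructed for this example:
//   create table user_cookie_token (selector char(24) primary key,
//     validator_hash char(64), user_id int, expires datetime)
// $pdo is an assumed, already-open PDO connection.
const REMEMBER_DAYS = 30;

// Called right after a successful password login.
function issue_remember_token(PDO $pdo, int $userId): void {
    $selector  = bin2hex(random_bytes(12)); // public lookup key, 24 hex chars
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expires   = time() + REMEMBER_DAYS * 86400;
    $stmt = $pdo->prepare('INSERT INTO user_cookie_token
        (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', $expires)]);
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user_id the cookie proves, or null. On a validator mismatch the
// row is deleted, so a stolen selector cannot be used to keep guessing.
function user_from_remember_cookie(PDO $pdo): ?int {
    $raw = $_COOKIE['remember'] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);
    $stmt = $pdo->prepare('SELECT user_id, validator_hash FROM user_cookie_token
        WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        $pdo->prepare('DELETE FROM user_cookie_token WHERE selector = ?')
            ->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Usage in index.php after session_start(): rebuild the session from the token
// and rotate the session id so a pre-login id is not carried over.
$userId = user_from_remember_cookie($pdo);
if ($userId !== null) {
    session_regenerate_id(true);
    $_SESSION['ses_user_id']  = $userId;
    $_SESSION['is_logged_in'] = true;
}
```

On logout, delete the row for the cookie's selector and clear the cookie, so the token cannot be replayed afterwards.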

From https://secure.php.net/manual/en/function.session-set-cookie-params.php

For the code which starts the session, try this...

<?php
if (!empty($_POST['submit'])){
  $username = trim($_POST['username']);
  $password = trim($_POST['password']);
  $valid_user_details = check_user_login($username, $password);

  if (count($valid_user_details) > 0 && $valid_user_details['user_id'] > 0)
  {
       // Session cookie lifetime in seconds; must be set before session_start()
       define ('ONE_YEAR', 60 * 1 * 60 * 24 * 30 * 12);
       session_set_cookie_params(ONE_YEAR * 10);
       session_start();

       $_SESSION['ses_user_id'] = $valid_user_details['user_id'];
       $_SESSION['ses_username'] = $valid_user_details['user_name'];
       $_SESSION['ses_user_email'] = $valid_user_details['user_email'];
       $_SESSION['is_logged_in'] = true;

       header('Location: dashboard.php');
       exit;
  }else{
       header('location: index.php?action=logout');
       exit;
  }
}
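A caveat a practitioner will hit with the approach above, shown as an added example rather than the answer's code: a long cookie lifetime only keeps the cookie in the browser. PHP's session garbage collector still removes the server-side session data after `session.gc_maxlifetime` seconds (1440 by default), after which the browser sends a cookie that no longer matches anything and the user is sent back to the login page. Both values have to be raised together, before `session_start()`, and the cookie should carry the protective flags.

```php
<?php
// Added example, not the answer's code. All calls below must run before
// session_start() and before any output; if the include file already started
// the session, they have no effect on that session.
const TEN_YEARS = 10 * 365 * 24 * 60 * 60;

// Server side: keep the session data as long as the cookie is valid.
ini_set('session.gc_maxlifetime', (string) TEN_YEARS);
// Reject session ids that the server did not create (fixation defence).
ini_set('session.use_strict_mode', '1');

// Client side: cookie lifetime plus Secure/HttpOnly/SameSite flags.
session_set_cookie_params([
    'lifetime' => TEN_YEARS,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// After a successful check_user_login(): rotate the id, then mark the login.
function mark_logged_in(array $user): void {
    session_regenerate_id(true);
    $_SESSION['ses_user_id']   = $user['user_id'];
    $_SESSION['ses_username']  = $user['user_name'];
    $_SESSION['is_logged_in']  = true;
}
```

A session that lives for years is itself a large window for a stolen cookie; the per-user token approach in the first answer, with a shorter session and a revocable remember-me record, limits that exposure.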