First off, most importantly, at login you should be generating a new session ID, not reusing one that is stored in your database. The point where the user logs in should be used to start all session properties fresh. As droopsnoot said, you should be storing a hash of the password, not the password itself; this is a fundamental, basic security procedure, not people's esoteric opinions.
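<?php
//require('Cookie.php'); //Not sure what's in here
require('User.php'); //The users table holds password_hash() output in pwhash, never the password itself
//require('DbConnection.php'); //Can't tell what's in here

// All session.* settings must be in place BEFORE session_start(); they only govern the PHP session cookie.
ini_set('session.cookie_lifetime', 0); //Pick your time here (0 = until the browser closes)
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.use_strict_mode', 1); //Refuse client-supplied IDs the server never issued (session fixation)
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1); //Cookie is only sent over HTTPS
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.use_trans_sid', 0);
ini_set('session.hash_function', 'sha512'); //Removed in PHP 7.1; ignored on current runtimes, harmless
ini_set('session.sid_length', '64');

// session_destroy() before session_start() has no session to destroy and only emits a warning.
// The correct way to "start fresh" at login is to open the session and then rotate its ID,
// deleting the old session data so an ID the client arrived with is never continued.
session_start();
session_regenerate_id(true);

// Application-level token that is stored in the database and looked up on later pages.
// 32 random bytes already carry 256 bits of entropy; hashing and base64-slicing them, as the
// original did, can only discard entropy. bin2hex() gives 64 characters, the same column width.
$sid = bin2hex(random_bytes(32));

$obj = new stdClass();
$obj->dateread = date("D M j G:i:s T Y");
$obj->message = '';
$obj->error = '';

// Read the credentials without @-suppression; a missing or non-string field is rejected outright.
$login = $_POST['login'] ?? '';
if (!is_string($login) || $login === '') {
    echo '<p>No login was entered.</p>';
    exit;
}
$pass = $_POST['pass'] ?? '';
if (!is_string($pass) || $pass === '') {
    echo '<p>No pass was entered.</p>';
    exit;
}

$user = new User($login, $pass); //do not store the password in this object, only store the hash

$db = new mysqli('localhost', $dbuser, $userpw, $database);
if (mysqli_connect_errno()) {
    echo 'Error: Could not connect to database.';
    $obj->error = $obj->error . 'Could not connect to database. ' . __FILE__ . __LINE__;
    error_log(json_encode($obj));
    exit;
} else {
    $obj->message = $obj->message . 'Successfully connected to database. ';
}

// Step 1: look the account up by login only. A salted password_hash() value is different on
// every call, so "WHERE pwhash = ?" can never match; the check has to be password_verify().
$stmt = $db->prepare('SELECT pwhash FROM users WHERE login = ?');
if ($stmt === false) {
    $obj->error = $obj->error . 'Could not prepare statement. ' . __FILE__ . __LINE__;
    error_log(json_encode($obj) . ' ' . $db->error); // driver detail goes to the log, not the client
    echo json_encode(array('islogin' => false));
    exit;
}
$stmt->bind_param('s', $login);
if (!$stmt->execute()) {
    $obj->error = $obj->error . 'Could not execute statement. ' . __FILE__ . __LINE__;
    error_log(json_encode($obj) . ' ' . $stmt->error);
    echo json_encode(array('islogin' => false));
    exit;
}
$stmt->bind_result($storedHash);
$found = $stmt->fetch();
$stmt->close();

// Same response for "unknown login" and "wrong password" so the reply does not reveal which
// logins exist. (Timing still differs slightly because password_verify() is skipped when no
// row is found; verifying against a dummy hash in that branch would close that gap.)
if ($found !== true || !password_verify($pass, (string) $storedHash)) {
    echo json_encode(array('islogin' => false));
    exit;
}

// Step 2: the credentials are good; bind the new token to the account.
$stmt = $db->prepare('UPDATE users SET sessid = ? WHERE login = ?');
if ($stmt === false) {
    $obj->error = $obj->error . 'Could not prepare statement. ' . __FILE__ . __LINE__;
    error_log(json_encode($obj) . ' ' . $db->error);
    echo json_encode(array('islogin' => false));
    exit;
}
$stmt->bind_param('ss', $sid, $login);
if (!$stmt->execute()) {
    $obj->error = $obj->error . 'Could not execute statement. ' . __FILE__ . __LINE__;
    error_log(json_encode($obj) . ' ' . $stmt->error);
    echo json_encode(array('islogin' => false));
    exit;
}
$affected = $stmt->affected_rows;
$stmt->close();

if ($affected === 1) {
    // Only an authenticated request gets the token placed in the session; the original set it
    // unconditionally, so any POST to this script passed the isset() check on later pages.
    $_SESSION['sessionID'] = $sid;
    echo json_encode(array('islogin' => true)); //or whatever else you might do here
} else {
    echo json_encode(array('islogin' => false));
    exit;
}
$db->close();
?>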
Then, on subsequent pages, while the user is logged in:
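<?php
session_start();

// Only a session that went through a successful login carries this token; anything else is
// treated as logged out before touching the database.
if (!isset($_SESSION['sessionID']) || !is_string($_SESSION['sessionID'])) {
    echo 'You are not logged in. Please <a href="https://yousite.com/logout.php">click here</a>.';
    exit;
}
$sid = $_SESSION['sessionID'];

require('User.php');
//require('DbConnection.php'); //Still don't know what's here
$user = new User;

$obj = new stdClass();
$obj->dateread = date("D M j G:i:s T Y");
$obj->message = '';
$obj->error = '';

$db = new mysqli('localhost', $dbuser, $userpw, $database);
if (mysqli_connect_errno()) {
    echo 'Error: Could not connect to database.';
    $obj->error = $obj->error . 'Could not connect to database. ' . __FILE__ . __LINE__;
    error_log(json_encode($obj));
    exit;
} else {
    $obj->message = $obj->message . 'Successfully connected to database. ';
}

// The token from the session is the only lookup key; it is bound as a parameter, never interpolated.
$stmt = $db->prepare('SELECT email, phone, whatever FROM users WHERE sessid = ?');
if ($stmt === false) {
    $obj->error = 'Error: Could not prepare query. ';
    echo json_encode($obj);
    error_log(json_encode($obj) . ' ' . $db->error); // driver detail is logged, not returned
    exit;
}
$stmt->bind_param('s', $sid);

// execute() reports statement failures. mysqli_connect_errno() only reflects the connect call,
// so checking it after the query (as the original did) could never catch a failed query.
if (!$stmt->execute()) {
    $obj->error = 'Error: Could not query database. ';
    echo json_encode($obj);
    error_log(json_encode($obj) . ' ' . $stmt->error);
    exit;
}
$stmt->store_result();
$stmt->bind_result($email, $phone, $whatever);

if ($stmt->num_rows == 1) {
    echo json_encode(array('islogin' => true)); //or whatever else you might do beside this
    while ($stmt->fetch()) {
        $user->setEmail($email);
        $user->setPhone($phone);
        $user->setWhatever($whatever);
    }
} elseif ($stmt->num_rows == 0) {
    // Token is in the PHP session but not in the database (logged out elsewhere, or never bound).
    $obj->message = $obj->message . 'Session not found. ';
    echo json_encode(array('islogin' => false));
} else {
    // sessid should be unique per account; more than one row means the data, not the request, is wrong.
    $obj->error = 'Database Error: Sessions not 1 or 0. ';
    echo json_encode($obj);
    error_log(json_encode($obj));
    exit;
}
$stmt->close();
$db->close();
?>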