What to check if I have cookies
toplisek
11-20-2005, 03:16 PM
I have a simple question, as I have the variables cookname and rememberme.
setcookie('cookname', $_POST['usernamelogin'], time() + 60*60*24*30 );
$cookname = $_POST['cookname'];
and if Remember Me checkbox is checked, it will have value 1:
$rememberme = $_POST['rememberme'];
I need a suggestion for what to check in code if the user decides to be remembered and automatically logged in.
I was thinking of checking his IP address and username in my db. Password is probably a bad idea. Need help.
LiLcRaZyFuZzY
11-20-2005, 03:40 PM
I don't really understand your question..
SpectreReturns
11-20-2005, 05:14 PM
Save his username, hash of password and a hash of their IP, and then read them when he comes back, use the username to get the hashed password, check it against that in the cookie, and then check if their IP is the same as the hashed IP.
toplisek
11-21-2005, 01:38 AM
Hi LiLcRaZyFuZzY and SpectreReturns,
I will be more clear. So, I have a session on each page. On the login page there is an input for Username and Password and a CheckBox for Remember Me.
If the user checks Remember Me, he will be automatically logged in when he comes to the web site.
So, question is what to check if I have variable cookname and rememberme.
I have to mind security issues.
Sheldon
11-21-2005, 01:47 AM
I normally just set the username as a cookie, then if the remember me option is checked, I have this included at the top of every page.
every page include
if(isset($_SESSION['logged']) || $_SESSION['logged'] == 0) { //check to see if we are logged in
    if(isset($_COOKIE['cookname'])){
        $user = $_COOKIE['cookname'];
        //escape the cookie value before it goes into the query
        $sql = "SELECT * FROM artist WHERE username = '" . mysql_real_escape_string($user) . "'";
        $sql = mysql_query($sql);
        $result = mysql_fetch_assoc($sql);
        if($user == $result['username']) {
            $_SESSION['user'] = $result['id'];
            $_SESSION['logged'] = 1;
            $_SESSION['perms'] = $result['perms'];
            $_SESSION['uname'] = $result['username'];
            $_SESSION['email'] = $result['email'];
            $_SESSION['fullname'] = $result['name'];
            //print 'logged in!!';
        } //no matching username
    } //cookies are not set or can't be found
} //not logged in
login.php
$_SESSION['logged'] = 0;
if (isset($_POST['submit'])) {
    //escape the posted username before it goes into the query
    $sql = "SELECT * FROM artist WHERE username = '" . mysql_real_escape_string($_POST['username']) . "'";
    $sql = mysql_query($sql);
    $result = mysql_fetch_assoc($sql);
    if($_POST['username'] == $result['username'] &&
       $_POST['password'] == $result['password']) {
        $_SESSION['user'] = $result['id'];
        $_SESSION['logged'] = 1;
        $_SESSION['perms'] = $result['perms'];
        $_SESSION['uname'] = $result['username'];
        $_SESSION['email'] = $result['email'];
        $_SESSION['fullname'] = $result['name'];
        $_SESSION['password'] = $_POST['password'];
        //checks if we are setting cookies
        if(isset($_POST['remember'])){
            setcookie("cookname", $_SESSION['uname'], time()+60*60*24*100, "/"); //100 days to remember information.
        }
        //Success We are now logged in.
        header("Location: index.php?login=success");
    }
    else {
        //Problem not good at all.
        header("Location: login.php?process=fail");
    }
}
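The every-page include above logs in whoever presents a `cookname` cookie holding a valid username, so the cookie value alone acts as the credential. The following is an added example, not code from any poster in this thread, of a remember-me check built on a random single-use token instead. It assumes PHP 7.1 or later; the function names, the field names and the in-memory `$store` array (standing in for a database table) are hypothetical.

```php
<?php
// Added example, not code from the thread. $store stands in for a database
// table; all function and field names here are hypothetical.
const REMEMBER_TTL = 60 * 60 * 24 * 30; // 30 days, as in the first post

// After a successful password login with "Remember Me" checked.
// Returns the cookie value; the server keeps only a hash of the secret half.
function issue_remember_token(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));  // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret, exists only in the cookie
    $store[$selector] = [
        'validator_hash' => hash('sha256', $validator),
        'user_id'        => $userId,
        'expires'        => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// At the top of each page when there is no logged-in session.
// Returns [userId, replacementCookieValue], or null if the cookie is rejected.
function redeem_remember_token(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null; // malformed value or unknown selector
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]); // single use: a token is spent once presented
    if ($row['expires'] < $now
        || !hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        return null; // expired, or the secret half does not match
    }
    return [$row['user_id'], issue_remember_token($store, $row['user_id'], $now)];
}

// On logout: drop the server-side record as well as the browser cookie.
function revoke_remember_token(array &$store, string $cookie): void
{
    unset($store[explode(':', $cookie, 2)[0]]);
}

// Constructed demo: one valid redemption, then a replay and a bare username.
$store  = [];
$cookie = issue_remember_token($store, 42, time());
var_dump(redeem_remember_token($store, $cookie, time())[0]);
var_dump(redeem_remember_token($store, $cookie, time()));
var_dump(redeem_remember_token($store, 'sheldon', time()));
```

In a real page the returned value is sent with `setcookie()` with the secure and httponly flags set, and the user id from a successful redemption is what populates `$_SESSION`.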
toplisek
11-21-2005, 07:18 AM
I have a question: why is there in the IF code: || $_SESSION['logged'] == 0
That means OR. Because it means logged or not logged, it will go to
$user = $_COOKIE['cookname'];
LiLcRaZyFuZzY
11-21-2005, 08:55 AM
yep, I guess he hung out too long at the pub yesterday
try replacing this:
if(isset($_SESSION['logged']) || $_SESSION['logged'] == 0) {
with:
if(isset($_SESSION['logged']) && $_SESSION['logged'] == 1) {
toplisek
11-21-2005, 09:08 AM
I have this question. If I use
$user = $_COOKIE['cookname'];
and cookname is OK and checked, can I
make SESSION variables also for cookies, e.g.:
$_SESSION['SESSID']= $SESSID;
$_SESSION['SESSusername'] = $_POST['usernamelogin'];
$_SESSION['SESSIP']= $_SERVER['REMOTE_ADDR'];
bokeh
11-21-2005, 09:27 AM
Toplisek, you seem to have the uncanny knack of asking the same question over and over again.
Sheldon
11-21-2005, 02:27 PM
yep, I guess he hung out too long at the pub yesterday
Hey, I only went down and had 3 jugs. That's nothing compared to Sunday. Classic Car day at my local pub, from 9am till 3 am and man was I tired yesterday. Didn't make it to work :)
I'm making a quick site about the day, should put the photos on today (not the space filling ones there now)
http://www.showmycar.co.nz
Toplisek, you seem to have the uncanny knack of asking the same question over and over again.
I agree. Think before posting, and maybe go to php.net and read up a bit first. http://php.net That easy!
LiLcRaZyFuZzY
11-21-2005, 02:52 PM
Or preferably here: http://www.php.net/manual/de/
toplisek
11-23-2005, 02:03 PM
I have tested and tested my script all week and found out the following.
The problem was not in cookies, as I talked about with Bokeh many times.
If I have a cookie in the login page
setcookie('cookname', $_POST['usernamelogin'], time() + 60*60*24*30 );
there should be in the logout page UNDER session_start();
$_COOKIE['cookname']=FALSE;
setcookie('cookname', '', time()-3600);
If I include a file in the logout page and this code, this will not work:
session_start();
//$_SESSION = array(); // destroys session vars
session_unset();
session_destroy();
$_COOKIE['cookname']=FALSE;
setcookie('cookname', '', time()-3600);
So, thanks Bokeh for all replies and do not be angry. I was thinking and thinking why the user is automatically logged in all the time with the code of Sheldon.
The cookie should be reset on the logout page under session start.
This is my conclusion. If I'm right, please tell me.
bokeh
11-23-2005, 03:13 PM
Since, as long as that cookie exists, their status will be logged in, it would be necessary to destroy it if they select log out; otherwise all you would be doing is destroying the session.
toplisek
11-24-2005, 04:52 AM
I have just this question:
If I have session_start(); why is there then session_destroy();
bokeh
11-24-2005, 07:13 AM
Deleting a session is not simply a matter of deleting a cookie from the user's browser. Both the cookie on the browser and the session information on the server need to be deleted.
toplisek
11-24-2005, 09:27 AM
Sheldon has $_SESSION['perms'] = $result['perms']; So, the user has access only to particular pages.
Is it correct to define in the db which permission level each registered user has and then track these permissions with SESSION as Sheldon posted? Or is there another way to track permissions with SESSIONS?
bokeh
11-24-2005, 09:46 AM
Toplisek, one has to spend a lot of time and guesswork trying to follow another person's code, especially when the variables have silly names like cookname (which might actually be handy for a cookery competition website). Try to give your variables proper descriptive names, as this negates the need for those trying to help you to backtrack through the code to work out what the variables might contain. It also means you can post short excerpts of code and others will be able to immediately understand it.
Regarding your question in post #16: You do not need to log someone in as a guest. Since they are unknown the whole exercise is pointless. Either someone chooses to login and then get full access rights or they don't log in and are treated as a guest.