
Not logging in immediately

Posted: Fri Dec 21, 2012 7:11 am
by FrederickGeek8
In my code I have a form posting to itself. The problem is that when it reloads the page, if I check if the $_SESSION['username'] variable is set, it returns false. After, if I reload the page, then it detects that I am logged in and sends me to a different page. How do I fix this?

Re: Not logging in immediately

Posted: Fri Dec 21, 2012 6:41 pm
by FrederickGeek8
I fixed it.

I had
[syntax=php]if (empty($errors)){
    if (isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1'){
        setcookie('username', $_POST['username'], time() + 604800, '/', 'hostet.me', true, true);
        setcookie('password', sha1($_POST['password']), time() + 604800, '/', 'hostet.me', true, true);
    }

    $_SESSION['username'] = htmlentities($_POST['username']);
}[/syntax]
changed it to
[syntax=php]if (empty($errors)){
    if (isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1'){
        setcookie('username', $_POST['username'], time() + 604800, '/', 'hostet.me', true, true);
        setcookie('password', sha1($_POST['password']), time() + 604800, '/', 'hostet.me', true, true);
    }

    $_SESSION['username'] = htmlentities($_POST['username']);

    header('Location: login.php');
}[/syntax]

Re: Not logging in immediately

Posted: Fri Dec 21, 2012 7:49 pm
by ExtremeGaming
You should really add more security to those cookies. Just a suggestion

Re: Not logging in immediately

Posted: Fri Dec 21, 2012 8:31 pm
by FrederickGeek8
like?

Re: Not logging in immediately

Posted: Fri Dec 21, 2012 9:03 pm
by ExtremeGaming
Cookies are user editable, so you need to first make sure you protect against SQL injection with them. If you have, you then should encode or hash them in some manner so that a user will have a hard time faking them in any way.

Re: Not logging in immediately

Posted: Fri Dec 21, 2012 9:22 pm
by FrederickGeek8
I have HTTP-ONLY set to true, so that helps with JavaScript stealing (but not much). Also everything is controlled by the $_SESSION variable, and when $_SESSION is renewed by $_COOKIE, then it checks the cookies for valid credentials, and then sets $_SESSION with mysql_real_escape_string and htmlentities.

I think this is secure... Correct me if I am wrong

Re: Not logging in immediately

Posted: Fri Dec 21, 2012 10:50 pm
by Helx
I never use cookies, I only ever use sessions.
I just suppose it's just a little bit less I have to worry about :)

Re: Not logging in immediately

Posted: Sat Dec 29, 2012 1:58 am
by jacek
Helx wrote: I never use cookies, I only ever use sessions.
I just suppose it's just a little bit less I have to worry about :)

Me too, you can set the session lifetime really high if you use SQL storage which removes all the advantages cookies have anyway.

Re: Not logging in immediately

Posted: Mon Jan 07, 2013 2:46 pm
by FrederickGeek8
How do I extend session lifetime then?

Re: Not logging in immediately

Posted: Tue Jan 08, 2013 9:24 pm
by Helx
FrederickGeek8 wrote: How do I extend session lifetime then?

I'm not sure you can, but if you're trying to make a 'remember me' button or something, just set a cookie and store a random session id or something in a MySQL DB (and store it in a cookie). If they come back later and don't have any session set from the login, check if they have the cookie set, if they do then check if the cookie's session ID is in the SQL DB somewhere, under their IP. If there is no cookie and no session, show them the login :D

But if the cookie is set and found in SQL, set their username session as if they just logged in :)

Oh, and you should probably never set the user's password in any cookie or any session for whatever reason. It's not needed for anything and is just a security hazard and waste of time. :P
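
The "remember me" flow described in the last post, written out as an added example that is not code from any poster in this thread. The `remember_tokens` table, the `remember` cookie and all function names are hypothetical; it assumes PDO with exceptions enabled, stores only a SHA-256 of the random token rather than the token itself, and leaves out the IP check mentioned above.

```php
<?php
// Added example; table, cookie and function names are hypothetical. Needs PHP 7.3+.
// Assumed table: remember_tokens(selector PRIMARY KEY, token_hash, username, expires)
const REMEMBER_TTL = 604800; // 7 days, the lifetime used for the cookies in the thread

function issue_remember_token(PDO $db, string $username): string
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret; only its SHA-256 is stored
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, username, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $username, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Returns the username for a valid cookie value, or null. Each token works once.
function redeem_remember_token(PDO $db, $cookie): ?string
{
    $parts = is_string($cookie) ? explode(':', $cookie, 2) : [];
    if (count($parts) !== 2) {
        return null;
    }
    $stmt = $db->prepare('SELECT token_hash, username, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Delete on every lookup so a guessed or replayed value cannot be retried.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    $valid = (int) $row['expires'] >= time()
        && hash_equals($row['token_hash'], hash('sha256', $parts[1]));
    return $valid ? $row['username'] : null;
}

// Call after session_start() when $_SESSION['username'] is not set.
function restore_login(PDO $db): void
{
    $user = redeem_remember_token($db, $_COOKIE['remember'] ?? '');
    if ($user === null) {
        return;
    }
    session_regenerate_id(true);           // fresh session id for the restored login
    $_SESSION['username'] = $user;
    setcookie('remember', issue_remember_token($db, $user), [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}
```

At login with the "remember me" box ticked, the same `setcookie` call is made with a fresh `issue_remember_token()` value in place of the username and password cookies.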