BetterPHP

In my code I have a form posting to itself. The problem is, is that when it reloads the page, if I check if the $_SESSION['username'] variable is set, it returns false. After, if I reload the page, then it detects that I am logged in and send me to a different page. How do I fix this?

I fixed it.

I had
[syntax=php]if (empty($errors)){
if (isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1'){
setcookie('username', $_POST['username'], time() + 604800, '/', 'hostet.me', true, true);
setcookie('password', sha1($_POST['password']), time() + 604800, '/', 'hostet.me', true, true);
}

$_SESSION['username'] = htmlentities($_POST['username']);
}[/syntax]
changed it to
[syntax=php]if (empty($errors)){
if (isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1'){
setcookie('username', $_POST['username'], time() + 604800, '/', 'hostet.me', true, true);
setcookie('password', sha1($_POST['password']), time() + 604800, '/', 'hostet.me', true, true);
}

$_SESSION['username'] = htmlentities($_POST['username']);

header('Location: login.php');
}[/syntax]

You should really add more security to those cookies. Just a suggestion

like?

Cookies are user editable, so you need to first make sure you protect against sql injection with them. If you have, you then should encode or hash them in some manner so that a user will have a hard time faking them in any way.

I have HTTP-ONLY set to true, so that helps with Javascript stealing (but not much). Also everything is controlled by $_SESSION variable, and when $_SESSION is renewed by $_COOKIE, then it checks the cookies for valid credentials, and then sets $_SESSION with mysql_real_escape_string and htmlentities.

I think this is secure... Correct me if I am wrong

I never use cookies, I only ever use sessions.
I just suppose it's just a little bit less I have to worry about

Helx wrote:I never use cookies, I only ever use sessions.
I just suppose it's just a little bit less I have to worry about

Me too, you can set the session lifetime really high if you use SQL storage which removes all the advantages cookies have anyway.

How do I extend session lifetime then?

FrederickGeek8 wrote:How do I extend session lifetime then?

I'm not sure you can, but if you're trying to make a 'remember me' button or something, just set a cookie and store a random session id or something in a MySQL DB (and store it in a cookie). If they come back later and don't have any session set from the login, check if they have the cookie set, if they do then check if the cookie's session ID is in the SQL DB somewhere, under their IP. If there is no cookie and no session, show them the login

But if the cookie is set and found in SQL, set their username session as if they just logged in

Oh, and you should probably never set the users password in any cookie or any session for whatever reason. It's not needed for anything and is just a security hazard and waste of time.