Request advice with cookies

IChaps

Hello.

Could I please run a general query past any experienced programmers regarding use of cookies?

I'm currently using a session to pass user id number from one page to another.
I'd like to ask if a cookie would be better.

I'm currently thinking if a user signs in to their account, then I'd like to store their user id for 24 hours, saving them time signing in again.
If the same user re-visits the site within 24 hours, I would like to pull the user id from the cookie and store it in a variable or session.


At present, assuming the user has the correct username & password, and this is the first sign-in within the 24 hours, I've written:-

Code: Select all

//Create cookie
            setcookie("userid", $row['acc_id'], time() + (86400), "/"); // 86400 = 1 day - Acc id direct from the database
}
However the above line produces a blank entry.


And on the homepage, I'd like to toggle the menu, so that if the user has not signed in, then I'd like the menu to display Sign In and Register. Otherwise display a menu with options to go to the dashboard or some other user options.

Code: Select all

<ul class="nav navbar-nav navbar-right">
                        <?php
                            if(!isset($_COOKIE['userid'])) {

//                            if(count($_COOKIE) <1) {
                                echo "<li class='active'><a href='/Guest/signin/logon.html'><i class='fas fa-key'></i>&nbsp;Sign In</a></li>";
                                echo "<li><a href='/register.php'><i class='far fa-registered'></i>&nbsp;Register</a></li>";
                            } else {
                              echo "<li class='dropdown'>";
                                    echo "<a href='#' class='dropdown-toggle' data-toggle='dropdown' role='button' aria-haspopup='true' aria-expanded='false'>  User";
                                        echo "<span class='caret'></span>";
                                    echo "</a>";
                                    echo  "<ul class='dropdown-menu'>";
                                        echo "<li><a href='#'>Nav 1</a></li>";
                                        echo "<li><a href='#'>Nav 2</a></li>";
                                        echo "<li><a href='#'>Nav 3</a></li>";
                                    echo "</ul>";
                                echo "</li>";
                                echo "<li><a href='/user/dashboard.php' class='nav-controller'><i class='fas fa-dashboard'></i>Dashboard</a></li>";
                                echo "<li><a href='/signout.php' class='nav-controller'><i class='fas fa-logout'></i>Signout</a></li>";
                            }
                        ?>
                    </ul>
I can't get the above code to switch menus. Also I'm unsure how to pull the account id from the cookie.

I'd be grateful if an experienced programmer could advise me, or write the code on my behalf.

Thank You.

Michalio
Moderator

You shouldn't use only the userid from the cookie to validate that the user is logged in. What if someone changes the cookie and passes 1 or another lower number as the userid?
A better way is generating and validating some hashes:

Code: Select all

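session_start();
// Server-side secret mixed into every hash; it must never be sent to the client.
define('SECURE_KEY', 'change me to any text and do not show it to anyone');
// Create a per-login seed and a hash that binds the user id to the secret and the seed.
function userhash_generate($userid) {
	$seed = sha1(microtime(true));
	return [
		'seed' => $seed,
		// password_hash() requires the algorithm as its second argument.
		// Note: bcrypt (PASSWORD_DEFAULT) only reads the first 72 bytes of its input.
		'hash' => password_hash($userid.SECURE_KEY.$seed, PASSWORD_DEFAULT),
	];
}
// Return the user id as an int when the cookie values match, false otherwise.
function userhash_validate($userid, $seed, $hash) {
	if (strlen($seed) !== 40) {
		return false;
	}
	if (password_verify($userid.SECURE_KEY.$seed, $hash)) {
		return (int)$userid;
	}
	return false;
}

$_SESSION['userid'] = false;
// The cookie names must match the ones set during login (user_seed, not user_hash_seed).
if (isset($_COOKIE['user_id'], $_COOKIE['user_hash'], $_COOKIE['user_seed'])) {
	$_SESSION['userid'] = userhash_validate($_COOKIE['user_id'], $_COOKIE['user_seed'], $_COOKIE['user_hash']);
	if ($_SESSION['userid'] === false) {
		// Delete the tampered cookies: empty value and an expiry time in the past.
		setcookie("user_id", '', time() - 3600, "/");
		setcookie("user_hash", '', time() - 3600, "/");
		setcookie("user_seed", '', time() - 3600, "/");
	}
}

if ($_SESSION['userid']) {
	echo 'logged in';
} else {
	echo 'please log in';
}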
and during the login:

Code: Select all

$userid = 123;
$hash = userhash_generate($userid);
setcookie("user_id", $userid, time() + (86400), "/");
setcookie("user_hash", $hash['hash'], time() + (86400), "/");
setcookie("user_seed", $hash['seed'], time() + (86400), "/");
So you will be storing the hash, and when the user manually changes the hash, seed or userid, these cookies will be removed and the user logged out.
Free coding lessons: https://php-forum.com/phpforum/viewtopic.php?t=29852
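
A simpler construction for what the reply above aims at, as an added example that is not part of the original thread: one cookie carrying the user id, an expiry time and an HMAC over both, checked with hash_equals(). REMEMBER_KEY, REMEMBER_TTL, remember_issue() and remember_verify() are hypothetical names, and the key and timestamps are constructed demo values.

```php
<?php
// Added example: a single "remember me" cookie authenticated with HMAC-SHA256.
declare(strict_types=1);

// Assumption: in production the key is random and loaded from config outside the web root.
const REMEMBER_KEY = 'constructed-demo-key-replace-with-32-random-bytes';
const REMEMBER_TTL = 86400; // 24 hours, as asked for in the thread

// Build "userid.expires.mac"; the MAC covers both the id and the expiry time.
function remember_issue(int $userId, int $now): string
{
    $payload = $userId . '.' . ($now + REMEMBER_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, REMEMBER_KEY);
}

// Return the user id when the token is authentic and unexpired, otherwise null.
function remember_verify(string $token, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expires, REMEMBER_KEY);
    // hash_equals() compares in constant time, so timing does not leak the MAC.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return ((int)$expires >= $now) ? (int)$userId : null;
}

// Demonstration with constructed values (no HTTP request needed).
$now   = 1700000000;
$token = remember_issue(123, $now);
var_dump(remember_verify($token, $now + 3600));   // untouched token, within 24 hours
$forged = '1' . substr($token, 3);                // user id edited from 123 to 1
var_dump(remember_verify($forged, $now + 3600));
var_dump(remember_verify($token, $now + 90000));  // untouched token, after expiry

// At login the token would be sent with hardened attributes (PHP 7.3+ array form):
// setcookie('remember', $token, ['expires' => time() + REMEMBER_TTL, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

A signed cookie like this cannot be revoked before it expires; where revocation matters, store a random token server-side and look it up instead.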