
Using Session and Cookie together for authentication (with code)

Here is my note about using Session and Cookie together for authentication.

The steps are as follows:

1, Create a folder to store the Session files (here called session_save_dir). By default, Session files are stored in the system's temporary folder.

2, When a user submits a username and password, the server checks whether they match the information stored in the database. If they match, set this user's Session flag to true.

The code is as follows:

  // Set $time to a year from now; it is used as the lifetime of the Session cookie.
  $time = time() + 3600 * 24 * 365;
  // Set the folder that stores the Session files ($session_save_dir holds the path of the folder created in step 1)
  session_save_path($session_save_dir);
  // Start the Session
  session_start();
  // Use a Cookie to store the Session ID together with its lifetime
  setcookie(session_name(), session_id(), $time, "/");
  // If the information submitted by the user matches the information on the server side, the username variable is set to true
  $_SESSION["username"] = true;

Note: session_set_cookie_params() is the function for storing the Session ID and lifetime in a Cookie, but it is said not to work well on IE 6.0, so it's better to use setcookie().
  
   If the lifetime of the Session isn't set, the Session ID is only kept in memory (the cookie is not written to disk), so when the browser is closed a new ID has to be registered. This is why it's good to use Session and Cookie together for authentication.

   Now open the folder session_save_dir: a file named like sess_latp6c8mojr4ld05v7si03re45 can be seen. The last part of the filename is the Session ID, a random string after 32-bit encoding. Opening this file with Notepad shows: username|b:1;

   If the username is replaced with numbers, i.e. $_SESSION["123"], the Session file will be empty, which is what I found.

3, Cancel this user’s Session:

   // $session_save_dir holds the path of the folder created in step 1
   session_save_path($session_save_dir);
   session_start();
   // Cancel the username variable
   unset($_SESSION["username"]);
   // Cancel the Session file
   session_destroy();

Note: The user's own information can be deleted from the Session file, or the value of the related variable can be changed.

4, Check the user's authorization:

// $session_save_dir holds the path of the folder created in step 1
session_save_path($session_save_dir);
session_start();

// The flag set at login in step 2 lives under the key "username"
if (isset($_SESSION["username"]) && $_SESSION["username"] === true) {
  echo "your code";
} else {
  echo "you have no right to access it";
}
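As an added example (not code from the post), here are steps 1 to 4 gathered into one script. The constant SESSION_SAVE_DIR, the demo user alice with her password, the lookup_password_hash() stand-in for the database and the action parameter are all assumptions; the session folder must exist, be writable by the web server and sit outside the document root.

```php
<?php
// Added example (not the post's own code): steps 1 to 4 of the post in one
// script. The session folder path and the demo user are assumptions.
const SESSION_SAVE_DIR = '/var/lib/php/session_save_dir'; // assumed path of the folder from step 1
const COOKIE_LIFETIME  = 3600 * 24 * 365;                 // one year, as in the post

// Constructed stand-in for the database of step 2: username => password hash.
// In a real application this row is fetched from the database.
function lookup_password_hash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

// Step 2: verify the credentials, then mark the Session as authenticated.
function login(string $username, string $password): bool
{
    $hash = lookup_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_save_path(SESSION_SAVE_DIR);
    session_start();
    // Issue a fresh ID at login so an ID handed out before login is not kept (session fixation).
    session_regenerate_id(true);
    // Cookie holding the Session ID and its lifetime, as in the post; the two trailing
    // arguments (secure, httponly) keep it HTTPS-only and out of reach of page scripts.
    setcookie(session_name(), session_id(), time() + COOKIE_LIFETIME, '/', '', true, true);
    $_SESSION['username'] = true;
    return true;
}

// Step 3: cancel the Session on the server and expire the cookie on the client.
function logout(): void
{
    session_save_path(SESSION_SAVE_DIR);
    session_start();
    unset($_SESSION['username']);
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}

// Step 4: the authorization check used by protected pages.
function is_authenticated(): bool
{
    session_save_path(SESSION_SAVE_DIR);
    session_start();
    return isset($_SESSION['username']) && $_SESSION['username'] === true;
}

// One request performs one action, so session_start() runs once per request.
$action = $_GET['action'] ?? 'check';
switch ($action) {
    case 'login':
        $ok = login((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
        echo $ok ? 'logged in' : 'wrong username or password';
        break;
    case 'logout':
        logout();
        echo 'logged out';
        break;
    default:
        echo is_authenticated() ? 'your code' : 'you have no right to access it';
}
```

Compared with the post's snippets, the password is compared through password_verify() against a stored hash rather than as plain text, the cookie is sent with the secure and httponly flags, the Session ID is regenerated at login, and logout also expires the cookie on the client so the browser stops sending the old ID.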

Session vs. Cookie

The Session files are stored on the server, while the file that stores the Cookie is on the client. So it's not safe to use the Cookie alone for authentication, since the Cookie file can be changed by the user, whereas the Session files on the server can't be. If the folder holding the Session files is configured so that it can't be accessed through the web, it is safer still.

Anyway, Session can't replace Cookie: the Cookie is what stores the Session ID and its lifetime. Using Session and Cookie together for authentication works very well.
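To make the comparison above concrete, here is an added example (not from the post) that puts a check trusting a client-side cookie flag next to one consulting the server-side Session, and adds a small check that the Session folder is not inside the web root. The cookie name logged_in, the paths and the constructed inputs are assumptions.

```php
<?php
// Added example, not the post's own code. Two ways of deciding whether a request
// is authenticated, plus a check on where the Session files live.

// UNSAFE: the cookie is stored on the client, so its value proves nothing;
// whoever holds the browser decides what it says.
function is_authenticated_by_cookie(array $cookie): bool
{
    return isset($cookie['logged_in']) && $cookie['logged_in'] === '1';
}

// SAFE: the Session file is stored on the server; the client only holds the ID,
// and the flag is set by the server at login (step 2 of the post).
function is_authenticated_by_session(array $session): bool
{
    return isset($session['username']) && $session['username'] === true;
}

// Session files placed under the document root could be served over HTTP if the
// web server is not configured to deny them; refuse such a path up front.
function session_dir_is_outside_webroot(string $session_dir, string $document_root): bool
{
    $dir  = rtrim(str_replace('\\', '/', $session_dir), '/') . '/';
    $root = rtrim(str_replace('\\', '/', $document_root), '/') . '/';
    return strpos($dir, $root) !== 0;
}

// Constructed inputs standing in for $_COOKIE and $_SESSION (assumptions):
$client_cookie = ['logged_in' => '1'];  // a value the client chose on its own
$server_session = [];                   // the server has no record of a login

// The cookie-based check accepts the client's claim; the session-based check
// sees no login on the server and denies access.
var_dump(is_authenticated_by_cookie($client_cookie));
var_dump(is_authenticated_by_session($server_session));

// A folder inside the web root is rejected, one outside it is accepted.
var_dump(session_dir_is_outside_webroot('/var/www/html/sessions', '/var/www/html'));
var_dump(session_dir_is_outside_webroot('/var/lib/php/sessions', '/var/www/html'));
```

The two authentication functions take plain arrays so the difference is visible without a running web server; in a real page they would be given $_COOKIE and $_SESSION. The folder check is a plain prefix comparison on normalized paths, so run it on the value you pass to session_save_path() at startup and fail loudly rather than serving pages.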

The next blog is my note about using Session and Cookie together for authentication.