Stay logged in using sessions only

Can you spot any glaring issues with this concept?


<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);	// display_errors is an on/off switch, not an error-level mask

ini_set('session.use_only_cookies', 1);
$cookieParams = session_get_cookie_params();

$loggedin=true;
if(isset($_GET['logout'])){
	session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
	session_start();
	session_unset();	//unset($_SESSION['myvar']);
	session_regenerate_id(true);
	session_destroy();
	
	header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
	exit();
	
}elseif(isset($_GET['login'])){
	session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
	session_start();
	$_SESSION['myvar']="Logged in";
	header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
	exit();
	
}else{
	session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
	session_start();
	
	if(isset($_SESSION['myvar'])){
		setcookie(session_name(), session_id(), time()+31536000 , $cookieParams["path"], $cookieParams["domain"], false, true);
	}
	
}

echo session_id()."<br />";

if(isset($_SESSION['myvar'])){
	echo "myvar: ".$_SESSION['myvar']."<br />";
	echo "<a href='?logout=true'>logout</a><br />";
}else{
	echo "<a href='?login=true'>login</a><br />";
}
?>

Other than the title of your thread saying “using sessions only” and then the entirety of the code being cookie based?

$loggedin=true;

Unused variable.

Why are you regenerating the ID of the session a line before destroying it?

What your script actually does is:

  1. If the user is logged in and is not logging out, perpetuate the session by 11 months, 30 days, 4 hours, 40 minutes.
  2. If the user is logged in and is logging out, destroy the session and reload the page; which will then cause it to follow option 3.
  3. If the user is NOT logged in, and is not logging in, create a session which will expire immediately. (which some might say defeats the purpose)
  4. If the user is not logged in and IS logging in, create a session via cookie that will expire in 11 months, 30 days, 4 hours, 40 minutes, and then reload the page, which will cause it to follow option 1.

> StarLion (post 5583221) wrote:
> Other than the title of your thread saying “using sessions only” and then the entirety of the code being cookie based?



It's session cookies, yes, but not standalone cookies, something everyone seems to use as well as...


> Why are you regenerating the ID of the session a line before destroying it?

Because destroying it only clears the session data.


> What your script actually does is:
> 1. If the user is logged in and is not logging out, perpetuate the session by 11 months, 30 days, 4 hours, 40 minutes.
> 2. If the user is logged in and is logging out, destroy the session and reload the page; which will then cause it to follow option 3.
> 3. If the user is NOT logged in, and is not logging in, create a session which will expire immediately. (which some might say defeats the purpose)
> 4. If the user is not logged in and IS logging in, create a session via cookie that will expire in 11 months, 30 days, 4 hours, 40 minutes, and then reload the page, which will cause it to follow option 1.


*3. Zero is used to indicate that the session cookie is destroyed when the browser is closed; remember this is a session cookie, not a standard cookie!


** The unused var is just a remnant (I deleted dev crud as I was posting!)


So, in your opinion there is no security issues with this arrangement?

0 in the lifetime does indeed specify until browser close; in that I was mistaken. (This however is not something different from a cookie. It is a standard cookie, just one that PHP interprets into session matching. “Lifetime” is in fact a rather poor combinatory thing; if you tell a cookie to expire at 0 it does the same thing. Otherwise, PHP sets a cookie with expiry time()+$lifetime.)

> Because destroying it only clears the session data.

And regenerating the ID before killing it does… what, precisely? Creates a new session (which still carries the same data), deletes the old one… and destroys the new one. What’s the difference? Have I missed something?

Security issues? None more than any other implementation of cookie-based login. Your script cleans up the cookie if they log out and then close the browser. Using the Location headers might be a bit unnecessary, really. (And it would actually lock your browser into not being able to go “back” unless you tapped it repeatedly to skip the “login” press.)

Regenerating the id, well, changes the session id. If I wanted to carry on tracking them I wouldn’t give them a new session id, but…

I use header redirects so if the page is refreshed, etc., then it carries nothing with it. In this case the GETs (note that many browsers now hide the GET stuff in the location entry until you click in it! But it’s still there…) (And in a real case I generally wouldn’t be using GET, rather POST.)

Thank you :wink:
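Added example, not code from the thread: the posted script rewritten with the changes a security reviewer would ask for, which also answers the "any security issues?" question above and uses POST, as the last reply says a real version would. Relative to the original it (1) derives the cookie's secure flag from HTTPS instead of passing false in every call, adds SameSite and session.use_strict_mode; (2) calls session_regenerate_id(true) at login, where it defends against session fixation, and not before session_destroy(), where it does nothing useful; (3) expires the cookie and the data at logout the way the PHP manual's session_destroy() example does; (4) keeps its own issued/last_seen timestamps, because a year-long cookie does not stop PHP's garbage collector from deleting the server-side session after session.gc_maxlifetime (1440 s by default); and (5) accepts state changes only via POST with a per-session CSRF token. The check_credentials() stub, the 'demo' credentials and the two lifetime constants are assumptions for the example; it needs PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie().

```php
<?php
// Added example, not code from the thread: the posted login/logout flow with
// the checks a reviewer would ask for. Assumes PHP >= 7.3 (array form of
// session_set_cookie_params/setcookie with 'samesite') and that the
// hypothetical check_credentials() stub is replaced by a real password check.
declare(strict_types=1);

const REMEMBER_LIFETIME = 31536000; // one year, the value used in the original
const IDLE_TIMEOUT      = 1800;     // a login without "remember me" ends after 30 min idle

function check_credentials(string $user, string $pass): bool
{
    // Hypothetical stub; use password_verify() against a stored hash in real code.
    return $user === 'demo' && $pass === 'demo';
}

function cookie_options(): array
{
    // The original passed false for 'secure' in every call, so its session
    // cookie would also travel over plain HTTP.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    return ['path' => '/', 'domain' => '', 'secure' => $https,
            'httponly' => true, 'samesite' => 'Lax'];
}

function end_session(): void
{
    // Wipe the data, expire the browser's copy of the cookie, delete the store.
    // Calling session_regenerate_id() first, as the original did, only creates
    // a second session that is destroyed on the next line.
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 42000] + cookie_options());
    session_destroy();
}

function redirect_to_self(): void
{
    // SCRIPT_NAME carries no user-supplied PATH_INFO, unlike PHP_SELF, and a
    // path-only Location does not echo the Host header back to the client.
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
session_set_cookie_params(['lifetime' => 0] + cookie_options());
session_start();

$_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(16));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // State changes only via POST with a per-session token, so a cross-site
    // link cannot log the user out or in.
    if (!hash_equals($_SESSION['csrf'], (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad token');
    }
    $action = (string)($_POST['action'] ?? '');
    if ($action === 'logout') {
        end_session();
        redirect_to_self();
    }
    if ($action === 'login'
        && check_credentials((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''))) {
        session_regenerate_id(true); // fresh ID on login defeats session fixation
        $_SESSION['user']     = 'demo';
        $_SESSION['remember'] = isset($_POST['remember']);
        $_SESSION['issued']   = $_SESSION['last_seen'] = time();
    }
    redirect_to_self();
}

if (isset($_SESSION['user'])) {
    $now     = time();
    $expired = $_SESSION['remember']
        ? ($now - $_SESSION['issued'] > REMEMBER_LIFETIME)  // absolute cap
        : ($now - $_SESSION['last_seen'] > IDLE_TIMEOUT);   // idle cap
    if ($expired) {
        end_session();
        redirect_to_self();
    }
    $_SESSION['last_seen'] = $now;
    if ($_SESSION['remember']) {
        // Re-send the cookie with a long expiry, as the original did. The cookie
        // alone does not keep the server-side data alive: PHP's garbage
        // collector deletes sessions idle longer than session.gc_maxlifetime
        // (1440 s by default), so "stay logged in using sessions only" also
        // needs a matching gc_maxlifetime, or a separate remember-me token.
        setcookie(session_name(), session_id(),
                  ['expires' => $now + REMEMBER_LIFETIME] + cookie_options());
    }
}

$csrf = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
if (isset($_SESSION['user'])) {
    echo 'user: ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') . '<br />';
    echo "<form method='post'><input type='hidden' name='csrf' value='$csrf'>"
       . "<button name='action' value='logout'>logout</button></form>";
} else {
    echo "<form method='post'><input type='hidden' name='csrf' value='$csrf'>"
       . "<input name='user'> <input name='pass' type='password'> "
       . "<label><input type='checkbox' name='remember'> remember me</label> "
       . "<button name='action' value='login'>login</button></form>";
}
```

Serve it over HTTPS; on a plain-HTTP development box cookie_options() computes secure as false, which is the same exposure the original had everywhere. For a real "stay logged in" you either raise session.gc_maxlifetime to match REMEMBER_LIFETIME (server-wide, and the session store grows accordingly) or, more commonly, issue a separate remember-me token that can re-create a session after the garbage collector has removed the old one.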