
PHP: User logged in sessions and cookies

Sorry for the newbie question! I'm making a small website that allows users to create their own accounts. It's not a banking system, and it's unlikely that someone would want to hack it. That said, I am trying to make it reasonably secure, as there are plenty of bored script kiddies out there.

Could someone describe a basic workflow for a user logging in and having a cookie set that will keep them logged in for 30 days?

At the moment I have the following:

  1. Validate and sanitize inputted data.
  2. Check supplied credentials against bcrypt hashed password in DB.
  3. If correct then call "Login" function.
  4. Login function:

    a. Delete any session data from DB with userID (table with two columns: SessionString and UserID).
    b. Add new session data to DB (newly generated random string and UserID).
    c. Write random generated string and UserID to cookie.
    d. Set $_SESSION("UserID") with $userID.

But although the two cookies are being created and written to, the $_SESSION("UserID") remains blank... I'm guessing because I can't write to $_SESSION any time I like?

And even once that's fixed, how do I use the data stored in the cookie to log a user in? I'm guessing I don't want to go to the DB on every page load. And it will still require me to create a database object to see if the credentials in the cookie are ok. Is this the right way to do this?

Once again, apologies for the newbie question!


UPDATE:
Yes, I do understand the difference between $_SESSION variables and cookies. I also have session_start() at the top of every page (right after <?php with no blank lines). $_SESSION("UserID") just remains blank.

Here's the code from the top of the page:

<?php
session_start();

if(!isset($_SESSION['initiated'])) {
    session_regenerate_id();
    $_SESSION['initiated'] = true;
} 

Thanks for the help.

Did you write a custom session handler that has your session files stored in the DB? I guess you don't.

If you want to use $_SESSION you also have to call session_start(). When using PHP sessions the cookie to identify the user will be set for you. You will also get session files created in your /tmp directory. That's the location where your variables and anything you assign to $_SESSION will be stored.

Unless you define a custom session handler that manages the location of the session files, you won't need to query your database. Just save the user's credentials in $_SESSION.

See this Tutorial on how to use PHP sessions.

PS: You access arrays like this: $_SESSION["UserID"], not with ().

You might want to look at this article in which I have already discussed various types of session hijacking and how you could avoid them.

Session security in PHP

First off, there is an important difference between a session and a cookie. When you use the $_SESSION[".."] you are creating a session (which lives on the server, compared to a cookie which lives on the client), even though the browser uses a cookie to keep track of the session id. To create a cookie you would use the setcookie() method.

That said, I would recommend you to read through this article which is a step-by-step guide on how to create a secure login script, with persistence using a cookie for a "Remember me" feature. Describing how to do it in detail would be too extensive for an SO answer, I'm afraid.

Side note:

To be able to write to the session, you might have to call session_start(); prior to getting or setting a session variable using $_SESSION[".."].
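A worked version of the login workflow from the question together with the "Remember me" cookie the last answer refers to, written here as an added example (it is not code from the question, the answers, or the linked articles). It assumes PHP 7.3+ for the setcookie() options array, a MySQL table persistent_logins(selector, validator_hash, user_id, expires) and an existing PDO connection $pdo; the function names are hypothetical.

```php
<?php
// Added example, not code from the question or the answers. Assumed table:
// persistent_logins(selector CHAR(24), validator_hash CHAR(64), user_id INT, expires DATETIME)
// and an existing PDO connection $pdo. Function names are hypothetical.
session_start();
const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

function issueRememberCookie(PDO $pdo, int $userId): void {
    // selector = lookup key, validator = secret; only a hash of the validator is
    // stored, so a leaked table cannot be replayed as a cookie
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_DAYS * 86400;
    $pdo->prepare('DELETE FROM persistent_logins WHERE user_id = ?')->execute([$userId]);
    $pdo->prepare('INSERT INTO persistent_logins (selector, validator_hash, user_id, expires)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, date('Y-m-d H:i:s', $expires)]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function login(PDO $pdo, int $userId): void {
    session_regenerate_id(true);     // fresh session id after the privilege change
    $_SESSION['UserID'] = $userId;   // square brackets, not ()
    issueRememberCookie($pdo, $userId);
}

// On later requests: only touch the database when there is no live session.
function restoreFromCookie(PDO $pdo): ?int {
    if (isset($_SESSION['UserID'])) return (int) $_SESSION['UserID'];
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) return null;
    [$selector, $validator] = explode(':', $raw, 2);
    $stmt = $pdo->prepare('SELECT user_id, validator_hash FROM persistent_logins
                           WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals compares in constant time, so the lookup does not leak timing
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) return null;
    session_regenerate_id(true);
    $_SESSION['UserID'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}
```

Call login() after the bcrypt check succeeds, and restoreFromCookie() once at the top of each page; because the cookie holds the raw validator and the table holds only its hash, a cookie cannot be forged from a database dump.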
