Posted by Gleep on 01/14/07 21:02
On Sat, 13 Jan 2007 22:07:00 +0000, raj <raj@nospam.com> wrote:
>Hi,
>
>How are sites built so that once a website has been left (either by logging
>out or by just moving out of the domain), that a login becomes necessary
>again once the site is revisited (either by back button, history or
>revisiting the site)?
>
>Thank you in advance.
>
>Kind regards,
>
>Raj (Newbie)

This can be done with cookies, but you need to set the cookies in a certain way. When a user
submits username and password I check it, then if it is valid I set the cookie:
setcookie ("validUser", "$validUser", 0, "/", false);
The key is the 0, which means the cookie will remain while the user has web pages open to the site.
Once the browser connection is closed the cookie disappears.

Secondly, if a user selects the logout option then I do this:
setcookie("validUser", '-1', time() - 3600, "/", false);
This negative time destroys a set cookie with the same name. Also, I use the -1 as another
internal tool: if a user has a cookie set to -1 I send them to a logout page.

I use this method where a user will remain a long time on a web site. If you expect a user to spend
a short time on a web site, sessions would be a better alternative. I use the cookie method because
I've had trouble with the sessions automatically timing out inadvertently, and certain browsers for
unknown reasons also cancel out sessions. It's frustrating when users are filling out a long form
and they submit only to find out their session timed out and they have to log back in and start over
again. I don't have that problem with cookies.

However, cookies are less secure. If a user has some programming experience he could determine the
name of a cookie and reset it manually with another userID and, when going back to the site, be logged
in to another account. So what I do to prevent this is to set a variable called cookieCode. When
a user creates a new account I have a field called cookieCode that is generated as a random
alphanumeric string with this range of characters: 0-9a-zA-Z. 10+26+26, that's 62 possible
characters, and my string is 12 long, so that's 62 to the 12th power, which is a giant number, and the
chances of someone randomly guessing another user's cookieCode are very slim.

When a user has a set cookie I take that variable and match it against the field. If there is a
result then I know it's a valid cookie and they can get in.

Note you don't have to set just one cookie. You can set a userID cookie and a confirm code cookie. So
if a user logs in they are validated, and once the validated cookie is set you can allow them into the
pages but do not have to run a validation query on every page.
Hope this helps
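
The cookieCode check described in the post above, as an added example that is not part of the original post: a 12-character code over 0-9a-zA-Z drawn from PHP's CSPRNG, sent alongside the userID in session-lifetime cookies, and accepted only when it matches the code stored for that same user. Assumptions: PHP 7.3+ (options-array form of setcookie), the function names and the in-memory user array are hypothetical, and tying the code to the claimed userID is this example's choice.

```php
<?php
// Added example, not code from the original post. Names other than
// validUser / cookieCode (function names, the user store) are hypothetical.

const ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// 12 characters over 62 symbols (62^12 possibilities), drawn from the
// CSPRNG via random_int() rather than rand()/mt_rand().
function newCookieCode(int $length = 12): string
{
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)];
    }
    return $code;
}

// Session-lifetime cookies (expires = 0), as in the post. HttpOnly keeps
// the values away from page scripts. Call after the password check and
// before any output is sent.
function sendLoginCookies(string $userId, string $code): void
{
    $opts = ['expires' => 0, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax'];
    setcookie('validUser', $userId, $opts);
    setcookie('cookieCode', $code, $opts);
}

// Accept only when the code matches the one stored for the claimed user.
// Missing or non-string cookie values (e.g. array-style cookies) are rejected.
function cookiesAreValid(array $cookies, array $users): bool
{
    $userId = $cookies['validUser'] ?? null;
    $code   = $cookies['cookieCode'] ?? null;
    if (!is_string($userId) || !is_string($code) || !isset($users[$userId])) {
        return false;
    }
    return hash_equals($users[$userId], $code); // constant-time comparison
}

// Constructed data: an in-memory array stands in for the accounts table.
$users = ['1001' => newCookieCode(), '1002' => newCookieCode()];

$honest   = ['validUser' => '1001', 'cookieCode' => $users['1001']];
$tampered = ['validUser' => '1002', 'cookieCode' => $users['1001']]; // userID edited by hand
$loggedOut = ['validUser' => '-1'];                                   // the post's logout marker

var_dump(cookiesAreValid($honest, $users));
var_dump(cookiesAreValid($tampered, $users));
var_dump(cookiesAreValid($loggedOut, $users));
```

In a real page `$cookies` would be `$_COOKIE` and `$users` a lookup against the cookieCode field of the accounts table.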