Is it good to use multiple cookies?

18 replies to this topic

#1
Csabi

I'm creating a website where the registered users can customize the look of the website (e.g. the background color, the font size, the order of items in the sidebar, and other stuff like this).

My problem is that each time the user visits another page I need to read all this data from a mysql table again and again. If the user visits 100 pages I would need to make 100 queries.

My idea is to create a cookie for each setting when the user logs in and in this way I would read the data from the mysql table only if the cookies are not available.

Is this a good idea, or will the cookies slow down the server more than the 100 queries?

#2
WingedPanther

If you can encode all this in a single cookie, then it might work. The trick is this: if someone is miles away from your website, will it take longer to transmit the cookie, or to query the database on the LAN?
Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

#3
Csabi

Now I'm using only 3 cookies to store the user id, username and user password.
Should I avoid using cookies at all?
What would be a good solution instead for logging in the users?

#4
WingedPanther

I would absolutely NOT store a password in a cookie. Those are transmitted unencrypted unless you are always using a secure connection.

#5
Csabi

The password is in md5.

But my question is: should I not use cookies at all?

#6
WingedPanther

I'm not saying you shouldn't use cookies at all. However, you may want to look at a mixture of cookies, session variables, and database access.

#7
Orjan

I'd recommend to only use cookies through a session and store everything in the session instead.
(A session is a cookie with a validating value so the system can find the data stored in it again when the user browses back; all values stored in it are stored on the server.)
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#8
Alexander

I am very much in agreement with Örjan. All the data could be stored on a temporary file in the server, and the only cookie required for persistence of this data would be a cookie containing a session key. This session key can grant access to persistent logins.

MD5 is deemed insecure and there exists since 2009 an attack that can successfully find the plaintext in less than a few seconds (2^20.96 time complexity, ignoring rainbow tables).

I would recommend you do not ever store a representation of their password in a cookie. This would be considered an application flaw.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#9
Csabi

Now my login script looks like this.
After I check if there is any user in the mysql table with the inputted password and username:
setcookie('uid',$result['id'],$expire,'/');

setcookie('username',$_POST['login-username'],$expire,'/');

setcookie('password',md5($_POST['login-password']),$expire,'/');

How should I edit the code to use cookies with sessions?
And when the user makes changes to the settings, my website checks the password again; will this be possible using sessions, too?
Thanks

#10
Alexander

You may use the function session_start() before any content is sent to initiate a session. This will either

  • Start a new session, in case one has not started before or their previous session has expired
  • Initiate a previous session, in the case they have a valid session ID that has not expired
You can access these temporary session variables through the $_SESSION superglobal array much like $_GET or $_POST, which will be stored temporarily on the server for a usually predetermined amount of time unless they destroy the session.

With this - They will only need to authenticate once, and as long as the session is valid they are considered logged in and do not need the password to be stored anywhere.

i.e.

Page1.php:
session_start();
if( /* username and password is valid */ ) {
  $_SESSION['is_authenticated'] = true;
  $_SESSION['username'] = $_POST['username'];
}

Page2.php, on later request:
session_start();

if(isset($_SESSION['is_authenticated'])) {
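  // Escape the stored username before output so any markup in it is not rendered
  echo "Welcome " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . "!";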
} else {
  echo "You are not logged in.";
}
This is an extremely simple example, showing that you need session_start() on each page that will access the session. You would be wise to follow some tutorials relating to the security on sessions and how to better use them, including logging out.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
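An added example, not code from any poster in this thread: the three-cookie login from post #9 rewritten so that only the session id travels in a cookie, plus the password re-check on a settings change that post #9 asks about. It assumes session_start() has already been called, a PDO handle, and a hypothetical `users` table with `id`, `username` and `password_hash` columns, where the hash was produced by password_hash() rather than md5(); the function names are illustrative.

```php
<?php
// Assumed schema (hypothetical): users(id, username, password_hash),
// with password_hash created by password_hash($password, PASSWORD_DEFAULT).

// Returns the user row when the credentials match, otherwise null.
function find_user(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    return $user;
}

// Login: nothing about the password is sent back to the browser.
function log_in(PDO $db, string $username, string $password): bool
{
    $user = find_user($db, $username, $password);
    if ($user === null) {
        return false;
    }

    // Issue a fresh session id at the privilege change so an id that was
    // planted or observed before login is useless afterwards.
    session_regenerate_id(true);

    // Store the database values, not the raw POST data.
    $_SESSION['uid'] = (int) $user['id'];
    $_SESSION['username'] = $user['username'];
    return true;
}

// Settings change: the user types the current password again and it is
// verified against the database, using the username held in the session.
function confirm_password(PDO $db, string $password): bool
{
    return isset($_SESSION['username'])
        && find_user($db, $_SESSION['username'], $password) !== null;
}
```

A page then treats the visitor as logged in when `isset($_SESSION['uid'])` is true, and a settings form calls `confirm_password()` with the submitted password before saving.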

#11
Csabi

Thanks, I have one more question.

I may be wrong but I know that the sessions are destroyed when the user leaves the website, but I would need a login script that remembers the user for a very long period, at least 1 month.

#12
Orjan

You can alter the session cookie's persistence rather easily.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall
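One way to get the month-long login asked for in post #11 by changing the session cookie's persistence, as an added example that is not code from the thread. It assumes PHP 7.3 or later (array form of the cookie options) and an HTTPS site; `REMEMBER_SECONDS`, `start_month_long_session()` and `log_out()` are names chosen here.

```php
<?php
const REMEMBER_SECONDS = 30 * 24 * 60 * 60;   // 30 days

function start_month_long_session(): void
{
    // Server side: keep session data at least as long as the cookie lives,
    // otherwise garbage collection deletes it and the user is logged out anyway.
    // If other applications share the same session save path with a shorter
    // lifetime, their garbage collection can still remove these files.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue

    // Client side: the default lifetime of 0 drops the cookie when the browser closes.
    session_set_cookie_params([
        'lifetime' => REMEMBER_SECONDS,
        'path'     => '/',
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout enforced in application code, independent of GC timing.
    $now = time();
    if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > REMEMBER_SECONDS) {
        session_unset();
        session_destroy();
        session_start();       // continue with an empty session
    }
    $_SESSION['last_seen'] = $now;
}

function log_out(): void
{
    // Clear the server-side data and expire the cookie in the browser.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Call `start_month_long_session()` in place of a bare `session_start()` on every page. A session id that stays valid for a month is a long-lived credential, so the `secure` and `httponly` flags and a working logout matter more here than with a browser-session cookie.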



