Home arrow PHP arrow Page 3 - User identification using cookies in PHP/MySQL
PHP

User identification using cookies in PHP/MySQL


What is a cookie and how do we use them in PHP? If you can not answer this question, you should definitely have a read through this article.

Author Info:
By: Vladmir Krstulja
Rating: 5 stars5 stars5 stars5 stars5 stars / 79
March 28, 2003
TABLE OF CONTENTS:
  1. · User identification using cookies in PHP/MySQL
  2. · The Article
  3. · Common Pitfalls and Conclusion

print this article
SEARCH DEVARTICLES

User identification using cookies in PHP/MySQL - Common Pitfalls and Conclusion
(Page 3 of 3 )

Naturally, using cookies is not the safest method to protect your pages, since there are pitfalls. Here are some:

  • Cookies are not visible to your pages until first reload after you set it
  • Cookies must be deleted with same parameters as they were set with
  • Cookies can be stolen, their values read, since they are ASCII files
  • Cookies can be stored on proxy servers and thus exposed externally to userís computer
  • Not a safest method if user does access your pages through a public computer
  • In case user does not logout, cookie remains on his computer until it expires

But, since we are not passing usernames/passwords to cookies, no one can read them and try to login. Using logcodes we ensure somewhat unique identification of your users, and since logcodes are renewed upon each access to your protected pages, it makes it difficult to be stolen, since the thief must steal the cookie, read the value, setup a cookie on his own machine and access your pages, all within the timeframe between two clicks of your real user, or within the timeframe of his idle time.

In case of increased security is required, consider making a javascript that will reload your pages each n seconds and set cookie expiration time to that number of seconds. This will ensure that even if the user is idle, each n seconds his logcode is renewed. The smaller amount of time between two reloads, the more secure the access is. Also, you can combine this method with session-based user id and pass session ID within the cookie too, ensuring cookie cannot be stolen.

Actually, we consider cookie-based user identification to be very secure, except if accessed from a public computer, but a proper logout fixes the problem. Force your users to return and logout if their connections are broken.

Also, you can setup a javascript event handler that calls logout.php when the browser is closed, or removes the cookie manually. But, removing the cookie with javascript exposes your cookie name and parameters in your pageís sourcecode, so keep that in mind. By setting cookie names to some difficult-to-guess names can be an additional boost up to your security.


DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

blog comments powered by Disqus
PHP ARTICLES

- Removing Singletons in PHP
- Singletons in PHP
- Implement Facebook Javascript SDK with PHP
- Making Usage Statistics in PHP
- Installing PHP under Windows: Further Config...
- File Version Management in PHP
- Statistical View of Data in a Clustered Bar ...
- Creating a Multi-File Upload Script in PHP
- Executing Microsoft SQL Server Stored Proced...
- Code 10x More Efficiently Using Data Access ...
- A Few Tips for Speeding Up PHP Code
- The Modular Web Page
- Quick E-Commerce with PHP and PayPal
- Regression Testing With JMeter
- Building an Iterator with PHP

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
 
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 
Support 

Developer Shed Affiliates

 




© 2003-2017 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials