Secure pages Sessions vs. Cookies & session_destroy() help
Posted on
16th Feb 2014 07:03 pm by
admin
Im new here and new to PHP, I hope you can help me with some questions.
Im writing my web app, and i have login screen where user enters his username and passoword, then I check im MySQL database is it ok, and if its ok and user exists, I send him to protected pages, i have 3 protected pages that only registred users can acess.
Now the problem is I dont know should I use Sessions or Cookies to check if user is loged in? Cookies are cool and simple but I dont know how to encrypt them so anyone can see them. What is the best method to encrypt cookie?
And with Sessions I joust cant destroy session with session_destroy();
Here is the code of secure pages, and logout.php
Secure page (there are 3 of them but they are all the same as this one):
Code: <?php
session_start();
$username = $_SESSION['username'];
$password = $_SESSION['password'];
include 'database_connect.php';
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$sql = mysql_query($sql) or die(mysql_error());
$count = mysql_num_rows($sql);
if ($count !== 1) { header("location: login-fail.php"); }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>PHP generated</title>
</head>
<body>
<?php echo $username . " <p>welcome to Content Manager</p>" ?>
<a href="admin-site-manager.php">Site Manager</a>
<a href="admin-account-manager.php">Account Manager</a>
<br/>
<a href="logout.php">Logout</a>
</body>
</html>
And this is logout.php
Code: <?php
session_start();
session_destroy();
header("location: index.php");
?>
So my questions are:
1. Whats wrong with this script, it works great, but logout is not working, when i click logout, it sends me to index.php, but if I enter URL of "secured" page it show me that page and tells me Im loged in :/. So i gues my logout.php is not working. I guess that after 24 minutes it wouldnt show me secure page anymore but i didnt wait that long. In documentation it writes that it takes 24 minutes for session to compleatly destroy, if we dont change php.ini file.
2. To secure pages so only registred users can acess them, like I did now, what is better, Sessions, or Cookies, or is there any way to combain them? Is it ok to use only sessions like I did? Is it secure, and what would could I get if I use cookies too. Can someone explain me when should I use Sessions and when Cookies?
3. About Cookies encryption, what is the best way to encrypt a cookie, so if Im sending $password from one page to another and store that password in a cookie, how to secure it from users to see it? What is the best way to do that?
No comments posted yet
Your Answer:
Login to answer
344 
49 
Other forums
Displaying returned XML in another PHP page
I have an online payment form that will return XML given if a payment is successful or declines. I
PHP Multiples of 2, Show posts...not working (wordpress)
I have been using this code to show div.example with 6 li columns inside it, each li is a post with
Changing color in GD via variable?
Hey guys, I'm new here. x)
I'm very much a noob when it comes to PHP, but I'm trying to learn
Wierd if else problem
Hi guys,
this probably aint wierd for you, but it seems like php is playin up to me. may b i
my two tables
table1 : col1 = topicid , col2 = topic
table2 : col1 = sentid, col2 = sentence
Cod
Need a fuction to count entries in a field
Hi
I need a fuction to count how many times a email address is entered in to a field.
I ma
Logging and nologging bulk insert
Hi,
oracle version: 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
unoconv doc convert to pdf code prob
PHP/5.3.1
Hi. I am trying to use this code to convert docs to .pdf utilizing unoconv. Howe
Looping Problem
I've got a client that has a database with about 200 events at any given time. I'm trying to loop t
Using Microsoft Exchange Server with PHP
Hi,
I wanted to know if its possible to fetch email attachments from the exchange server usin
