Reputation: 3661
I have a user login system in my site and I have a confusion. Currently I don't have the 'Remember Me' checkbox in the user login system. Currently I am using something like this to log in the user.
$_SESSION['user_id'] = $_POST['user_id'];
$_SESSION['user_name'] = $_POST['user_name'];
But now, I want to put a 'Remember Me' checkbox and for that purpose I need to use COOKIE. I want to know what the procedure should be.
If the user checks the 'Remember Me' checkbox, I need to use COOKIE.
But if the user does not check the 'Remember Me' checkbox, should I use SESSION or COOKIE?
Upvotes: 0
Views: 1843
Reputation: 70863
Do not store the password in a cookie. Create a new random value that acts as the combination of username and password, and store it both in the cookie, and in your user database.
Requirements for this random value: It has to be unique (like username/password combos), and it has to be cryptographically random, not just "hash the current time" pseudo-random. Or rand(). Or mt_rand().
A request would try to continue a session. If unsuccessful, to authenticate the request first check if the remember-me cookie is present. This will trigger a lookup in the database, and a user might be found. This user must be logged in in this session.
Otherwise, ask for username and password.
Upvotes: 2
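The flow this answer describes, as an added PHP example that is not part of the original answer. The remember_tokens table, its columns, the cookie name and the 14-day lifetime are assumptions; storing only a SHA-256 hash of the token and replacing the token after each use go beyond what the answer states.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the post):
//   remember_tokens(token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)
const REMEMBER_COOKIE = 'remember_me';   // assumed cookie name
const REMEMBER_TTL    = 14 * 86400;      // assumed lifetime: 14 days, in seconds

// Call after a successful password login when "Remember Me" is ticked.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));  // CSPRNG output, not rand()/mt_rand()/time hash
    $db->prepare('INSERT INTO remember_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + REMEMBER_TTL]);
    setcookie(REMEMBER_COOKIE, $token, [  // options array needs PHP 7.3+
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $token;
}

// Returns the logged-in user id, or null when the caller must ask for credentials.
function authenticateRequest(PDO $db): ?int
{
    session_start();
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];           // the session continues
    }
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!is_string($token) || $token === '') {
        return null;                                 // no remember-me cookie present
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id FROM remember_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([$hash, time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;                                 // unknown or expired token
    }
    // Single use: drop the presented token and hand out a fresh one.
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    issueRememberToken($db, (int) $userId);
    session_regenerate_id(true);                     // new session id on login
    $_SESSION['user_id'] = (int) $userId;
    return (int) $userId;
}
```

On logout, delete the user's rows from the token table and expire the cookie so a copied token stops working.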
Reputation: 11
Use $_SESSION
A session keeps its data such as the username and password on the server, and gives the user a cookie with a session ID in it, which tells the server which set of data belongs to which browser; it's called a session cookie (there are other ways to store session IDs but that's out of scope). As long as the session cookie remains in the browser cache and valid (doesn't expire) they will remain logged in.
The "Keep me logged in" function could be implemented by extending the expiration of the session cookie. This is probably your safest option. But you will want to read up on session hijacking if you want to dig into that.
Take a peek here: http://php.net/manual/en/function.session-set-cookie-params.php
In particular:
session.cookie_lifetime
As it mentions, its value defaults to 0, which is until browser is closed. Make it a reasonable number of seconds, 86400 for 1 day (unless I'm too tired to math) and you will keep them logged in for the day unless the browser cache gets cleared (on close of browser is common-ish, but you can't do anything about that). I think the upwards cap is the max value of a signed integer, so: 2,147,483,647 / 86,400 = 24,855(ish) days. So lots if you need it.
Upvotes: 0
Reputation: 3059
You need to store SESSION ID somewhere. That can be either cookie or GET parameter glued to every GET request. Normally, cookie is used automatically when calling session_start().
Upvotes: 0
Reputation: 1115
For sessions you need cookies anyway because session ID is stored in cookie.
For "remember me" functionality you can extend session cookie lifetime (default 0 - expires at end of browser session). So, when logging user in, if "remember me" is ticked, set session cookie expires to some large time (say, 1 week) and if "remember me" is unticked, then set session cookie expires to 0 (at end of browser session).
Upvotes: 0
Reputation: 535
With cookies you can do both, but the data will be kept on the client side, so you need to encrypt the data.
With sessions you can only keep data as long as the user is logged in.
So the answer is COOKIES.
Upvotes: 0