Reputation: 3116
I've got an application that needs a persistent cookie and I'm doing my best to follow best practices (such as The definitive guide to form-based website authentication), but I've run into a problem for which I haven't been able to track down a solution.
Here's my code, at the moment:
// Valid user
if ($validuser) {
    // Initiate the session and remove any existing ones - also create the GUID and hashed
    session_start();
    $guid = uuid();
    $hashedguid = $pwdHasher->HashPassword($guid); // hashed copy of the GUID (not used further below)
    if (isset($_SESSION['mb_session'])) {
        unset($_SESSION['mb_session']);
    }
    // Look for existing cookie and split the two parts (uuid::email), then empty existing cookie
    if (isset($_COOKIE['mb_session'])) {
        $id_vals = explode('::', $_COOKIE['mb_session']);
        setcookie('mb_session', '', time() - COOKIE_EXP_TIME);
        // Remove any existing sessions/data (uid is $user[0]['uid'], as in the INSERT below)
        $params = array(array('value' => $id_vals[0], 'type' => 's'), array('value' => $user[0]['uid'], 'type' => 'i'));
        db_query('DELETE FROM sessions WHERE sid = ? AND uid = ?', $params, false, false);
        $params = array(array('value' => $id_vals[0], 'type' => 's'));
        db_query('DELETE FROM sessiondata WHERE sid = ?', $params, false, false);
    }
    // If remember me was selected, set the cookie and 30 day expiration
    if (isset($_POST['remember_me'])) {
        setcookie('mb_session', $guid . '::' . $_POST['email_address'], time() + COOKIE_EXP_TIME);
    }
    // Save session to DB ('Y' gives the four-digit year a DATETIME column expects)
    $params = array(array('value' => $guid, 'type' => 's'), array('value' => date('Y-m-d H:i:s'), 'type' => 's'), array('value' => $user[0]['uid'], 'type' => 'i'));
    db_query('INSERT INTO sessions (sid, modified, uid) VALUES (?, ?, ?)', $params, false, false);
    // Now set the session variable
    $_SESSION['mb_session'] = $guid;
    $_SESSION['mb_session_user'] = $user[0]['uid'];
    $_SESSION['mb_session_modified'] = time();
    $_SESSION['mb_session_logged_in'] = true;
}
// Invalid user, redirect with error
else {
    header('Location: ' . $redir . '?e=5');
    exit();
}
The problem that I'm running into is that because setcookie() doesn't take effect until the following page, there's a disconnect between the value of $guid that gets added to the database (fired on this page) and that which gets added to the cookie. For example, if I log in and then simply print the values of $_SESSION['mb_session'] and $_COOKIE['mb_session'] I get two different GUIDs -- if I log in a second time, $_SESSION['mb_session'] gets a new value and $_COOKIE['mb_session'] gets the GUID from the previous run.
The end result of this is that I'm unable to properly clear out and reset a user's cookie.
I hope this makes sense to someone because it doesn't make much sense to me. Thanks to anyone who can point me in the right direction.
Upvotes: 1
Views: 544
Reputation: 3116
Disregard -- somehow there was an old cookie that was just not deleting from my browser so I effectively had two cookies for the same application. Clearing out that old one combined with some degree of tinkering seems to have solved the problem.
Upvotes: 1
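Added example (not the asker's code) covering the two points in this thread: $_COOKIE is a snapshot of the incoming request, so the value for the current request must come from the local variable, and a cookie is only reliably cleared when the delete repeats the same path/domain it was issued with. COOKIE_PATH, store_session_token() and the options-array form of setcookie() (PHP 7.3 or later) are assumptions.

```php
<?php
// Added example, not the asker's code. Shows a cookie issue/clear flow that
// avoids the same-request $_COOKIE mismatch and the stale-duplicate-cookie
// problem described in the thread. Assumed: COOKIE_PATH, store_session_token().

const COOKIE_NAME     = 'mb_session';
const COOKIE_PATH     = '/';              // assumption: app issues cookies for '/'
const COOKIE_EXP_TIME = 30 * 24 * 3600;   // 30 days, as in the question

function cookie_options(int $expires): array {
    // Identical attributes for set and delete: a delete with a different
    // path/domain creates a second cookie instead of replacing the first.
    return [
        'expires'  => $expires,
        'path'     => COOKIE_PATH,
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by page script
        'samesite' => 'Lax',
    ];
}

function clear_session_cookie(): void {
    // setcookie() only queues a Set-Cookie header; $_COOKIE is untouched,
    // so mirror the change for the rest of this request as well.
    setcookie(COOKIE_NAME, '', cookie_options(time() - 3600));
    unset($_COOKIE[COOKIE_NAME]);
}

function issue_session_cookie(int $uid): string {
    // Unguessable random token. Only its hash is stored server side, so a
    // leaked sessions table does not yield usable tokens. No email in the cookie.
    $token = bin2hex(random_bytes(32));
    store_session_token(hash('sha256', $token), $uid);
    setcookie(COOKIE_NAME, $token, cookie_options(time() + COOKIE_EXP_TIME));
    // Same-request readers see the new token instead of the old request's value.
    $_COOKIE[COOKIE_NAME] = $token;
    return $token;
}

function session_hash_from_request(): ?string {
    // On later requests, look the session up by hash of the presented token.
    $token = $_COOKIE[COOKIE_NAME] ?? '';
    return $token === '' ? null : hash('sha256', $token);
}

function store_session_token(string $tokenHash, int $uid): void {
    // Assumed placeholder for the question's db_query() INSERT into sessions.
}

// Login flow: clear whatever the browser sent, then issue a fresh token.
clear_session_cookie();
issue_session_cookie(42); // constructed uid
```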