A question about PHP and Sessions

If you are really using PHP(BB3?) then you must have seen all the cookie and session controls in the ACP. If not go look it up.

i think you misunderstood me...

I'm writing my own code and my own site...

and as for the looking up part.. I looked and couldn't find a decent answer to this... this is why I'm asking here...

After user closed their browser or session expired (set from your php.ini) it is treated as garbage and waiting for garbage collector to cleanup the file. PHP handled on the backend.

Here's simple example I used, hope to clear things up.

Eg. If a user logged in with 'remember me' option turned on, I would create a chocolate.. erm cookie to hold their username and md5(password) data, along with desired expiry date. When they come back, I would just verify again username and md5 string. If every thing's good, log them in with new session.

Notes:
1. You don't need to continue same PHP session after they come back. Just create a new session if data is matched. The session I store is merely login data and to help verify across web pages.

2. Why I store username in cookie is because I could display their username on my page when they return. Of coz you can use User ID if you prefer.

3. MD5 is one way encryption, so I'm less afraid people would reverse engineer it. But don't store plain password. Cookie is a text file that user can access. Base64 it if you like.

4. You control how long the cookie expire. If expired, cookie will be deleted, and it will failed your authentication and thus user have to re-login.

5. My answer above is just for reference only to explain my concept on how to deal with this kind of problem. I suggest google more for more secure way to implement this.

Hope this helps.

thanks this explained some concepts, one thing thou... how do you add more then one info to the cookie? I taught they are meant to hold only one value...

just for the record i'm using the sha() function that provides 128 bit one way encryption... this is as safe as i can go online... if it was up to me i'd use 4096 bit encryption

A cookie array may be what you want:
PHP: setcookie - Manual

setcookie("cookie[three]", "cookiethree");
setcookie("cookie[two]", "cookietwo");
setcookie("cookie[one]", "cookieone");

// after the page reloads, print them out
if (isset($_COOKIE['cookie'])) {
foreach ($_COOKIE['cookie'] as $name => $value) {
echo "$name : $value <br />\n";
}
}

I have managed to come up with a script that solves my problems, i have managed to eliminate the sessions completely out of use and have managed to maintain security. All data is encrypted and the user can login after several months of absence with out any problems.

i'm currently in the phase of adding extra functionality to the script, who knows i might just sell it and make a fortune

Thanks for all your help, together you have all helped me to group all that knowledge and compress it into an out-of-the-box idea

Thanks guys