-1

I am setting both a COOKIE and SESSION for users when they login/signup. A SESSION for more usability and a COOKIE for persistence. When a new user signs up for my website, I'd like to redirect them to their profile. I need to create a SESSION and COOKIE variable as soon as they sign up to do this. Here is my solution:

    $query2 = "INSERT INTO users (fname, lname, email, password) VALUES ('$fname', '$lname', '$email', '$password1')";
    mysqli_query($connect, $query2)
        or die('error with query');
    session_start();
    $query3 = "SELECT * FROM users where email= '".$email."' AND password= '".$password1."'";
    $result2 = mysqli_query($connect, $query3);
    $row = mysqli_fetch_array($result2);
    $_SESSION['id'] = $row['user_id'];
    setcookie('id', $row['user_id']);
    echo $_SESSION['id'];
    echo $_COOKIE['id'];
    echo "You are now logged in.";

I first insert the new row of data. Then I recall it to create the SESSION and COOKIE variable. But here is my problem: whenever I echo the COOKIE variable, its value is always one less than what the actual value should be. The SESSION is okay though. What am I doing wrong? What could be the problem? I created another page.php to just echo out the SESSION and COOKIE variables and they are both correct there. Thanks.

user1592953
  • As a side note, you do realize there are cookie editors so that the user in this case can change the cookie to any user id and be logged in as them? – Joachim Isaksson Aug 27 '12 at 17:54
  • how do I prevent that from happening? – user1592953 Aug 27 '12 at 17:55
  • don't save these things into a cookie – Ivan Hušnjak Aug 27 '12 at 17:56
  • @IvanHušnjak what should be stored in a cookie? – Kermit Aug 27 '12 at 17:57
  • Well how do I provide persistence for users? – user1592953 Aug 27 '12 at 17:58
  • @njk general un-harmful data like view settings (table sorting info, selected items), cart data, etc., although it is far better to use session for that anyway. Remember that a cookie can hold at most 4kB of data, sessions have no limit, and you can save even objects into them. – Ivan Hušnjak Aug 27 '12 at 17:59
  • You're using `mysqli`, which is great, but you're using it completely the wrong way and have created numerous *severe* SQL injection bugs. You should be using [placeholders](http://bobby-tables.com/php) for **ANY** and **ALL** data being put into your query. – tadman Aug 27 '12 at 18:01
  • @Jaitsu $_SESSION variables expire when the user logs out. – user1592953 Aug 27 '12 at 18:09
  • @user1592953 so why do you need to know the user ID if they're logged out? if you're creating "remember me" functionality then read [this](http://stackoverflow.com/a/3128997/603256) – JamesHalsall Aug 27 '12 at 18:40

2 Answers

5

The value of the cookie that you set using setcookie is not displayed on the same page.

The way a cookie works is that the data you set in the cookie is sent to the browser, which saves it to your local PC. The browser makes it available to your page in the $_COOKIE array the next time your browser connects to the server.

Hence using $_COOKIE immediately after setting it will not work.

Session on the other hand can be used immediately after you set it using $_SESSION.

Gunjan Karun
1

$_COOKIE contains cookies sent in the request. Calling setcookie() won't change $_COOKIE -- until they send the next request. You're seeing the last request's cookie. ;)

EthanB
  • So, I'm fine to set it upon set-up like I am already doing? Then just call it on the profile script? – user1592953 Aug 27 '12 at 17:57
  • `$_SESSION` lasts as long as their browser is open. It will work just fine for profile redirection. You only need `$_COOKIE` for long-term user identification (but don't store confidential user info in cookies). – EthanB Aug 27 '12 at 18:04
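
An added example, not code from the question or from either answer: one common way to give users persistence without putting the user id in a cookie is to store a random token in the cookie and keep only its hash on the server. The `$tokenStore` array (a stand-in for a database table), the cookie name `remember`, the 14-day lifetime and the user id 42 are assumptions made for the illustration; the options-array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example: a "remember me" cookie that carries a random token, not the user id.
// $tokenStore is a hypothetical in-memory stand-in for a database table
// (token hash => user id and expiry); the cookie name 'remember' is also an assumption.
$tokenStore = [];

function issueRememberToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    // Keep only a hash server-side, so a leaked table cannot be replayed as cookies.
    $store[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => time() + $ttl];
    return $token;
}

function userIdFromRememberToken(array &$store, string $token): ?int
{
    $key = hash('sha256', $token);
    if (!isset($store[$key]) || $store[$key]['expires'] < time()) {
        return null;                      // unknown, edited or expired token
    }
    $userId = $store[$key]['user_id'];
    unset($store[$key]);                  // single use: the caller issues a fresh token
    return $userId;
}

// Sign-up or login. In a real script the id comes from the database
// (for example mysqli_insert_id()); here it is a constructed value.
$newUserId = 42;
$token = issueRememberToken($tokenStore, $newUserId);
setcookie('remember', $token, [
    'expires'  => time() + 1209600,
    'path'     => '/',
    'secure'   => true,    // sent over HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
// setcookie() only queues a response header. $_COOKIE still holds what the browser
// sent with this request, so use $token and $newUserId directly on this page.

// A later request, simulated: the browser presents the cookie value again.
$presented = $token;
var_dump(userIdFromRememberToken($tokenStore, $presented)); // token as issued
var_dump(userIdFromRememberToken($tokenStore, $presented)); // same token replayed
var_dump(userIdFromRememberToken($tokenStore, '43'));       // value edited client-side
```

On a successful lookup the script would set `$_SESSION['id']` from the returned user id and issue a new token, so the cookie never identifies the account by itself.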