PHP Cookies, Sessions and Authentication
Download as PPT, PDF11 likes10,445 views
The document provides an overview of sessions, cookies, and authentication mechanisms in PHP, detailing how sessions are created, managed, and their lifecycle. It discusses the importance of session management for user authentication and security, including cookie lifetime settings that determine when users are logged out. Additionally, it highlights potential security concerns and best practices to maintain user sessions safely.
![// set a flag $_SESSION[‘authenticated’] = true; $_SESSION[‘loggedIn’] = true; // save something useful $_SESSION[‘userId’] = 123; $_SESSION[‘userName’] = ‘jsmith’; Authentication 2.](https://image.slidesharecdn.com/php-cookies-sessions-and-auth-110526150223-phpapp02/85/PHP-Cookies-Sessions-and-Authentication-10-320.jpg)
PHP Cookies, Sessions and Authentication
- 1. (PHP) Sessions, Cookies, & Authentication Gerard Sychay #tek11 05/26/2011
- 2. Gerard Sychay. Zipscenemobile.com Cincy Coworks Introduction 0.
- 3. 0. Introduction This is Henry
- 5. Introduction 0. Sessions Authentication Keep Me Logged In Security
- 6. Sessions 1. 1. initial request 2. create new session ID 3. create session file named with ID 4. store ID in ‘ PHPSESSID’ cookie
- 7. Sessions 1. 2. find file with name matching session ID 3. read session data from session file read session ID from PHPSESSID cookie 4. respond using session data
- 8. Sessions 1.
- 9. Authentication 2. Sessions… what are they good for?
- 10. // set a flag $_SESSION[‘authenticated’] = true; $_SESSION[‘loggedIn’] = true; // save something useful $_SESSION[‘userId’] = 123; $_SESSION[‘userName’] = ‘jsmith’; Authentication 2.
- 12. Authentication 2. “ You know that thing that they have?”
- 13. Specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means “until the browser is closed.” Defaults to 0. Authentication 2. session.cookie_lifetime
- 14. Specifies the number of seconds after which data will be seen as ‘garbage’ and potentially cleaned up. Garbage collection may occur during session start. Defaults to 1440 seconds. Authentication 2. session.gc_maxlifetime
- 15. Authentication 2. // 24h session.cookie_lifetime = 86400; // 24h session.gc_maxlifetime = 86400;
- 17. Authentication 2. session.cookie_lifetime Absolute expiration time session.gc_maxlifetime Maximum idle time
- 18. Authentication 2. session.cookie_lifetime = 0; // default session.gc_maxlifetime = 1440; // default Example Henry: Never closes his browser Requests pages every 20 minutes or so. Stays logged in!
- 19. Authentication 2. session.cookie_lifetime = 0; // default session.gc_maxlifetime = 1440; // default Example Henry: Leaves his browser open Takes a 30 min. snack break Session garbage collected – logged out!
- 20. Authentication 2. session.cookie_lifetime = 3600; // 1 hr session.gc_maxlifetime = 1440; // default Example Henry: Leaves his browser open Takes a 30 min. snack break Session garbage collected – logged out!
- 21. Authentication 2. session.cookie_lifetime = 3600; // 1 hr session.gc_maxlifetime = 3600; // 1 hr Example Henry: Leaves his browser open Takes a 45 min. snack break Works for 30 mins. Session cookie expires – logged out!
- 22. Oh yeah, what was I trying to do? Authentication 2.
- 24. Keep Me Logged In 3. do? What would
- 25. Keep Me Logged In 3. 1. initial login 4. store auth token in ‘my_auth’ cookie 3. store user’s unique auth token in DB 2. create new auth token for user
- 26. Keep Me Logged In 3. 1. read auth token from ‘my_auth’cookie 2. lookup auth token in DB 4. Store new session ID and auth token in cookies 3. if valid token, log user in
- 27. Keep Me Logged In 3.
- 28. What about security? Security 4.
- 29. Security 4.
- 31. Security 4.
- 32. I CAN HAZ SSL? Security 4.
- 34. 4. Security
- 35. @hellogerard http://straylightrun.net http://github.com/hellogerard/tek11 © 2011. Some rights reserved. Thanks! 5. Enjoy the wi-fi!