I've got an application that needs a persistent cookie and I'm doing my best to follow best practices (such as The definitive guide to form-based website authentication), but I've run into a problem for which I haven't been able to track down a solution.
Here's my code, at the moment:
// Valid user
if ($validuser) {
// Initiate the session and remove any existing ones - also create the GUID and hashed
session_start();
$guid = uuid();
$hashedguid = $pwdHasher->HashPassword($guid);
if (isset($_SESSION['mb_session'])) {
unset($_SESSION['mb_session']);
}
// Look for existing cookie and split the two parts (uuid::email), then empty existing cookie
if (isset($_COOKIE['mb_session'])) {
$id_vals = explode('::',$_COOKIE['mb_session']);
setcookie('mb_session', '', time() - COOKIE_EXP_TIME);
// Remove any existing sessions/data
$params = array(array('value' => $id_vals[0], 'type' => 's'), array('value' => $user[0], 'type' => 'i'));
db_query('DELETE FROM sessions WHERE sid = ? AND uid = ?', $params, false, false);
$params = array(array('value' => $id_vals[0], 'type' => 's'));
db_query('DELETE FROM sessiondata WHERE sid = ?', $params, false, false);
}
// If remember me was selected, set the cookie and 30 day expiration
if (isset($_POST['remember_me'])) {
setcookie('mb_session', $guid . '::' . $_POST['email_address'], time() + COOKIE_EXP_TIME);
}
// Save session to DB
$params = array(array('value' => $guid, 'type' => 's'), array('value' => date('y-m-d H:i:s'), 'type' => 's'), array('value' => $user[0]['uid'], 'type' => 'i'));
db_query('INSERT INTO sessions (sid, modified, uid) VALUES (?, ?, ?)', $params, false, false);
// Now set the session variable
$_SESSION['mb_session'] = $guid;
$_SESSION['mb_session_user'] = $user['0']['uid'];
$_SESSION['mb_session_modified'] = time();
$_SESSION['mb_session_logged_in'] = true;
}
// Invalid user, redirect with error
else {
header('Location: ' . $redir . '?e=5');
exit();
}
The problem that I'm running into is that because setcookie() doesn't take effect until the following page, there's a disconnect between the value of $guid that gets added to the database (fired on this page) and that which gets added to the cookie. For example, if I log in and then simply print the values of $_SESSION['mb_session'] and $_COOKIE['mb_session'] I get two different GUIDs -- if I log in a second time, $_SESSION['mb_sesison'] gets a new value and $_COOKIE['mb_session'] gets the GUID from the previous run.
The end result of this is that I'm unable to properly clear out and reset a user's cookie.
I hope this makes sense to someone because it doesn't make much sense to me. Thanks to anyone who can point me in the right direction.
