PHP, Cookies, MySQL & Headers
I was recently implementing a persistent login feature and stumbled across a website that did it in a more unique way, seemingly more secure: Persistent Login Cookies Best Practice. I thought it was a smart way to use cookies and decided to use it.
Now, the way I set my system up was that someone would enter a username and password, which it validates and then sends a request to my MySQL database to make sure that it matches. Upon matching, it sets a cookie using the method mentioned above.
One thing I do is I like to use includes to store variables, procedures, etc. I always, always, store database connection data in an include. I don’t like to have any data on a page where someone in a passing glance at my screen could get that information, or something of that nature. So, just like any other page, I included the database connection, sent the queries out, then tried to set cookies.
I received the error “headers already sent out”, pointing to my database connection include. This led me to believe that the functions themselves sent out headers, and so I would have to use some weird way of setting cookies, like reading another page with it as a query string, and a lot of unneeded complexity would be added.
I decided to mention my problem to an ASP.NET programmer, who didn’t use cookies much and we ended up arguing because he wasn’t understanding my problem. In a fit of frustration, I replaced the contents of the include with the call to the include – meaning the database connection data was now on page.
It worked.
Why did this work? I didn’t know. This led me to believe that including a file sent out headers. So, to prove my point, I included another file.
It still worked.
I then thought because the other include I was using only contained variables, and the database connection include called a function, that you couldn’t call a function within an include, because that would send headers out.
Wrong again!
I did more tests and finally gave up trying to exclude the database login information in an include. I still don’t understand exactly why; I even tried to store just the variables of the information and then do the calls in the program, which didn’t work.
I continued with my work, going on to other things, and had the magnificent thought, why don’t I put the setcookie (PHP function) in with the database calls in an include file? This will save me extra code and will keep the database information secure — if it works.
It worked!
In conclusion, if you need to set cookies after making a database call and would like to keep your database login information secure, use some sort of function, either within a class or just a function that will make the call for you.
-Kerry
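
An added example, not the author's code, of the approach in the conclusion: one function in an include that makes the database call and then sets the cookie. PHP reports "headers already sent" when any output, including whitespace or a byte-order mark outside the PHP tags of an included file, goes out before `setcookie()`, so the function checks `headers_sent()` first. The file name, table, cookie name, lifetime and the SQLite stand-in for MySQL are assumptions, and the options-array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// auth.php (hypothetical include). Nothing precedes the opening tag and there
// is no closing tag, so including this file cannot emit stray whitespace or a BOM.

/**
 * Store a hashed persistent-login token for $userId and send it as a cookie.
 * Returns false (and logs where output began) if headers have already gone out.
 */
function issue_persistent_login(PDO $db, int $userId): bool
{
    // headers_sent() fills $file and $line with the place output started.
    if (headers_sent($file, $line)) {
        error_log("Cannot set login cookie: output started at $file:$line");
        return false;
    }

    $token   = bin2hex(random_bytes(32));        // value the browser keeps
    $expires = time() + 60 * 60 * 24 * 30;       // 30 days (assumed lifetime)

    // Only a hash is stored, so a leaked table does not yield usable cookies.
    $stmt = $db->prepare(
        'INSERT INTO login_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, hash('sha256', $token), $expires]);

    return setcookie('remember_me', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed demo: in-memory SQLite stands in for the MySQL connection that
// would normally be created in the separate credentials include.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');

$ok = issue_persistent_login($db, 42);           // 42 is a made-up user id
error_log($ok ? 'cookie queued' : 'cookie not set');
```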


I’m very interested in how you implemented this. Is there any way you may post some example code?