Authenticate the user before you generate an auth-token(cookie)... so write a query to pull the id from the user table where email/password matches... so only if the query returns an id then you know the user exists and is "authenticated", therefore you can now generate a auth-token(cookie) setting it to the usrid...
However setting the cookie to the usrid is not a good practice! since anyone on the client-side could easily set/pass a cookie with a number in a POST request... you need implement some mechanism of encryption to generate a "session" which you can then use as a unique hack-proof user identifier.
I wrote a simple encryption function in the code below which you can use.
<?php
//CHECK IF POST DATA IS EMPTY IF SO KILL THE SCRIPT
if(empty($_POST['email']) || empty($_POST['pass'])){
//echo("error msg");
die();
}
$mysqli = new mysqli('localhost', 'root', 'root', 'accounts');
$pass = md5($_POST['pass']);
$query = "SELECT `id` FROM `users` WHERE `email` = '"
. $mysqli->real_escape_string($_POST['email'])
. "' AND `password` = '"
. $mysqli->real_escape_string($_POST['pass']) . "'";
//INITIATE DB REQUEST
$result = $mysqli->query($query);
//SELECT ID(OBJ) FROM THE RESULT OBJECT
$usrid = $result->fetch_object()->id;
//IF $USRID IS TRUE... USER DOES EXIST (AUTHENTICATED)
if ($usrid) {
$sesh = create_session($usrid);
update_session($usrid, $sesh);
setcookie("usersesh", $sesh, 0,"/");
} else {
//echo("error msg");
}
$result->free();
$mysqli->close();
function create_session($usrid) {
$time = microtime();
$hash = substr($time, 2, 3);
$key = $usrid * $hash;
$sesh = md5($key);
return $sesh;
}
function update_session($usrid, $sesh) {
$mysqli = new mysqli('localhost', 'root', 'root', 'accounts');
$query = "UPDATE `users` SET `session` = '"
. $mysqli->real_escape_string($sesh) . "' WHERE `id` = '"
. $mysqli->real_escape_string($usrid) . "'";
$mysqli->query($query);
$mysqli->close();
}
?>