That is, once the login credentials are checked and verified, what happens next so that on subsequent page loads (and page visits from other already logged-in sessions) the visitor is securely confirmed to be valid and logged in?
Should one use a mix of $_COOKIE and $_SESSION? What specifically is stored in either so as to be secure?
Do you confirm both or just one (if so, which) against the DB on each page load?
The best guides I can find are 8 and 10 years old:
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice
http://jaspan.com/improved_persistent_login_cookie_best_practice
Surely there is something more current that I am just unable to find?
Any guidance would be supremely appreciated.
Thanks kindly