Sorry for the newbie question! I’m making a small website that allows users to create their own accounts. It’s not a banking system, and it’s unlikely that someone would want to hack it. That said, I am trying to make it reasonably secure, as there are plenty of bored script kiddies out there.

Could someone describe a basic workflow for a user logging in and having a cookie set that will keep them logged in for 30 days?

At the moment I have the following:

1. Validate and sanitize inputted data.

2. Check supplied credentials against bcrypt hashed password in DB.

3. If correct then call "Login" function.

4. Login function:

   a. Delete any session data from DB with userID (table with two columns: SessionString and UserID).
   b. Add new session data to DB (newy random generated string and UserID).
   c. Write random generated string and UserID to cookie.
   d. Set $_SESSION("UserID") with $userID.

But although the two cookies are being created and written to, the $_SESSION("UserID") remains blank… I’m guessing because I can’t write to $_SESSION any time I like?

And even once that’s fixed, how do I use the data stored in the cookie to log a user in? I’m guessing I don’t want to go to the DB on every page load. And it will still require me to create a database object to see if the credentials in the cookie are ok. Is this the right way to this?

Once again, apologies for the newbie question!

UPDATE:
Yes, I do understand the difference between $_SESSION variables and a cookies. I also have session_start() at the top of every page (right after <php with no blank lines). $_SESSION("UserID") just remains blank.

Here’s the code from the top of the page:

<?php
session_start();

if(!isset($_SESSION['initiated'])) {
    session_regenerate_id();
    $_SESSION['initiated'] = true;
} 

Thanks for the help.