What is the correct and safe/secure way to keep a user logged in? cookies? session? PHP && MYSQL
First, let me tell you this. Nothing is 100% secure. Nothing is air tight, and nothing is sacred. If motivated enough, an attacker will break every server-side defense you may put (unless you are using HTTPS, which is a different story).
You may use cookies, but cookies are highly exposed and easily modified. Never store private data, or access levels in a cookie. As it is easily stolen/modified by an attacker.
Sessions are not 100% safe either. The session ID, which the server uses to identify the client, is sent by one of 2 ways. a $_GET variable (bad), or a cookie (better, but still pretty bad). Meaning, if you are logged in as the administrator, over an unsecured WiFi, a skilled attacker (and by skilled I mean a pr0 haxx0r that downloaded a simple HTTP sniffer) can easily steal your SESSION ID. And while not getting your password, the server will wrongly identify the attacker as you, and grant him any access you may have/had.
So what to do? Sessions are on most cases safe. Advise your users to not log in under an unsecured network (buses, internet cafes, etc.). If you want to allow your user authorization to persist over time, a cookie is required. I usually use a 2 cookie system if I need that:
userid=12345hash=password_hash($userid . $hashed_password, PASSWORD_DEFAULT)Then I have something to match against, and the user's details weren't revealed.
But like I said, in the end of the day, if you really REALLY wanted to secure your users, in above to everything else written in this answer, get yourself HTTPS.
I would use a session.
To help a little on security, once a users credentials have been verified use session_regenerate_id - since the session id is what is passed across in a cookie this is important if someone is sniffing around while login in processed.
DO NOT STORE any information in the session pertaining to access credentials - a userId is often sufficient; personally I build a user object which I store in the session (these get auto serialized/unserialized between request - but you can read on that independantly).
IF you wish to set a cookie so the user doesn't have to login on the next visit perhaps store the userId and an autogenerated token which can be checked against in the database (or similar) - I would add extras to the checking too - like storing the last ipaddress with the token to check as well, if they don't match then ask for login once more.
There are quite a few approaches that can be taken - I don't offer all/'the best' - get your code reviewed by people in a php community - you learn more that way.
If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie. The trouble is that a user can block cookies or delete them at any time. If, for example, your website's shopping cart utilized cookies, and a person had their browser set to block them, then they could not shop at your website.
When you store data in cookies, you must be absolutely certain that users can’t tamper with the data in any way. There’s no way to keep users from altering the data in a cookie; it’s absurdly easy. So, in order to ensure that your website doesn’t accept cookies containing altered data, you need to either encrypt the cookie values or sign them with a hash that allows you to verify their integrity.