php – Handling user sessions on website using $_COOKIE and $_SESSION

So I am building a website. It will be only used inside our small company and it’s not made for public use.

What I want to achieve is the ability for user to maintain session after sign in for a prolonged period of time while also maintaining some sense of security and common sense.

My website building experience is 2-3 weeks of building things with HTML/PHP/Bootstrap/JS where I mostly just lurk around and do research.

So far, from what I have read, tried and found I was able to get a solution working, yet what I would like is for someone to take a look and tell me what is good and what is bad with my approach and how I can improve this.

This is the file I created for working with Cookies and Sessions. This file will be included using require() on each and every page that can be accessed by web-site navigation (that means this won’t be used on any ‘back-end’ files because that makes no sense I think).

I will explain my thought process below in the comments to code.

<?php
// Firstly, we check if any session is set, because if the session is set,
// then the user can still navigate the website and we don't need to do anything
if (!isset($_SESSION['id'])) {

    // The session is not set.
    // Check if Cookie with pre-defined name that I thought of for my web-site exists
    if (isset($_COOKIE['info'])) {

        // Okay. We have no session but we have a cookie. Let us start a session then.

        // Getting hold of database handler.
        require_once(__DIR__ . '/../dbh/dbh.php');

        // Preparing statement for accessing DB.
        $stmt = $connection->prepare("SELECT * FROM `users` WHERE `username`=?");

        // Information inside my Cookie is stored in a JSON encoded string, so we decode it.
        $info = json_decode($_COOKIE['info'], true);

        // Assign extracted information to variables for ease of use
        $username = $info['username'];
        $password = $info['password'];

        // Bind parameters and execute the statement we prepared
        $stmt->bind_param('s', $username);
        $stmt->execute();

        // Get results of statement execution
        $result = $stmt->get_result()->fetch_assoc();

        // The result may be `NULL` if the username we tried to find does not exist.
        // So if the username does not exist, then we can't start the session.
        if ($result !== NULL) {
            // The username exists so we can proceed further.

            // Assign `username` and `password` we got from query to variables for ease of use
            $db_username = $result['username'];
            $db_password = $result['password'];

            // Here we do an extra step of verifying user's credentials just to be 100% sure
            if (strcmp($username, $db_username) == 0 && strcmp($password, $db_password) == 0) {
                // Credentials are identical, so we can safely start a session for this user.

                session_start();
                $_SESSION['id'] = $result['id'];
                $_SESSION['username'] = $result['username'];
                $_SESSION['password'] = $result['password'];

                // JSON encoding user's credentials for storing in a cookie.
                $info = array(
                    'username' => $username,
                    'password' => $password
                );

                // We are going to set a refreshed cookie to make sure
                // that this cookie expires only when the user doesn't
                // visit the website for a month.
                setcookie('info', json_encode($info), time() + 2592000);
            }
        }

        // This is an interesting part.
        // This `if` statement was created to avoid an endless loop when the user initially enters the website.
        // Here we check if the page is `index.php` and if it is, then we don't need to redirect the user.
        if ($_SERVER['REQUEST_URI'] !== '/' && $_SERVER['REQUEST_URI'] !== '/index.php') {
            header("Location: http://" . $_SERVER['HTTP_HOST'] . "/index.php");
            exit();
        }
    }

    // Same thing as above, just in two different `if` statements.
    if ($_SERVER['REQUEST_URI'] !== '/' && $_SERVER['REQUEST_URI'] !== '/index.php') {
        header("Location: http://" . $_SERVER['HTTP_HOST'] . "/index.php");
        exit();
    }
}
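A hardened version of the same remember-me flow, added here as an example and not the asker's code: the cookie carries a random selector/validator pair instead of the username and password, only a hash of the validator is stored server-side, comparison is constant-time, and the cookie is set with the Secure, HttpOnly and SameSite flags. The token store is a constructed in-memory array standing in for a database table; the function and constant names are assumptions.

```php
<?php
// Added example, not the asker's code: a "remember me" cookie carrying a random
// token instead of the password. The token table is simulated by an array so the
// script runs stand-alone; in production the store/lookup become prepared statements.
const REMEMBER_COOKIE = 'info';    // same cookie name as the question
const REMEMBER_TTL    = 2592000;   // 30 days, as in the question

// Issue a token for $userId. Returns [cookie value, row to store]. The cookie
// holds selector:validator; only sha256(validator) is stored, so a leaked token
// table cannot be replayed as a cookie.
function issueRememberToken(int $userId, int $now): array {
    $selector  = bin2hex(random_bytes(8));
    $validator = random_bytes(32);
    $row = ['user_id' => $userId, 'validator_hash' => hash('sha256', $validator),
            'expires' => $now + REMEMBER_TTL];
    return [$selector . ':' . bin2hex($validator), [$selector => $row]];
}

// Check a presented cookie against stored rows; returns the user id or null.
function verifyRememberToken(string $cookie, array $store, int $now): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;                   // malformed cookie (e.g. tampered)
    }
    [$selector, $validatorHex] = $parts;
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < $now) {
        return null;                   // unknown selector or expired
    }
    $presented = hash('sha256', hex2bin($validatorHex));
    // hash_equals() compares in constant time, unlike strcmp()
    return hash_equals($row['validator_hash'], $presented) ? $row['user_id'] : null;
}

// Cookie flags the question's setcookie() call leaves unset (PHP >= 7.3 syntax).
function sendRememberCookie(string $value, int $now): void {
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,            // HTTPS only
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Stand-alone check with the constructed store; user id 42 is made up.
[$cookie, $store] = issueRememberToken(42, time());
if (verifyRememberToken($cookie, $store, time()) !== 42) { throw new RuntimeException('valid token rejected'); }
if (verifyRememberToken($cookie, $store, time() + REMEMBER_TTL + 1) !== null) { throw new RuntimeException('expired token accepted'); }
echo "remember-me token round trip OK\n";
```

On a successful cookie login the session should still be started with session_start() and session_regenerate_id(true) before anything is written to $_SESSION, and the password never needs to be placed in the session at all.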