PHP and cookies (and milk!) - probably a simple error

Question

mrcb 0 Newbie Poster

15 Years Ago

So I have a simple login + set cookie script. After checking to see if the supplied credentials are in the db, the script sets a cookie. After this, the script forwards the user to a password protected page.

I know the login + cookie placing script works fine. When I try the wrong credentials it fails like it should and when I enter the right credentials it sets a cookie (i can see it in my cookies on my browser).

The problem comes when I try to read the cookies back to make sure a user is credentialed for a certain page.

Here is my cookie-reading part of the script:

<?php
$user = $_COOKIE['user']; //gets the user from the cookies
$pass = $_COOKIE['pass']; //gets the pass from cookies
include("connect.php"); // connects to our database

$login = mysql_query("SELECT * FROM members WHERE username='$user' AND password='$pass'") or die(mysql_error()); //selects info from our table if the row has the same user and pass that our cookies do
if(!mysql_num_rows($login)) //if the username and pass are wrong
{
  header("Location: index.php");  //redirects to our login page
  die(); //stops the page from going any further
}
?>

And, for reference, this is the cookie placing part of the other script:

if($count==1){
 setcookie("user", $myusername, time()+3600);//sets our user cookie
 setcookie("pass", $mypassword, time()+3600);//sets our pass cookie
 header("Location:../index_pinit.php");
  
}
else {
	header("location:../oops.html");
}

What am I doing wrong? Why can't I read the cookies back?

php

6 Contributors
9 Replies
86 Views
3 Days Discussion Span
Latest Post 15 Years Ago Latest Post by codejoust

cwarn23 387 Occupation: Genius

15 Years Ago

Try making this your second page and see if any header errors are reported when the cookies are set.

if($count==1){
 setcookie("user", $myusername, time()+3600);//sets our user cookie
 setcookie("pass", $mypassword, time()+3600);//sets our pass cookie
 //header("Location:../index_pinit.php");
  
}
else {
	header("location:../oops.html");
}

haggis-man 0 Newbie Poster

15 Years Ago

Bear in mind that some users may choose to set their browsers to accept or decline cookie requests.

I don't have the whole picture from what you've entered but you may find that $_SESSION variables will do the job for you instead. They have super-global scope.

cwarn23 387 Occupation: Genius

15 Years Ago

However sessions also use cookies unless you embed the sesssion id in the url.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Kruptein 15 Posting Whiz in Training · Answer 1 · 2009-09-28T15:36:09+00:00

I would use sessions instead actually, they are more secure as cookies in my opinion, you can read all data cookies send in your browser, but sessions are a bit harder to read becuase they are encoded. They are actually encoded cookies, ...

cwarn23 387 Occupation: Genius Team Colleague Featured Poster · Answer 2 · 2009-09-28T17:04:00+00:00

I would use sessions instead actually, they are more secure as cookies in my opinion, you can read all data cookies send in your browser, but sessions are a bit harder to read becuase they are encoded. They are actually encoded cookies, ...

I agree

Tekkno 1 Junior Poster · Answer 3 · 2009-09-28T21:42:06+00:00

So in your connect.php script, after your query, put something like:

$_SESSION['user'] = $row['user'];
$_SESSION['pass'] = $row['pass'];

Then in your login script, replace

$user = $_COOKIE['user']; //gets the user from the cookies
$pass = $_COOKIE['pass']; //gets the pass from cookies

With

$user = $_SESSION['user'];
$pass = $_SESSION['pass'];

Then in your logout script unset the session.

cwarn23 387 Occupation: Genius Team Colleague Featured Poster · Answer 4 · 2009-09-29T07:28:15+00:00

So in your connect.php script, after your query, put something like:
$_SESSION['user'] = $row['user'];
$_SESSION['pass'] = $row['pass'];
Then in your login script, replace
$user = $_COOKIE['user']; //gets the user from the cookies
$pass = $_COOKIE['pass']; //gets the pass from cookies
With
$user = $_SESSION['user'];
$pass = $_SESSION['pass'];
Then in your logout script unset the session.

I would never do it that way in case the session was somehow hacked. Instead only store the username in the session and validate the password with $_POST['pass'] . After that has been validated set $_SESSION['user'] to the username. Then to check if the person is logged in use if(isset($_SESSION['user'])) . But never store a password or even a hashed password in a session or cookie even though sessions are server side. It's just good practice.

Kruptein 15 Posting Whiz in Training · Answer 5 · 2009-09-29T20:45:56+00:00

Kruptein 15 Posting Whiz in Training

15 Years Ago

I agree with cwarn23

codejoust 8 Junior Poster · Answer 6 · 2009-10-01T08:32:24+00:00

I'd md5 the username and password (creating a 'key'), or hash the user email, and store that in the session instead of 1 using an unsecured cookie, or 2, using an unsecured username and password.
Beware that this method is very insecure and allows for SQL injection hacks. Run a mysql_real_escape on the query, or use the mysqli prepared statements feature to prevent this.