Solved

PHP Cookie

Posted on 2003-11-14
5
374 Views
Last Modified: 2008-03-06
I have a some PHP code I just installed to create a password protection scheme for a site. I downloaded it here: http://www.webworkzware.com/index.php/page/password_protection. The problem is that the script is supposed to set a cookie so that the user does not have to continually log in, but for some reason it will not work and I get an error that says I must set my browser to accept cookies - even though I know it is set to accept all cookies. Below is the code from the access_control.inc that I include in every directory I want to protect. Anyone used this before? I know its a longshot, but I am desperate! Thanks.  



<?
include ("config.inc");
include ("errors.inc");
include ("common.inc");
include ("connect.inc");




while (list($var, $val) = each ($HTTP_GET_VARS))
{
IF ($var == "cookieid")
{
echo ("You can not pass login parameters via GET operations.");
exit();
}
}

reset($HTTP_GET_VARS);




while (list($var, $val) = each ($HTTP_POST_VARS))
{
IF ($var == "cookieid")
{
echo ("You can not pass login parameters via POST operations.");
exit();
}
}

reset($HTTP_POST_VARS);




IF (isset($uid) AND !isset($cookieid))
{
$grabuser = "SELECT recID FROM user WHERE username = '$uid' AND password = '$pwd'";
$result = @mysql_query($grabuser);
sql_query($result, "$errors[03]");

IF (mysql_num_rows($result) == 0)
{
error ("$errors[04]");
include ("login_form.inc");
exit();
}

ELSE
{
$userid = @mysql_result($result,0,"recID");

$cookie_setter = @setcookie ("cookieid", $userid, time()+$maxlifetime);

IF (!$cookie_setter)
{
error ("$errors[05]");
}

ELSE
{
?>
<META HTTP-EQUIV=Refresh CONTENT="2; URL=<? echo ("$PHP_SELF"); ?>">

Please hold one second while we process your login...<br>
If this page does not refresh in 3 seconds, <A HREF="<? echo ("$PHP_SELF"); ?>">click here</a>.
<?
}

}

}


ELSE IF (!isset($uid) AND !isset($cookieid))
{
include ("login_form.inc");
exit();
}


?>
0
Comment
Question by:sundevil67
5 Comments
 
LVL 14

Accepted Solution

by:
ThG earned 25 total points
ID: 9749879

Your script looks quite outdated, maybe it's only supposed to work on older PHP versions. You should try doing this cookies stuff yourself as it's trivial to do. The common way to go is, store username/password in a cookie, encrypting the password with the md5() function. You can compare the sent password by md5()'ing again your local password.
0
 
LVL 11

Assisted Solution

by:Zontar
Zontar earned 25 total points
ID: 9755545
Why not just get and set a cookie variable named something like $_COOKIE["login"] or $_COOKIE["loginid"], or better yet use $_SESSION which will work whether or not the user has cookies turned on in the browser?

Also you can use outbut buffering so that you can echo output, then use header() afterwards. In fact, I wouldn't echo anything unless the login fails, I'd just immediately redirect using header("Location: ...") or else post back to the same page the user logged in from.
0
 
LVL 6

Expert Comment

by:aolXFT
ID: 9760020
That looks like a very badly written script. I personally suggest you forget about it and use PHP's builtin session management.

0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to count occurrences of each item in an array.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question