PHP Cookies

! Whitey !

I am trying to write a logging in and out script using PHP and cookies.

It logs a user in fine, but then they can't log out!

On the log in page basically it looks to see if there is a cookie on the user's machine with their username and password, and if there is it takes them directly to the members area.

When logout is clicked it is meant to modify the cookie so the time is in the past and therefore won't work because it's expired.

But it's just taking the user to the login page and then back to the members area.

Here is the code:

Log in page:

PHP:
// Check to see if there is a login cookie
if (isset($_COOKIE['ID_my_site'])) {
    // check username and password and if they match go to members area
    // else show log in form
}

// if the login form is submitted
if (isset($_POST['submit'])) {
    // check username and password is correct
    // set the cookie
    $hour = time() + 3600; // 1 hour (60 x 60)
    setcookie('ID_my_site', $username, $hour);
    setcookie('Key_my_site', $pass, $hour);
    // redirect to members area
    // else show log in form
}

Log out page:

PHP:
$past = time() - 120; // 120 seconds in the past
$msg = "gone";
setcookie('ID_my_site', $msg, $past);
// redirect to log in page
header("Location: ../login.php");

After trying (almost) everything, I don't know if it's the "if(isset($_COOKIE['ID_my_site'])) {" part. Is this just checking there is a cookie and not checking if it is in date?!

If it is can someone tell me how I could check the cookie exists and is in date?!

Thanks,

Dave
 
I tried your code and it deletes the cookie just fine, I'm not sure what your issue is.

However, what you're doing is very insecure and very unwise. Never store an unencrypted password in a cookie. At the very least, add a small SHA1 algorithm to it so that it's not plain text. Anyone with a packet sniffer could grab these cookies and steal your login.

Also, you only need to make one cookie. Something like this:

PHP:
// login.php

setcookie('login','username|password',time()+3600,'/');

PHP:
// check login

$cookie = $_COOKIE['login'];

$cookie = explode ('|',$cookie);

$username = $cookie[0];
$password = $cookie[1];

However, this is also not very secure. The reason being is that if anyone copied your cookie, they are automatically logged in. Ideally you would want to make a MySQL sessions table and store the information that way.

Hope I helped.
 
Hi,

Thanks for the post!

I was following the logging in script tutorial from the About.com website.

I modified it a bit and it never set the time back and logged you straight in again.

So this time I used exactly what they got on their site.

View it here

It seems to work in Firefox but in IE if you click logout it takes you to the login page, but if you type in members.php you can access it (this isn't meant to happen after you click logout is it?!)

Can anyone suggest another tutorial that works in both browsers and is secure?!

Thank You,

Dave
 
You're going to want to use some kind of sessions. Either use PHP's built-in $_SESSION superglobal and session functions, or use a MySQL database (which I recommend).

Developing Custom PHP Sessions

Here's a good tutorial on making MySQL database sessions. This is the most secure and efficient way to do it.
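
The built-in session approach recommended in the last reply, as an added example that is not code from the thread or the linked tutorial. It assumes PHP 7.3 or later and a site served over HTTPS; the `$users` array, its sample password and the function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ and an HTTPS site.
// $users is a constructed stand-in for a real user table.
$users = ['dave' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// Define the cookie attributes once so every page sets and clears the same cookie.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: gone when the browser closes
    'path'     => '/',      // same path whichever directory the script is in
    'secure'   => true,     // never sent over plain HTTP
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function login(array $users, string $username, string $password): bool
{
    // Check the stored hash; only the random session ID ever goes in the cookie.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);           // fresh ID after login
    $_SESSION['username'] = $username;
    $_SESSION['expires']  = time() + 3600; // expiry is tracked on the server
    return true;
}

function current_user(): ?string
{
    // Browsers send only name=value, never the expiry date, so "is it still
    // in date" has to be answered from server-side state.
    if (!isset($_SESSION['username'], $_SESSION['expires']) || $_SESSION['expires'] < time()) {
        return null;
    }
    return $_SESSION['username'];
}

function logout(): void
{
    $_SESSION = [];                        // drop server-side state first
    $p = session_get_cookie_params();
    // Expire the cookie with the same path and domain it was set with,
    // otherwise the browser treats it as a different cookie and keeps the old one.
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

A page such as members.php would call `current_user()` at the top and redirect to the login page when it returns null.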
 