> On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson<jason@xxxxxxxxxxxxxx> wrote:
>>> Hello everyone,
>>>
>>> I am trying to create a PHP login script using cookies but am having
>>> some troubles. Here is my setup
>>>
>>>   index.php -> authenticate.php -> admin.php
>>>
>>> I want a login form on index.php that allows me to log in with my
>>> username and password and then passes $_POST['username'] and
>>> $_POST['password'] to authenticate.php
>>>
>>> Then authenticate.php authenticates against a database of allowed users
>>> (which I already have set up and it works fine), if a valid user has
>>> entered the correct information then admin.php is loaded...
>>>
>>> header("location:admin.php");
>>>
>>> ...the admin.php code would look something like the following..
>>>
>>> <?php
>>> if (isset($_COOKIE['username'])) {
>>>     echo "success!";
>>> } else {
>>>     echo "Failure";
>>> }
>>> ?>
>>>
>>> So basically I think I need to create a cookie from index.php OR
>>> authenticate.php and then pass the information to admin.php.
>>> I set the cookie like this...
>>>
>>> setcookie("Admin", $username);
>>>
>>> Which file (index.php OR authenticate.php) do I create the cookie in and
>>> how do I access the information in the cookie on admin.php?
>>>
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>> I finally got it working. I needed to setcookie() in login.php. Also,
>> the names of the cookies (using setcookie()) were wrong (the names were
>> "Admin" when they should have been "adminuser" and "adminpass"). Once I
>> fixed that then the following worked in admin.php...
>>
>> <?php
>> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>>     echo "Success";
>> } else {
>>     echo "Failed";
>> }
>> ?>
>>
>
> You're not storing anything usable in the adminpass cookie, are you?
> It sort of sounds like you're storing a password, or even a passhash,
> in the cookie and you might want to rethink what that cookie contains
> to prevent session hijacking.
>

Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
it? If so, how? If not, what should I do? I am new to programming and PHP
web development so I am not aware of all the security problems that can
occur.
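
One way to act on the reply's concern, as an added example that is not part of the original thread: keep only PHP's random session ID in the cookie and hold the login state on the server, so no password or password hash ever reaches the browser. The function names, the sample user record and the use of PHP 7.3+ cookie options are assumptions; `check_credentials()` stands in for the poster's existing database check.

```php
<?php
// Added example, not code from the thread. Intended to be shared by
// authenticate.php and admin.php (file names taken from the thread).

function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical stand-in for the poster's database lookup.
function check_credentials(string $user, string $pass): bool
{
    // Constructed sample record; a real site would fetch the stored hash
    // (created once with password_hash()) from its users table.
    $users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// authenticate.php: call with $_POST['username'] and $_POST['password'].
function log_in(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);     // new ID after login (blocks fixation)
    $_SESSION['adminuser'] = $user;  // kept on the server, not in the cookie
    return true;
}

// admin.php: the cookie carries only the session ID, so there is no
// username or password in it for a client to read or forge.
function require_login(): string
{
    if (empty($_SESSION['adminuser'])) {
        header('Location: index.php');
        exit;
    }
    return $_SESSION['adminuser'];
}
```

Both pages call `start_secure_session()` first; authenticate.php then calls `log_in()` and redirects to admin.php on success, and admin.php calls `require_login()` before producing any output.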