> On Mon, Jul 6, 2009 at 2:01 AM, Jason Carson<jason@xxxxxxxxxxxxxx> wrote:
>>> On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson<jason@xxxxxxxxxxxxxx>
>>> wrote:
>>>>> Hello everyone,
>>>>>
>>>>> I am trying to create a PHP login script using cookies but am having
>>>>> some troubles. Here is my setup
>>>>>
>>>>>     index.php -> authenticate.php -> admin.php
>>>>>
>>>>> I want a login form on index.php that allows me to login with my
>>>>> username and password and then passes $_POST['username'] and
>>>>> $_POST['password'] to authenticate.php
>>>>>
>>>>> Then authenticate.php authenticates against a database of allowed
>>>>> users (which I already have set up and it works fine); if a valid user
>>>>> has entered the correct information then admin.php is loaded...
>>>>>
>>>>> header("location:admin.php");
>>>>>
>>>>> ...the admin.php code would look something like the following..
>>>>>
>>>>> <?php
>>>>> if (isset($_COOKIE['username'])) {
>>>>>     echo "success!";
>>>>> } else {
>>>>>     echo "Failure";
>>>>> }
>>>>> ?>
>>>>>
>>>>> So basically I think I need to create a cookie from index.php OR
>>>>> authenticate.php and then pass the information to admin.php.
>>>>> I set the cookie like this...
>>>>>
>>>>> setcookie("Admin", $username);
>>>>>
>>>>> In which file (index.php OR authenticate.php) do I create the cookie,
>>>>> and how do I access the information in the cookie on admin.php?
>>>>>
>>>>> --
>>>>> PHP General Mailing List (http://www.php.net/)
>>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>>
>>>> I finally got it working. I needed to setcookie() in login.php. Also,
>>>> the names of the cookies (using setcookie()) were wrong (the names were
>>>> "Admin" when they should have been "adminuser" and "adminpass"). Once I
>>>> fixed that then the following worked in admin.php...
>>>> <?php
>>>> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>>>>     echo "Success";
>>>> } else {
>>>>     echo "Failed";
>>>> }
>>>> ?>
>>>>
>>> You're not storing anything usable in the adminpass cookie, are you?
>>> It sort of sounds like you're storing a password, or even a passhash,
>>> in the cookie and you might want to rethink what that cookie contains
>>> to prevent session hijacking.
>>>
>> Yeah, I am storing an unencrypted password in the cookie. Should I
>> encrypt it, if so how, if not what should I do?
>>
>> I am new to programming and PHP web development so I am not aware of all
>> the security problems that can occur.
>>
> That's an enormous question without an easy, or even a correct answer.
> I'd start by googling around for "session hijacking." One of the
> things that's probably not PC to say, is don't learn to prevent
> session hijacking, learn to hijack sessions. Once you know how to
> hijack a session, you can audit your own code and fix the security
> holes.
>
> Although the best advice would probably be to find someone else's
> session implementation and use that, seeing as there's no real reason
> to recreate such a worn-in wheel.
>
ok, I have two sets of scripts here. One uses setcookie() for logging into
the admin panel and the other uses session_start(). Both are working fine,
is one more secure than the other?
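Added example, not code from the thread or from any of its participants, showing the difference the reply is pointing at: the adminuser/adminpass check above trusts values the browser sends, whereas a session keeps the logged-in state on the server and hands the browser only a random ID. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and for password_hash()/password_verify(), none of which existed in 2009), an HTTPS site, and a constructed in-memory user table standing in for the poster's database; the function names start_secure_session(), login(), require_login() and logout() are mine.

```php
<?php
// Added example: not code from the mailing-list thread. Assumes PHP >= 7.3
// and HTTPS. The user table below is constructed for the demo.
declare(strict_types=1);

// Constructed stand-in for the poster's "database of allowed users".
// Only password hashes are stored; the plaintext never touches disk.
function user_table(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'jason' => ['id' => 1, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

// 1. The cookie scheme from the thread, and why it fails.
// The server sets the cookies, but whoever makes the request decides what
// comes back. isset() only checks presence, so
//     curl -b 'adminuser=x; adminpass=y' https://host/admin.php
// is "logged in". Even if the values were checked against the database,
// the plaintext password would travel with every request and sit in the
// browser's cookie jar, which is exactly what session hijacking collects.
function cookie_scheme_is_logged_in(array $cookies): bool
{
    return isset($cookies['adminuser']) && isset($cookies['adminpass']);
}

// 2. Session-based replacement. Must run before any output is sent.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Strict', // not sent on cross-site requests (limits CSRF)
    ]);
    session_start();
}

// authenticate.php: verify the POSTed credentials, then record only the
// fact "user N is logged in" server-side. The browser receives a random
// session ID, never the username or the password.
function login(string $username, string $password): bool
{
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $users = user_table();
    $known = isset($users[$username]);
    // Always run password_verify(), even for unknown users, so the response
    // time does not reveal which usernames exist.
    $ok = password_verify($password, $known ? $users[$username]['hash'] : $dummy_hash);
    if (!$ok || !$known) {
        return false;
    }
    start_secure_session();
    // Fresh ID on privilege change: a session ID an attacker planted or
    // observed before login (session fixation) becomes worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $users[$username]['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// admin.php: the check the thread's isset($_COOKIE[...]) was reaching for.
function require_login(int $max_age = 3600): void
{
    start_secure_session();
    if (!isset($_SESSION['user_id']) || time() - $_SESSION['login_at'] > $max_age) {
        session_unset();
        session_destroy();
        header('Location: index.php', true, 303);
        exit;
    }
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    // Expire the session cookie in the browser as well as on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage (authenticate.php, after the form on index.php POSTs to it):
//   if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: admin.php', true, 303);
//       exit;
//   }
// Usage (top of admin.php): require_login();
```

The answer to the final question in the thread is therefore not "session_start() is more secure" on its own: a session is only as safe as its ID, so the cookie flags, the session_regenerate_id() call after login, and the idle timeout are what keep a stolen or guessed ID from being enough, and the database lookup with password_verify() happens exactly once, at login, rather than on every request from a cookie the client controls.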