
Cookies & Login !


shadizon


Hello, I read that cookies are a good way to transfer info between pages, so I wrote my own login script, but when I move to the next page it can't read the cookie that I made in the login PHP page!!

<?php
function CheckLoginInDB($username, $password)
{
    $con = mysqli_connect('localhost', 'root', '123', 'users');
    if (!$con) {                          // test the connection before using it
        echo "Database login failed! Please try again";
        return false;
    }
    // Bound parameters instead of interpolating $username/$password into the SQL string
    $stmt = mysqli_prepare($con, "SELECT * FROM users.usrinfo WHERE usrlogin = ? AND usrpass = ?");
    mysqli_stmt_bind_param($stmt, "ss", $username, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);      // required before mysqli_stmt_num_rows()
    $count = mysqli_stmt_num_rows($stmt);
    if ($count != 1) {
        echo "Error logging in. The username or password does not match";
        return false;
    }
    return true;
}

if (empty($_POST['username'])) {
    echo "UserName is empty!<br />";
    exit;                                 // nothing more to do without a username
}
if (empty($_POST['password'])) {
    echo "Password is empty!";
    exit;                                 // a top-level return only returns from the include
}
$username = trim($_POST['username']);
$password = trim($_POST['password']);
if (!CheckLoginInDB($username, $password)) {
    echo "Wrong Password !!";
} else {
    $cookieusr = $_POST['username'];
    // Explicit path "/" so the browser sends the cookie to every page, not only this directory.
    // setcookie() must run before any output, and the cookie only arrives in $_COOKIE on the next request.
    setcookie("user", $cookieusr, time() + 36000, "/");
    echo "You Have logged in successfully !!";
}
?>


How do you use the cookie in the other page? Your cookie will be available in the $_COOKIE superglobal array. Did you check that the cookie is set properly? Using cookies in authentication is not safe: anyone can make a cookie to pretend to be authenticated, and a cookie can be created or edited. The safest way is to use sessions. Sessions also use a session cookie, but it works differently than a normal cookie. http://www.google.co...5Qwpe8N-DwIfHFQ

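The approach this reply recommends, as an added example that is not code from this thread: the browser only ever holds the session id cookie, the user id lives server-side in $_SESSION, the username is bound into the query rather than interpolated, and the password is checked against a stored hash. It assumes a users table with columns id, username and password_hash (produced by password_hash()); the DSN and credentials are placeholders.

```php
<?php
// Added example (not the thread's code): session-based login as the reply recommends.
// Assumptions: a `users` table with columns id, username, password_hash, where password_hash
// was produced by password_hash(); the DSN and credentials below are placeholders.
declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=users;charset=utf8mb4',   // placeholder DSN
        'app_user', 'app_password',                            // placeholder credentials
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Returns the user id on success, null on failure. The username is bound, never interpolated,
// and the password is compared against a stored hash, never against a plaintext column.
function checkLogin(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// login.php: on success only the user id goes into the session. The browser receives nothing
// but the session id cookie (PHPSESSID), which cannot be edited into a valid server-side session.
function handleLogin(PDO $pdo): ?string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return null;
    }
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    if ($username === '' || $password === '') {
        return 'Username and password are required.';
    }
    $id = checkLogin($pdo, $username, $password);
    if ($id === null) {
        return 'Wrong username or password.';
    }
    session_regenerate_id(true);   // fresh id on login defeats session fixation
    $_SESSION['user_id'] = $id;
    header('Location: userindex.php');
    exit;
}

// Put this at the top of every page that needs a logged-in user (what userindex.php does).
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

session_start();                   // before any output, on every page that touches $_SESSION
$error = handleLogin(db());
?>
<?php if ($error !== null): ?><p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form method="post" action="login.php">
  <input name="username" type="text" size="30" /><br />
  <input name="password" type="password" size="30" /><br />
  <input type="submit" value="Login" />
</form>
```

In a real site db(), checkLogin() and requireLogin() would sit in an include; they are kept in one file here so the example runs as a single login.php. Nothing that identifies the user is readable or forgeable on the client side, which is the difference from a "user" cookie that anyone can set by hand.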

Try this... at the top of every page after login (userindex.php):

<?php
session_start(); // Must start session first thing
if (!isset($_SESSION['username'], $_SESSION['password'], $_SESSION['id'])) {
    header("Location: login.php");
    exit();
}
// from here you can use the local $ in your page
$username = $_SESSION['username'];
$password = $_SESSION['password']; // kept from the original; the page only needs id and username, the password never has to live in the session
$id       = $_SESSION['id'];
?>

The login page, login.php:

<?php
session_start();                         // needed before writing to $_SESSION
if (!empty($_POST['username'])) {
    // Connect to the database through our include; assumed here to define $mysqli (a mysqli object)
    include_once "connect_to_your_DB_HERE_mysql.php";
    $username = strip_tags(stripslashes($_POST['username']));
    // filter everything but numbers and letters (preg_replace replaces the removed ereg_replace)
    $password = preg_replace("/[^A-Za-z0-9]/", "", $_POST['password'] ?? '');

    // Make the query with bound parameters, then register all database data that
    // cannot be changed by the member into SESSION variables.
    // Data that you want the member to be able to change
    // should never be set into a SESSION variable.
    $stmt = $mysqli->prepare("SELECT id, username, password FROM users WHERE username = ? AND password = ?");
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute();
    $result = $stmt->get_result();       // needs mysqlnd; use bind_result() otherwise
    if ($result->num_rows > 0) {
        $row = $result->fetch_assoc();
        session_regenerate_id(true);     // new session id once the user is authenticated
        // Get member ID and username into session variables (session_register() is gone; $_SESSION is enough)
        $_SESSION['id']       = $row["id"];
        $_SESSION['username'] = $row["username"];
        // The original also stores the password in the session; userindex.php above checks for it
        $_SESSION['password'] = $row["password"];
        header("Location: userindex.php");
        exit();
    } else {
        // Print login failure message to the user and link them back to your login page
        echo '<br /><br /><font color="#FF0000">Wrong Username or Password, Please Try Again </font><br /><br />';
    }
} // close if post
?>
<form name="form1" method="post" action="login.php">
  <div align="left">
    <input name="username" type="text" id="username" size="30" /><br />
    <input name="password" type="password" id="password" size="30" /><br />
    <input name="Submit" type="submit" value="Login" />
  </div>
</form>


Good stuff. At the link below they mention other important parts for sessions, so I'm wondering if they were already applied in your code? I can't find the part where the session id is in the cookie. I was going to use cookies before reading the comments here because of problems I hear about with sessions, like people's info being stored in some public thing lol at the server which anyone can see, and that a URL can be made to delete users and passwords :0 http://stackoverflow.com/questions/4481250/php-session-security-for-website-login Numbers 1 to 4 are what I got from the link:

"1.) Make sure your session is encrypted. If you are using PHP's built-in sessions, the associated entropy (randomness) is relatively high, so you should be fine.

2.) ONLY store the session id in the cookie. Any other information should simply be associated on the server using that id. I've seen many cases where the system engineer determines if someone is admin if the token 'is_admin' = true in the session. You can obviously see the problem with this. Some will complain that it's an expensive operation, but I recommend creating a (my)SQL table for active sessions. Then, when the page is loaded, pull the associated data from the table and deal with it just as you would any other data. Some frameworks (like CodeIgniter) do this for you by changing one configuration item.

3.) Validate against IP - in your table, add the current IP address. If the current IP doesn't match the one in the session, someone is probably trying to hijack. Force a logout and terminate.

4.) Place limits on login attempts. Adding a 1 second sleep(); server side on each login is virtually unnoticeable to the user, but for an automated system, it makes it virtually impossible to brute force logins."
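Points 2 to 4 of the quoted answer, as an added example that is not code from this thread or from the linked answer: the session cookie is configured so it carries nothing but the id and cannot be read by scripts or sent over plain HTTP, the session is bound to the client at login (with the caveat that strict IP binding logs out legitimate users whose address changes), and login attempts are delayed and counted per username. It assumes PHP 7.3 or later (for the samesite cookie option), an HTTPS deployment, and that an SQLite file in the temp directory is acceptable for the attempt counter; the threshold and window are assumed policy values.

```php
<?php
// Added example (not code from this thread): hardening the PHP session cookie and
// throttling login attempts, following points 2-4 of the quoted answer.
// Assumptions: PHP >= 7.3 (for the 'samesite' cookie option), the site runs over HTTPS,
// and an SQLite file in the temp dir is acceptable for the attempt counter.
declare(strict_types=1);

const MAX_FAILURES   = 5;    // lockout threshold (assumed policy)
const WINDOW_SECONDS = 900;  // 15-minute window (assumed policy)

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Point 3: record what the session was bound to at login. Binding to the full address logs out
// users whose address changes (mobile networks, NAT, proxies), so a mismatch is best treated as
// a reason to ask for the password again, not as proof of hijacking.
function bindSession(): void
{
    $_SESSION['bound_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['bound_ua'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

function sessionBindingOk(): bool
{
    return isset($_SESSION['bound_ip'], $_SESSION['bound_ua'])
        && hash_equals($_SESSION['bound_ip'], $_SERVER['REMOTE_ADDR'] ?? '')
        && hash_equals($_SESSION['bound_ua'], $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function attemptsDb(): PDO
{
    $pdo = new PDO('sqlite:' . sys_get_temp_dir() . '/login_attempts.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS attempts (username TEXT NOT NULL, ts INTEGER NOT NULL)');
    return $pdo;
}

// Point 4: a fixed delay on every attempt, plus a lockout once a username has accumulated
// MAX_FAILURES failures inside WINDOW_SECONDS. Counting per username means an attacker can lock
// a victim out on purpose; counting per source address as well limits that.
function loginAllowed(PDO $pdo, string $username): bool
{
    sleep(1);
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM attempts WHERE username = ? AND ts > ?');
    $stmt->execute([$username, time() - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() < MAX_FAILURES;
}

function recordFailure(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO attempts (username, ts) VALUES (?, ?)');
    $stmt->execute([$username, time()]);
}

function clearFailures(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('DELETE FROM attempts WHERE username = ?');
    $stmt->execute([$username]);
}

// Usage in login.php; checkLogin() stands for whatever verifies the credentials (assumed name):
//   startSecureSession();
//   $pdo = attemptsDb();
//   if (!loginAllowed($pdo, $username)) { exit('Too many attempts, try again later.'); }
//   if (($userId = checkLogin($username, $password)) !== null) {
//       clearFailures($pdo, $username);
//       session_regenerate_id(true);
//       bindSession();
//       $_SESSION['user_id'] = $userId;
//   } else {
//       recordFailure($pdo, $username);
//   }
// Protected pages call startSecureSession() and then sessionBindingOk() before trusting $_SESSION.
```

Point 1 of the quote needs no code: PHP's session id is generated server-side and only that id travels in the cookie, so the session itself is never sent to the browser. Point 2 is what the session store already gives you; the SQL table the answer describes is an alternative backing store, not a change to what the cookie holds.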

This topic is now archived and is closed to further replies.
