11 replies to this topic

[Matt L]

Okay, I'm trying to develop a login system. I can get the login through, but I can't get the cookies to stay.

login.php

<?php
ob_start();
session_start();
require("dbconnect.php");
if($_COOKIE['id'] === TRUE) {
	echo("Welcome back, ".$login['username']." - <a href='./?id=editprofile'>User CP</a> - ");
	echo("<a href='./?id=logout'>Log Out</a>");
	}
else {
	if($_POST['submit']) {
		$user = $_POST['user'];
		$pass = md5($_POST['pass']);
		$log = mysql_query("SELECT * FROM `users` WHERE `username` = '$user'") or die(mysql_error());
		$login = mysql_fetch_array($log);
		if($pass === $login['password']) {
			setcookie("id", $login['id'],time()+(60*60*24*7), "/", "");
			setcookie("pass", $login['password'],time()+(60*60*24*7), "/", "");
			echo ("<meta http-equiv='Refresh' content='2; URL=./' />
				   <img src='images/loading.gif' alt='loading' /> Thank You! You will be redirected to the homepage");
			}
		else {
			echo("Wrong username or password.");
			}
		}
	else { ?>
		<form method='POST'>
		  Username: <input type='text' name='user'>
		  Password: <input type='password' name='pass'>
		  <input type='submit' name='submit' value='Login'>
		  <a href='./?id=register'>Register Here</a>
		</form>
		<?php 
		}
	}
?>

Any help would be greatly appreciated.

[Friiks]

Try using

			setcookie("id", $login['id'],time()+(60*60*24*7));
			setcookie("pass", $login['password'],time()+(60*60*24*7));

instead of

			setcookie("id", $login['id'],time()+(60*60*24*7), "/", "");
			setcookie("pass", $login['password'],time()+(60*60*24*7), "/", "");

...well, atleast I always do it that way and it works for me.

Oh, another thing - check if cookies are set in your browser, if they are then that's not the cookie setting problem.

[.CJ]

Can I just say... it's not a good idea to store the password in a cookie, it's a bit of a security risk.

[Matt L]

Friiks, tried that, no luck.
And CMellor, followed a tutorial, I'm planning to secure it when I've got it to login.

[.CJ]

Ok, cool Just informing you. Try and encrypt it more than once...

[Friiks]

Um, thought so lol...

Well, can you log in? I mean does it echoes

   echo("Welcome back, ".$login['username']." - <a href='./?id=editprofile'>User CP</a> - ");
	echo("<a href='./?id=logout'>Log Out</a>");

that part?

And if you're sure if the cookie is set then try using

if(isset($_COOKIE['id'])){}

instead of

if($_COOKIE['id'] === TRUE){}

Edit:
I tried your code and it didn't work right (I saw what u mean) but if you use

if(isset($_COOKIE['id'])){}

it'll work!

Hope that helps, Matt.

Edited by Friiks, 14 August 2007 - 10:48 AM.

[Matt L]

It works, but signs out whenever you change the page, and it doesn't echo the username.

[Friiks]

You should learn about sessions.

<?php
ob_start();
session_start();
require("dbconnect.php");
if($_COOKIE['id'] === TRUE) {
	echo("Welcome back, ".$_SESSION['username']." - <a href='./?id=editprofile'>User CP</a> - ");
	echo("<a href='./?id=logout'>Log Out</a>");
	}
else {
	if($_POST['submit']) {
		$user = $_POST['user'];
		$pass = md5($_POST['pass']);
		$log = mysql_query("SELECT * FROM `users` WHERE `username` = '$user'") or die(mysql_error());
		$login = mysql_fetch_array($log);
		if($pass === $login['password']) {

			setcookie("id", $login['id'],time()+(60*60*24*7), "/", "");
			setcookie("pass", $login['password'],time()+(60*60*24*7), "/", "");
			
			//set $_SESSION['username'];
			$_SESSION['username'] = $login['username'];

			echo ("<meta http-equiv='Refresh' content='2; URL=./' />
				   <img src='images/loading.gif' alt='loading' /> Thank You! You will be redirected to the homepage");
			}
		else {
			echo("Wrong username or password.");
			}
		}
	else { ?>
		<form method='POST'>
		  Username: <input type='text' name='user'>
		  Password: <input type='password' name='pass'>
		  <input type='submit' name='submit' value='Login'>
		  <a href='./?id=register'>Register Here</a>
		</form>
		<?php
		}
	}
?>

and to keep you logged in put PHP: session_start() at the top of every page

[Matt L]

Tried that. No luck. Anyone else got any help?

[Demonslay]

To further help you, you'll have to give some more specifics. Some php.ini settings affect the way sessions are handled.
Check your browser and make sure the cookie is being set correctly. If it is, and you aren't able to read it again when retrieving it with PHP, then you need to make sure the cookie's domain is correct; usually '/' (root path) works just fine in about any case.

Try simple debugging methods. Use var_dump() on your $_SESSION and $_COOKIE superglobal arrays.

Login systems are quite a common thing to find tutorials on. If the one you are using isn't working, and you cannot figure it out on your own, simply try another one. Theres thousands of tutorials on the exact same system out there.

[Ziggy]

what browser are you using?

[Demonslay]

Also, I just noticed something in Friik's code that may be why it is not logging him in if he used it.
At the top, the cookie 'id' is compared to the boolean TRUE with equivalence, or that is to say in 'strict mode', so it will only ring true if the cookie 'id' is exactly the boolean of TRUE.
The problem is, then, later in the script, when a successful access has been granted, the cookie 'id' is stored as an integer of the user's ID. This of course will not return as the boolean TRUE in an equivalence test, as explained above.

The solution, use a normal comparsion (==) instead of equivalence (===).

Also, if you are still having troubles, check out the open source PHPBB3, and the way they use the function append_sid() to append a session variable to any URL if the SID cookie was not successfully set and/or retrieved. There are times where cookies just won't work for one reason or another, and is something I've run into myself. for example, on my localhost, I have virtual hosts set to Apache, and on one domain, cookies work just fine with logging in and such, whereas on a different domain, they don't. I myself haven't been able to work it out, but by following PHPBB's example and borrowing their append_sid() function, I've had no problems. This is actually a brilliant idea, since it will also degrade for those who's browsers can't/won't allow cookies.