Problems with cookies

jimothy

I've recently been trying to run a script on my site, but it seems that my cookie vaules aren't being stored properly. I'm running apache 2, and php 4.2.1 (http://www.jimothy.net/info.php for all my settings).

I'll post the code from some of the files so you can get an idea of what's going on. This is where the cookies are declared (I think):

// Start Code

// Use Sessions
// NOTE: This will store the username and password entered by the user to the cookie
// variables USERNAME and PASSWORD respectively even if the combination is correct or
// not. Be sure to authenticate every page that you want to be secured and pass as 
// parameters the variables USERNAME and PASSWORD.
setcookie ("USERNAME", $username);
setcookie ("PASSWORD", $password);

include ("auth.php"); 

$Auth = new auth();
$detail = $Auth->authenticate($username, $password);

if ($detail==0)
{
	include ($failure);
}
elseif ($detail == 1) {
	include ($admin);
}
else 
{
	include ($success);
}

I can login fine, my username and password are accepted by the database, and I can get to the admin screen ($detail == 1) thingy. But then there is a user\groups control panel that I am trying to access, and when I try to get to it, I get the "illegal access" message. Now I think the user\groups access panel is protected by a file called check.php (because If I remove the "include ("../check.php");" line, I have no problems - so here is the check.php source.

<?
// DEBUG
// echo $USERNAME;
// echo "\n";
// echo $PASSWORD;

$CheckSecurity = new auth();
$check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
if ($check == false)
{
	// Feel free to change the error message below. Just make sure you put a "\" before
	// any double quote.
	print "<font face=\"Arial, Helvetica, sans-serif\" size=\"5\" color=\"#FF0000\">";
	print "<b>Illegal Access</b>";
	print "</font><br>";
	print "<font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"2\" color=\"#000000\">";
	print "<b>You do not have permission to view this page.</b></font>";


	exit; // End program execution. This will disable continuation of processing the rest of the page.
}

If the first couple lines are uncommented (Debug), then it puts my password in front of the Illegal Access text, but not my username. I'm really stumped here, this script has run on other sites, so maybe it's my php.ini\apache settings? Thanks for the help.

jimothy

this may be relevant source from the auth.php file.

<?php

class auth{
// CHANGE THESE VALUES TO REFLECT YOUR SERVER'S SETTINGS
var $HOST = "localhost"; // DB HOST
var $USERNAME = "root"; // USERNAME
var $PASSWORD = "kitty"; // USER PASSWORD
var $DBNAME = "vsignup"; // DB NAME

// AUTHENTICATE
function authenticate($username, $password) {
	$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
	$UpdateRecords = "UPDATE authuser SET lastlogin = NOW(), logincount = logincount + 1 WHERE uname='$username'";
	$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

	// OLD CODE - DO NOT REMOVE
	// $result = mysql_db_query($this->DBNAME, $query);

	// REVISED CODE
	$SelectedDB = mysql_select_db($this->DBNAME);
	$result = mysql_query($query); 

	$numrows = mysql_num_rows($result);
	$row = mysql_fetch_array($result);

	// CHECK IF THERE ARE RESULTS
	// Logic: If the number of rows of the resulting recordset is 0, that means that no
	// match was found. Meaning, wrong username-password combination.
	if ($numrows == 0) {
		return false;
	}
	elseif ($row["level"]==1) {  // ADMIN LOGIN
		$Update = mysql_query($UpdateRecords);
		return 1;
	}
	else {
		$Update = mysql_query($UpdateRecords);
		return $row;
	}
} // End: function authenticate

// PAGE CHECK
// This function is the one used for every page that is to be secured. This is not the same one
// used in the initial login screen
function page_check($username, $password) {
	$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
	$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

	// OLD CODE - DO NOT REMOVE
	// $result = mysql_db_query($this->DBNAME, $query);

	// REVISED CODE
	$SelectedDB = mysql_select_db($this->DBNAME);
	$result = mysql_query($query); 

	$numrows = mysql_num_rows($result);
	$row = mysql_fetch_array($result);

	// CHECK IF THERE ARE RESULTS
	// Logic: If the number of rows of the resulting recordset is 0, that means that no
	// match was found. Meaning, wrong username-password combination.
	if ($numrows == 0) {
		return false;
	}
	else {
		return $row;
	}
} // End: function page_check