cookies

IndianaRogers

I am creating cookies with the setcookies() method as follows:

setcookie ('USERNAME', $username);
setcookie ('PASSWORD', $password);

When accessing the cookies on subsequent pages, the cookies do not always hold the expected values. For instance the PASSWORD cookie might hold the proper value but the USERNAME cookie would not have any value at all. I know that the $username and $password variables hold the proper values when the cookies are set. Any ideas? - thanks.

rubric

I don't have a solution for your problem yet, but I just wanted to tell you not to put anyone's password on a cookie. Avoid that any way possible.

Rubric

sgoku01

You are not reading the cookies out with the same scripts that sets them?? Because that can cause problems too..

Did you try to set an expire time?
e.g.

setcookie("Username", $username, time()+3600);

sgoku01

Originally posted by rubric
I don't have a solution for your problem yet, but I just wanted to tell you not to put anyone's password on a cookie. Avoid that any way possible.

Rubric

You can put them in a cookie if you encrypt them well 😉 (like md5)

ahundiak

sguk01,
Even is the password is encrypted, someone can still take the whole cookie and possibly use it to access the site.

sgoku01

Yeah, I know, but how do you want to get the cookie???
And how do you think this forum (and many others like phpBB, InvisionBoard, etc.) work??

rubric

Originally posted by sgoku01
Yeah, I know, but how do you want to get the cookie???
And how do you think this forum (and many others like phpBB, InvisionBoard, etc.) work??

When you log on, they varify if the password matches the username and then they place a cookie on your computer with session variables, ip, username, etc., but not the password. The cookie would have never been placed on the computer if the password wasn't correct in the first place. So, they have no need to place the password in the cookie because they know the cookie itself on that machine is enough ID to enter the site.

Rubric

sgoku01

The cookie would have never been placed on the computer if the password wasn't correct in the first place

😕 Why should IndianaRogers place the cookie, when the password is incorrect???

When you log on, they varify if the password matches the username and then they place a cookie on your computer with session variables, ip, username, etc., but not the password

eeuh, they don't trow the cookie with the password away...

If I could steal your cookie for, lets say, this forum, I would have 'rubric-access'. Simple as that.

rubric

Why should IndianaRogers place the cookie, when the password is incorrect???

I said the cookie shouldn't be used if the password is incorrect.

eeuh, they don't trow the cookie with the password away...
If I could steal your cookie for, lets say, this forum, I would have 'rubric-access'. Simple as that.

Then what is the point of the password if the cookie let's you in with or without it? Either way, and this is why cookies are sometimes bad, if someone stole it from your computer, whether is had the password on it or not, it will let you in. So explain to me again, what's the point of the password being on the cookie?

ahundiak

Maybe the board developer could chime in here.

Does phpbuilder even use cookies? I see the big s=whatever in the url which I assume is a session id? Periodically, the system requires me to reenter my password. If the password was in a cookie then I would assume it would just ask for the cookie.

I know I don't store passwords for the clients for my sites. Of course, I don't use cookies either but that's another issue.

IndianaRogers

Perhaps the better question is:

What are some alternative ways to authenticate users withoput using cookies?

sgoku01

I (and many other people) use cookies for automatically loggin into websites.
When I go to this site, I don't have to login, because there is a cookie on my computer from this forum.

But before the forum loads my data, it wants to know if the cookie is correct, so it's gonna check it.
This is the cookie from this forum:

bbuserid: 123456789
(blah...)
bbpassword: mypassword
(blah...)

When I enter the site, the forum looks searches into a database for my userid. When it founds it, it will select the password. Then he compares the two passwords (from the database and from the cookie) with eachother. When they are the same, you are logged in, else the cookie will be deleted.

Why they put the password in the cookie??
Well if the cookie is like this:

bbuserid: 123456789
(blah...)

Then I could easilly make a cookie with a random userid, and log in under every account I want!

sgoku01

Originally posted by IndianaRogers
Perhaps the better question is:

What are some alternative ways to authenticate users withoput using cookies?

Ask users every time when they visit the site to log themselfs in. Then make a unique session and attach that to the user. (you can find lots of scripts on the internet).