Help me with my first ever cookie....

richblend

Hiya. i need to set a cookie to hold someones username and password for my site. in my PHP book thats been teaching me everything i need to know, it shows how to set a cookie using setcookie(), but in the example it only sets one name/value pair ("vegetable=artichoke", if you'd like to know). Can i set more variables? I'd liek to hold 2, ("username=billybob, password=34hgyt").

How do i do it?

Cheers.

Wok

You could have the cookie hold the value "billybob:34hgyt", and then explode(); the string into an array. Or, you could just set two individual cookies.

I don't have much experience with cookies, however, so I don't know if you can get one cookie to hold more than one value.

superwormy

The only way you can get a cookie to hold more than one value is to serialize() an array of values or something, and unserialize() it later. Otherwise, set two cookies.

Oh... and you realize that storing a username and a password in a cookie is probably the most INSECURE thing you could ever possibly do besides just posting your username and password on the internet for everyone to see... right?

richblend

well you see thats what i thought, but then i was looking in a cookie on my hard drive set by a big professional site, and that contained my username and password; pretty sure so it could do the whole "remember my password on this pc". how else would i do it?

superwormy

If I jumped off a bridge and told you you should too... would you jump with me and plummet to your death? Just because some other moron doesn't know what he's doing doesnt mean you should too!

Save a unique random generated ID in the cookie, and have that correspond to your record in the database. If the unique ID is present when you visit their page, check to see if it matches something in the database, and use that records password.

What website did this out of curiosity?

richblend

I jumped off a bridge once.

The site is called www.lookitsme.co.uk

An english version of faceparty.com

I just double checked, and sure enough, in the cookie is says

password (square thing) (my password)

superwormy

Holy shit man... you arn't kidding... plain text passwords in cookies, stupid jerks, I'm gonna email them.

Wok

Just out of interest, assuming a site did leave usernames and passwords in cookies, how would that be a security risk?

Surely if somebody was trying to edit their cookies to crack the site, they'd still need a valid user/pass combination to gain access to somebody's account.

What am I missing here?

superwormy

You go and use a public computer to login to site. It stores cookie on that computer with your password.

You leave.

The next guy comes along, knows what he's doing and looks at the cookies on the computer. Now he knows your username and password. :-)

How many ofyou guys use the same username / password for onlien credit card accounts / Paypal / email / forums / bank account login as you do for everything else? So now he can use your paypal, credit cards, find you SS# by getting acount #s, check your email...

Wok

Okay, good point 😉

superwormy

UPDATE, THE DUDE FROM THAT WEBSITE EMAILED ME BACK, HERES HIS RESPONSE:

Hi Keith,
Thank you for your email, we do know about this risk, and it has only been like this for 3 days as we are moving servers. By next week there will be no cookies on our site at all. As we will be using Sessions instead of Cookies.

Please can you Update the Board Below and imform them of my actions as i've tryed to join but it wont let me post a reply.

Also if your using a puplic PC - I would 100% say the user would not click on Save Password and if this is not selected no login info is saved. Also you get auto logged out after 20mins also.

Thanks
Sean Milne
LIM Webmaster

Kudos for him being so prompt about it and fixing the problem. I assume by his message he'll be just propagating the session through cookies or through the URL like I mentioned how to do above...

seanyboy

Hiya people - Its Sean - LIM Webmaster - We are moving servers at the moment to our NEW DATACENTER - So we are running the site of its backup......

From next week there will BE NO COOKIES on lookitsme - it will all be done by sessions.

Thank you for your input.

And if any of you guys want to join please feel free and i will upgrade you for FREE with Platinum & Video Upgrades - Just email saying PHP Boards and your LIM Nicknames

Cheers
Sean Milne
LIM Webmaster