Cookies and Login System

Radon3k

I've developed a login system which works just fine. However I would now like to add cookies into it. This is the basic layout of the login system:

Login page:
- Login. If it's accpeted, move to the next area, if not, enter correct user name and password. If accepted, cookie is set.

--Member's Area:
--- If login from login page was correct and cookie is set, show content, if not, redirect to login page.

That is the basic layout of how I would like it to work. However I need someone to point me in the right direction. I would like to learn more about cookies and how you set them and get them to work as well as how to create the above. I'm not looking for someone to write the code for me, just point me in the right direction.

Thanks! 🙂

batman

I know there has been some rumors of how "unsafe" sessions are, but I would still point you in that direction.

Anyways....Take a look at this. It deals with all sessions and cookies.

Radon3k

Don't sessions expire when you leave the site? The whole point of using cookies is so that users don't have to keep logging in.

batman

Not when you leave the site, but when you close the browser down it does. If you want to use cookies, then look at this.

Radon3k

That seems easy enough. The next question is, do you just set the user name and password as variables for the cookie? If so, then how do you get a page to check to see if a cookie has been set?

juschillinnow

if(!isset($HTTP_COOKIE_VARS["user"])
{
setcookie("user[]", $user);
setcookie("user[]", $pass);
}

Radon3k

Originally posted by juschillinnow
if(!isset($HTTP_COOKIE_VARS["user"])
{
setcookie("user[]", $user);
setcookie("user[]", $pass);
}

Thanks for that. But why did you make user an array if there's no variables inside it?

juschillinnow

because by making it an array, it will build it's own self with the values of $user and $pass.

This will keep you from having to check a new cookie every time.

for example:

if(!isset($HTTP_COOKIE_VARS["user"]))
{
setcookie.....
}
if(!isset($HTTP_COOKIE_VARS["pass"]))
{
setcookie.....
}

it allows you to just check one cookie. and then referencing them is as easy as putting a [0], [1] at the end:

echo $HTTP_COOKIE_VARS["user"][0];
will return the value of $user and
echo $HTTP_COOKIE_VARS["user"][1];
will return the value or $pass

Radon3k

Thanks for that. I appreciate it. Now my login script doesn't work with cookies. Here's the code from login.php:

<?php setcookie("user[]", $uname);
setcookie("user[]", $passwd);
?>

    <?php
  if(empty($_POST['uname']) OR empty($_POST['passwd'])) {
  	?>
    <form name="memberlogin" id="memloginform" method="post" action="/ilog/members/index.php">
      <p align="center"><font color="#696969" size="-1" face="Tahoma">User 
        name:</font> 
        <input type="text" name="uname" class="txtfield" />
      </p>
      <p align="center"><font color="#696969" size="-1">Password:</font>&nbsp;&nbsp; 
        <input type="password" name="passwd" class="txtfield" />
      </p>
      <p align="center">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
        <input type="submit" name="submit" value="Login" class="btnsubmit" />
      </p>
    </form>
    <?php
  }
  if($_POST['submit']) {

  $login = mysql_query("SELECT * FROM members WHERE `username` = '{$_POST['$uname']}' AND `password` = '" .md5($_POST['passwd'])."'");
  $num = mysql_num_rows($login);
  if($num > 0) {
  	?>
    <form name="memberlogin" id="memloginform" method="post" action="/ilog/members/members.php">
      <p align="center"><font color="#696969" size="-1" face="Tahoma">User 
        name:</font> 
        <input type="text" name="uname" class="txtfield" />
      </p>
      <p align="center"><font color="#696969" size="-1">Password:</font>&nbsp;&nbsp; 
        <input type="password" name="passwd" class="txtfield" />
      </p>
      <p align="center">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
        <input type="submit" name="submit" value="Login" class="btnsubmit" />
      </p>
    </form>
    <div align="center"><font color="#696969" size="-1" face="Tahoma"><b>Invalid 
      user name and/or password. Please try again.</b></font> 
      <?php
  } else {
  ?>
      <strong><font color="#696969" size="-1" face="Tahoma">Welcome, <?php echo($uname) ?>!</font></strong> 
      <?php
  }
  }
  ?>

Now that works just fine. The problem is the page it redirects you to. If I add this to the top it doesn't work, but if I leave it out, it works fine.

// This is the top of the member's page.
if(empty($HTTP_COOKIE_VARS["user"])) {
header("Location: /index.php");
}

With that in place it has me keep going back to the login page. What can I do to fix this? Thanks. 🙂

juschillinnow

it's probably because of this line:

setcookie("user[]", $uname); 
setcookie("user[]", $passwd);

this needs to be in a conditional statment.

Here's what you are doing:

you are checking to see if cookie user is set. If it's not you are setting it and redirecting to the page at the top. problem is becaue the code at the top is not conditional, it resets the cookie. but because $uname and $passwd is not passed, it now becomes null. In which case, you are setting your cookie to have an empy value making NOT SET.

so the script sends you right back around to do the same thing again.

Should be like:

if(empty($HTTP_COOKIE_VARS["user"])) {
setcookie("user[]", $uname); 
setcookie("user[]", $passwd); 
header("Location: /index.php"); 
}

and erase the:

setcookie("user[]", $uname);
setcookie("user[]", $passwd);

at the top:

Now what you are doing is checking to see if the cookie is set, if not then you assign a cookie and redirect the page. When it reloads the cookie is now set and does not need to be set again and thus, it should work.

Radon3k

I understand. That makes sense, thanks! I do have one question though. If, on the member's page, a cookie is not set yet, why would you want to set the cookie and then redirect them? Wouldn't you want to just redirect them and then have it set the cookie? Or will it matter because the cookie will be set, it just needs information passed to it? Thanks.

juschillinnow

once again, the problem is.... if you redirect to a page that sets the cookie....the next time that page loads (someone clicks on a link, clicks refresh) the cookie will try setting itself again. If the values do not get passed (which they won't if someone clicks refresh) the cookie will get a null value, defeating what you are trying to accomplish in the first place.

########### index.php ##########

<?
if($login == "Login")
{
include("dbconnect.php");
$query = "select * from users where uid = '$user' and up = '$pass'";
$result = mysql_query($query, $mysql_link);
if(mysql_affected_rows() != 0)
{
setcookie("user[]", $user);
setcookie("user[]", $pass);
Header('Location: $PHP_SELF?login=0');
}
else
{
Header('Location: $PHP_SELF?error=no%20good&login=0');
}

}
if(!isset($HTTPS_COOKIE_VARS["user"]))
{
echo $error."<br>";
?>
<form action="<?$PHP_SELF?>" method=post>
user: <input type=text name=user><br>
pass: <input type=text name=pass><br>
<input type=submit name=login value=Login>
</form>
<?
}
else
{
echo "Welcome";
}
?>

here's a very primitive example. Make sure you make the mysql_query to match what you use.

Radon3k

Ok I think I'm trying to make more out of this than what I should be. In fact, I think I've confused myself to the point of not even knowing what I'm doing right or wrong. :o

What I'm trying to accomplsih is this:
A user goes to the site and they go to the login.php page. They enter their user name and password and hit "login". If the user name and password is correct then a cookie is set and they are redirected to the members page.

If a user goes to that page and they are already logged in (because of that cookie) then they are redirected to the member's page without having to login again.

The login page is at /ilog/login.php.

Now the member's area is located at /ilog/members/. On all of the pages there I want it to check to see if they are logged in, if they are, show them the content, if not then redirect them to /ilog/login.php.

This is my new login.php:

        <?php
	  if(empty($_POST['uname']) OR empty($_POST['passwd'])) {
	  	?>
        <form name="memberlogin" id="memloginform" method="post" action="/ilog/members/index.php">
          <p align="center"><font color="#696969" size="-1" face="Tahoma">User 
            name:</font> 
            <input type="text" name="uname" class="txtfield" />
          </p>
          <p align="center"><font color="#696969" size="-1">Password:</font>&nbsp;&nbsp; 
            <input type="password" name="passwd" class="txtfield" />
          </p>
          <p align="center">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
            <input type="submit" name="submit" value="Login" class="btnsubmit" />
          </p>
        </form>
        <?php
	  }
	  if($_POST['submit']) {
	  $login = mysql_query("SELECT * FROM members WHERE `username` = '{$_POST['$uname']}' AND `password` = '" .md5($_POST['passwd'])."'");
	  $num = mysql_num_rows($login);
	  if($num > 0) {
	  setcookie("user[]", $uname);
	  setcookie("user[]", $passwd);
	  header("Location: /ilog/members/index.php");
	  	?>
        <form name="memberlogin" id="memloginform" method="post" action="/ilog/members/index.php">
          <p align="center"><font color="#696969" size="-1" face="Tahoma">User 
            name:</font> 
            <input type="text" name="uname" class="txtfield" />
          </p>
          <p align="center"><font color="#696969" size="-1">Password:</font>&nbsp;&nbsp; 
            <input type="password" name="passwd" class="txtfield" />
          </p>
          <p align="center">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
            <input type="submit" name="submit" value="Login" class="btnsubmit" />
          </p>
        </form>
        <div align="center"><font color="#696969" size="-1" face="Tahoma"><b>Invalid 
          user name and/or password. Please try again.</b></font> 
          <?php
	  }
	  }
	  ?>

I realize that the header function won't work, but it redirects me anwyay because of the action. There is nothing in the /ilog/members/index.php currently that checks to see if they are logged in, so right now everyone can view the content. Am I making too much out of this? I do appreciate the help, however. 🙂

juschillinnow

no, not at all. This is a very common practice.

here, I'll demonstate this with a flat db.

######### index.php ##########

<?
include("login.php");
if(!isset($HTTPS_COOKIE_VARS["logged"]))
{
if(!isset($status))
{
$status = "No";
}
echo "Welcome To My Site.<br>";
if($status == "No")
{
?>
<form action="<?$PHP_SELF?>" method=post>
User: <input type=text name=user>
Pass: <input type=text name=pass>
<input type=submit name=submit value=Login>
</form>
<?
}
}
else
{
echo "You are already logged in";
}
?>

####### end index.php #########

########## login.php #########

if($submit == "Login")
{
$file = "data.db";
$check = "$user $pass";
$db = file($file);
for($i=0; $i<count($db); $i++)
{
if($db[$i] == $check)
{
$status = "Yes";
setcookie("logged[]", $user);
setcookie("logged[]", $pass);
} 
}
}

######## end login.php ########

######### data.db ###########

noodle head

####### end data.db ##########

once again. Here is a primitive example and should not be used. but if you make the appropriate files and run those in the same directory, you should be able to see what you need to accomplish.

haven't tested it, but I think it should work

Radon3k

Well I think I'm slowly but surely getting there. However, I can't include login.php because it has HTML and such in it, and I received an error when I tried to include it. I believe that the login.php file is fine now, but it's the /ilog/members/index.php file that is not. Here is the relevant code, and you'll see that a problem that exists is the header function. That won't work because the headers were already sent out. Is there a way to get around this?

<?php
if(!isset($HTTP_COOKIE_VARS["user"])) {
if(!isset($status)) {
$status = 0;
}

// HTML and content is below

  if($status == 0) {
  header("Location: /ilog/login.php");
  }
  }
  ?>

I realize that I'm changing your code around, however I'm trying to adjust it to fit my site. Thank you very much for the help you've been providing, I am learning from this. 🙂

juschillinnow

ok. Then do this.

Don't use headers.

Instead....do this in the order shown in your page:

1) if form is submitted and user and pass match, set cookie, otherwise send back or show the login form again.

2) check to see if cookie is set

3) if it is not then show login form

4) if it is then go on to the next thing.

Because php reads code from top to bottom, utilize this to work for you.

Tell me if that makes sense.

Radon3k

I don't get it. I didn't touch any of the stuff that Dreamweaver put in there by default and it's now throwing XML errors at me. I'm getting very frustrated with all of this.

Radon3k

I still can't get it to work properly. I've tried a ton of different combinations and nothing is working. I don't know what else to do. 🙁

Radon3k

I've narrowed the problem down to it's not setting the cookies properly. Everytime I type my user name and password in it just keeps having me go back to the login.php page. Any suggestions?

benkillin

I didnt bother reading the rest of the thred, but try this (not code)

have the login page...

in the validation page, check the values in the mysql db, and if the user is indeed a registered user, define the $_POST var like:

$username = $_POST['username'];

then set the cookie:

setcookie("is_logged_in_cookie", $username, time()+606024);

that will make a cookie named "is_logged_in_cookie" with the username inside it, and it will expire in a day. you also may want to set the domain name in the function too, so it will be harder for malicious users to forge the cookie.

Now, on a page that checks to make sure the user has the cookie, do this:

if(isset($_COOKIE['is_logged_in_cookie'])){

that will make sure the cookie is set, then right after that, define the user name:

$usrname = $_COOKIE['is_logged_in_cookie'];

and then do a mysql query to make sure that name is in the database using the $usrname var. and if the name is not in the database, set the cookie to be expired and a null value just in case the user tried to forge the cookie, and give an error. if the user is in the database, serve the page content you wanted to give to the logged in user.

Hope this helped.