cookies not passing/saving

[deleted]

I have a login script that validates a user and sets cookies. The login works fine. The problem is that the cookie does not seem to be saving. I don't see the cookie with my other cookies and when I use print_r($_COOKIE) it results in Array ()

Here's the login script

//A file with the database host,user,password, and selected database
	require_once ('db.inc');

//A string used for md5 encryption.
$supersecret_hash_padding = 'a string that is used to pad out short strings for md5 encryption.';

$LOGGED_IN = false;

unset($LOGGED_IN);

/**
* Checks to see if the user is logged in
*
* @param 	integer $LOGGED_IN
* @email	string	$email e-mail address entered at login
*/

function user_isLoggedIn(){
	//This function will only work with superglobal arrays, because
	//I'm not passing in any values or declaring globals
	global $supersecret_hash_padding, $LOGGED_IN;

	//Have we already run the hash checks?
	//If so, return the pre-set var
	if (isSet($LOGGED_IN)){
		return $LOGGED_IN;
	}
	if ($_COOKIE['email'] && $_COOKIE['id_hash']){
		$hash = md5($_COOKIE['email'].$supersecret_hash_padding);
		if ($hash == $_COOKIE['id_hash']){
			return true;
		}else{
			return false;

		}
	}else{
		return false;
	}
}
function user_login(){
	//This function will only work with superglobal arrays, because
	//I'm not passing in any values or declaring glbals
	dbConnect('crc1');
	if (!$_POST['email'] || !$_POST['password']){
		$feedback = 'ERROR- Missing e-mail address or password';
		return $feedback;
	}else{
		$email = strtolower($_POST['email']);
		//Don't need to trim because extra spaces should fail for this
		//Don't need to addslashes because single quotes aren't allowed
		$password = strtolower($_POST['password']);
		//Don't need to addslashes because we'll be hashing it
		$crypt_pwd = md5($password);
		$qValidate = "SELECT firstname,lastname,status_id
					 FROM tblusers
					 WHERE emailaddress = '$email'
					 AND password = '$crypt_pwd'";
		$result = mysql_query($qValidate);
		if($result >0){
			while($row=mysql_fetch_array($result)){
				$firstname = $row['firstname'];
				$lastname = $row['lastname'];
				$space = '&nbsp;';
				$fullname = $firstname.$space.$lastname;
		if (!$result || mysql_num_rows($result) < 1){
			$feedback = 'ERROR- User not found or password incorrect';
			return $feedback;
		}else{
			if (mysql_result($result,0,'status_id') =='1'){
				user_set_tokens($email);
				return 1;
			}else{
				$feedback = 'ERROR- You may not have confirmed your account yet';
				return $feedback;
			}
		}
	}
}
}
}
function user_logout(){
	setcookie('email','',(time()+2592000),'/','',0);
	setcookie('id_hash','',(time()+2592000),'/','',0);

}

function user_set_tokens($email_in){
	global $supersecret_hash_padding;
	if (!$email_in){
		$feedback = 'No username';
		return false;
	}
	$email = strtolower($email_in);
	$id_hash = md5($email.$supersecret_hash_padding);

setcookie('email',$email,(time()+2592000),'/','localhost');
setcookie('id_hash',$id_hash,(time()+2592000),'/','localhost');

}
?>

On the next page I call the cookie email using $email = $_COOKIE['email'], but I keep getting undefined index: email.

Any thoughts on how I can get this to work? Thanks.

HalfaBee

Where are you calling the function to set the cookie?
Also you have these lines at the start.

$LOGGED_IN = false; 
unset($LOGGED_IN);

won't this always make it appear that they are not logged in?

Halfabee

[deleted]

I have another script called login.php

require_once ('includes/login_func.inc');

// Checks to see if user is logged in.	
if ($LOGGED_IN = user_isLoggedIn()){
	user_logout();
	$_COOKIE['email'] = '';


	//If they are logged in, log them out
	unset ($LOGGED_IN);
	}


	//Checks to see if the form has already been submitted and checks
	if ($_POST['submit'] == 'Login'){
		if (strlen($_POST['email']) <=25 && strlen($_POST['password'])<=25){
		$feedback = user_login();
		}else{
		$feedback = 'Username and password are too long';
		}
		if ($feedback == 1){
		// On successful login redirect
				header ("Location: [url]http://localhost/debug/debug.php[/url]");
		}else{
		$feedback_str = "<p class=\"errormess\">$feedback</p>";
		}
	}else{
		$feedback_str = '';
	}


//-----------------
// DISPLAY THE FORM
//-----------------

// Superglobals don't work with heredoc
$php_self = $_SERVER['PHP_SELF'];

$login_form = <<< EOLOGINFORM
<table cellpadding=0 cellspacing=0 border=0 align=center width=621>
	<tr>
		<td rowspan=2><img width=14 height=1 src=images/spacer_wh.gif></td>
		<td width=606 height=1><img width=606 height=1 src=images/spacer_wh.gif></td>
	</tr>
	<tr>
		<td>
			$feedback_str
			<p class="bold">LOGIN</p>
			<form action="$php_self" method="post">
			<p class="bold">E-mail Address<br/>
			<input type="text" name="email" value="" size="10" maxlength="15"></p>
			<p class="bold">Password<br/>
			<input type="password" name="password" balue="" size="10" maxlength="15"></p>
			<p><input type="submit" name="submit" value="Login"></p>
</form>
		</td>
	</tr>
</table>
EOLOGINFORM;

echo $login_form;

HalfaBee

When you do this require_once ('includes/login_func.inc');
it will automatically log them out due to these lines in the included script

$LOGGED_IN = false;
unset($LOGGED_IN);

The problem lies in this section, I have changed it and it should work.
HalfaBee

function user_login(){
    //This function will only work with superglobal arrays, because
    //I'm not passing in any values or declaring glbals
    dbConnect('crc1');
    if (!$_POST['email'] || !$_POST['password']){
        $feedback = 'ERROR- Missing e-mail address or password';
        return $feedback;
    }else{
        $email = strtolower($_POST['email']);
        //Don't need to trim because extra spaces should fail for this
        //Don't need to addslashes because single quotes aren't allowed
        $password = strtolower($_POST['password']);
        //Don't need to addslashes because we'll be hashing it
        $crypt_pwd = md5($password);
        $qValidate = "SELECT firstname,lastname,status_id
                     FROM tblusers
                     WHERE emailaddress = '$email'
                     AND password = '$crypt_pwd'";
        $result = mysql_query($qValidate);
        if($result >0){
            while($row=mysql_fetch_array($result)){
                $firstname = $row['firstname'];
                $lastname = $row['lastname'];
                $space = '&nbsp;';
                $fullname = $firstname.$space.$lastname;

            if (!$result || mysql_num_rows($result) < 1){
                $feedback = 'ERROR- User not found or password incorrect';
                return $feedback;
            }else{
                if ( $row['status_id']=='1'){
                    user_set_tokens($email);
                    return 1;
                }else{
                    $feedback = 'ERROR- You may not have confirmed your account yet';
                    return $feedback;
                }
            }
        } // end while
    } // endif
}
}

[deleted]

I'm still having the same error. WHen I use print_r($_COOKIE) it still displays Array ().

HalfaBee

This is not good code

if($result >0){

should be if( $result!==FALSE )

Try removing the path and domain from the setcookie().

HalfaBee

[deleted]

I made both changes with the same result.

HalfaBee

Is it actually getting to the setcookie() section?

Put a few debug statements in.

HalfaBee

This line was wrong too.

setcookie('email',$email_in,(time()+2592000));

[deleted]

I'm still new at this and I don't what debug statements to enter. DO you have any suggestions?

HalfaBee

put an echo "setcookie $email_in" near the setcookie().
This will see if it is being called.

[deleted]

All I got was setcookie then blank

I changed your code to echo "setcookie '.$email_in.'"; but that only outputed setcookie '..'

HalfaBee

That means you are not passing the email addr to the function.
The cookie for email will not set because it has no value.

HalfaBee

Post your code again and lets see what it is doing.

[deleted]

Here it is:

login_func.inc

	//A file with the database host,user,password, and selected database
	require_once ('db_vars.inc');

//A string used for md5 encryption.
$supersecret_hash_padding = 'a string that is used to pad out short strings for md5 encryption.';

$LOGGED_IN = false;

unset($LOGGED_IN);

/**
* Checks to see if the user is logged in
*
* @param 	integer $LOGGED_IN
* @email	string	$email e-mail address entered at login
*/

function user_isLoggedIn(){
	//This function will only work with superglobal arrays, because
	//I'm not passing in any values or declaring globals
	global $supersecret_hash_padding, $LOGGED_IN;

	//Have we already run the hash checks?
	//If so, return the pre-set var
	if (isSet($LOGGED_IN)){
		return $LOGGED_IN;
	}
	if ($_COOKIE['email'] && $_COOKIE['id_hash']){
		$hash = md5($_COOKIE['email'].$supersecret_hash_padding);
		if ($hash == $_COOKIE['id_hash']){
			return true;
		}else{
			return false;

		}
	}else{
		return false;
	}
}
function user_login(){ 
    //This function will only work with superglobal arrays, because 
    //I'm not passing in any values or declaring glbals 
    dbConnect('crc1'); 
    if (!$_POST['email'] || !$_POST['password']){ 
        $feedback = 'ERROR- Missing e-mail address or password'; 
        return $feedback; 
    }else{ 
        $email = strtolower($_POST['email']); 

    //Don't need to trim because extra spaces should fail for this 
    //Don't need to addslashes because single quotes aren't allowed 
    $password = strtolower($_POST['password']); 
    //Don't need to addslashes because we'll be hashing it 
    $crypt_pwd = md5($password); 
    $qValidate = "SELECT firstname,lastname,status_id 
                 FROM tblusers 
                 WHERE emailaddress = '$email' 
                 AND password = '$crypt_pwd'"; 
	echo $qValidate;
    $result = mysql_query($qValidate); 
    if($result!==False){ 
        while($row=mysql_fetch_array($result)){ 
            $firstname = $row['firstname']; 
            $lastname = $row['lastname']; 
            $space = '&nbsp;'; 
            $fullname = $firstname.$space.$lastname; 

            if (!$result || mysql_num_rows($result) < 1){ 
                $feedback = 'ERROR- User not found or password incorrect'; 
                return $feedback; 
            }else{ 
                if ( $row['status_id']=='1'){ 
                    user_set_tokens($email); 
                    return 1; 
                }else{ 
                    $feedback = 'ERROR- You may not have confirmed your account yet'; 
                    return $feedback; 
                } 
            } 
        } // end while 
    } // endif 
} 
}

function user_logout(){
	setcookie('email','',(time()+2592000));
	setcookie('id_hash','',(time()+2592000));

}

function user_set_tokens($email_in){
	global $supersecret_hash_padding;
	if (!$email_in){
		$feedback = 'No username';
		return false;
	}
	$email = strtolower($email_in);
	$id_hash = md5($email.$supersecret_hash_padding);

setcookie('email',$email,(time()+2592000));
setcookie('id_hash',$id_hash,(time()+2592000));

}
echo "setcookie '.$email_in.'";
?>

require_once ('includes/login_func.inc');

// Checks to see if user is logged in.	
if ($LOGGED_IN = user_isLoggedIn()){
	user_logout();
	$_COOKIE['email'] = '';


	//If they are logged in, log them out
	unset ($LOGGED_IN);
	}


	//Checks to see if the form has already been submitted and checks
	if ($_POST['submit'] == 'Login'){
		if (strlen($_POST['email']) <=25 && strlen($_POST['password'])<=25){
		$feedback = user_login();
		}else{
		$feedback = 'Username and password are too long';
		}
		if ($feedback == 1){
		// On successful login redirect
				header ("Location: [url]http://localhost/debug/debug.php[/url]");
		}else{
		$feedback_str = "<p class=\"errormess\">$feedback</p>";
		}
	}else{
		$feedback_str = '';
	}


//-----------------
// DISPLAY THE FORM
//-----------------

// Superglobals don't work with heredoc
$php_self = $_SERVER['PHP_SELF'];

$login_form = <<< EOLOGINFORM
<table cellpadding=0 cellspacing=0 border=0 align=center width=621>
	<tr>
		<td rowspan=2><img width=14 height=1 src=images/spacer_wh.gif></td>
		<td width=606 height=1><img width=606 height=1 src=images/spacer_wh.gif></td>
	</tr>
	<tr>
		<td>
			$feedback_str
			<p class="bold">LOGIN</p>
			<form action="$php_self" method="post">
			<p class="bold">E-mail Address<br/>
			<input type="text" name="email" value="" size="10" maxlength="15"></p>
			<p class="bold">Password<br/>
			<input type="password" name="password" balue="" size="10" maxlength="15"></p>
			<p><input type="submit" name="submit" value="Login"></p>
</form>
		</td>
	</tr>
</table>
EOLOGINFORM;

echo $login_form;
?>

on validated page:

	<?php
		$email =  $_COOKIE['email'];
		$result= mysql_query("SELECT firstname,lastname FROM crc1.tblusers where emailaddress='$email'");
			if (mysql_num_rows($result)< 1) {
			    echo 'No rows returns';
			}elseif (mysql_num_rows($result)>0){
			while($row=sql_fetch_array($result)){
			$firstname = $row['firstname'];
			$lastname = $row['lastname'];
			$fullname = $firstname.$space.$lastname;
		echo 'Welcome, '.$fullname.'';
		}
	}
		?>

HalfaBee

Move the echo "setcookie '.$email_in.'"; to inbetween the 2 setcookies();

and change it to echo "setcookie $email_in.";

HalfaBee

header ('Location: <a href="http://localhost/debug/debug.php" target="_blank">http://localhost/debug/debug.php</a>');

This is incorrect.

Should be header( "Location: http://localhost/debug/debug.php" );

[deleted]

function user_set_tokens($email_in){
	global $supersecret_hash_padding;
	if (!$email_in){
		$feedback = 'No username';
		return false;
	}
	$email = strtolower($email_in);
	$id_hash = md5($email.$supersecret_hash_padding);

setcookie('email',$email,(time()+2592000));
echo "setcookie $email_in.";
setcookie('id_hash',$id_hash,(time()+2592000));

}
[/PHP

Nothing echoed.

For the Header the forum must have done something because it is coded the same way you coded it.

HalfaBee

Add this

} // endif
else
echo 'Bad Query '.mysql_error();

[deleted]

I added the code so my function user_login() looks likes this

function user_login(){ 
    //This function will only work with superglobal arrays, because 
    //I'm not passing in any values or declaring glbals 
    dbConnect('crc1'); 
    if (!$_POST['email'] || !$_POST['password']){ 
        $feedback = 'ERROR- Missing e-mail address or password'; 
        return $feedback; 
    }else{ 
        $email = strtolower($_POST['email']); 

    //Don't need to trim because extra spaces should fail for this 
    //Don't need to addslashes because single quotes aren't allowed 
    $password = strtolower($_POST['password']); 
    //Don't need to addslashes because we'll be hashing it 
    $crypt_pwd = md5($password); 
    $qValidate = "SELECT firstname,lastname,status_id 
                 FROM tblusers 
                 WHERE emailaddress = '$email' 
                 AND password = '$crypt_pwd'"; 
	echo $qValidate;
    $result = mysql_query($qValidate); 
    if($result!==False){ 
        while($row=mysql_fetch_array($result)){ 
            $firstname = $row['firstname']; 
            $lastname = $row['lastname']; 
            $space = '&nbsp;'; 
            $fullname = $firstname.$space.$lastname; 

            if (!$result || mysql_num_rows($result) < 1){ 
                $feedback = 'ERROR- User not found or password incorrect'; 
                return $feedback; 
            }else{ 
                if ( $row['status_id']=='1'){ 
                    user_set_tokens($email); 
                    return 1; 
                }else{ 
                    $feedback = 'ERROR- You may not have confirmed your account yet'; 
                    return $feedback; 
                } 
            } 
        } // end while 
   	} // endif 
	else 
		echo 'Bad Query '.mysql_error();
} 
}

Bad Query was not displayed.