cookie script

clericvash

This is my half working login/cookie script. It logs in fine but you dont stay logged in?

/*
| Core Portal Copyright 2004 Liam Dawe, Olorum
| Module written by Liam Dawe
*/
if (!$_POST['user'] || !$_POST['pass']) {
	print "Please fill out all fields.";
	die;
}
	$_POST['user'] = str_replace("'","", $_POST['user']);
	$_POST['pass'] = str_replace("'","", $_POST['pass']);
	$_POST['user'] = str_replace("+","", $_POST['user']);
	$_POST['pass'] = str_replace("+","", $_POST['pass']);
	$_POST['pass'] = str_replace("-","", $_POST['pass']);
	$_POST['user'] = str_replace(",","", $_POST['user']);
	$_POST['pass'] = str_replace(",","", $_POST['pass']);
$logres = mysql_num_rows(mysql_query("select * from users where user='{$_POST['user']}' and pass='{$_POST['pass']}'"));
if ($logres <= 0) {
	print "Login failed. If you have not already, please signup. Otherwise, check your spelling and login again.";
	die;
} else {
	session_register('user');
	$_SESSION['user'] = $_POST['user'];
	session_register('pass');
	$_SESSION['pass'] = $_POST['pass'];
	session_start();
	print "Welcome. <meta http-equiv=refresh content=0;URL=index.php?module=account> If you are not redirected please click <a href=index.php?module=account>here</a> to continue..";
}

and then the cookies script

/*
| Core Portal Copyright 2004 Liam Dawe, Olorum
| verify.php
| Page written by Liam Dawe
*/
session_start();
// Get all the settings in
include("config.php");

if (isset($_SESSION['user']) && isset ($_SESSION['pass'])) // If the user and pass session is set
{
setcookie('portal_'.$sitename, $_SESSION['user']|$_SESSION['pass'], time()+3600*48); 

if (isset($_COOKIE['portal_'.$sitename])) // If the user and pass cookie is set
{  

$cookie_name = $_COOKIE['portal_'.$sitename];
$cookie_bits = explode('|', $cookie_name);
$cookie_user = $cookie_bits[0];
$cookie_pass = $cookie_bits[1]; 

session_register('user');
$_SESSION['user'] = $cookie_user; // Make session user
session_register('pass');
$_SESSION['pass'] = $cookie_pass; // Make session pass
}

}

// Update a users ip
if (isset($_SESSION['user']) && isset ($_SESSION['pass']))
{
$ip = "$HTTP_SERVER_VARS[REMOTE_ADDR]";
mysql_query("update users SET ip = '".$ip."' WHERE id = '".$stat['id']."'");
}

Weedpacket

You've got a bit of a hairball here:

session_register('user');
$_SESSION['user'] = $_POST['user'];
session_register('pass');
$_SESSION['pass'] = $_POST['pass'];
session_start();

You're wanting something more like

session_start();
$_SESSION['user'] = $_POST['user'];
$_SESSION['pass'] = $_POST['pass'];

clericvash

I changed that bit but it doesnt fix the staying logged in bit, the login is fine its just something to do with the cookies bit?

tsinka

Hi,

the problem might be

$SESSION['user']|$SESSION['pass']

Try it with

$SESSION['user']."|".$SESSION['pass']

But ... are you sure that you want to store the password in a cookie ?

Other problem: If someone chose to use | in his password or username explode would return incorrect values.

Additionally, it might be better to check if the username and password contain invalid characters and telling that the users when they register instead of silently replacing invalid characters. That might cause problems, too.

Thomas

Weedpacket

Leaving aside questions abouts toring the password in a cookie, all this business with "|" could be avoided by using two cookies.

clericvash

I was originally using 2 cookies one for user and one for pass and someone told me its a sloppy way to do it?