Sessions and Cookies help please

TimC

Hi guys,

I'm new to the forum today, I'm currently developing a PHP based website which will allow logins, profiles, and a search of all profiles etc...

Each person should be able to login and edit their profile securely. Therefore I need a login system.

At the moment, I have an index page which includes a header, the header checks if there is a cookie which exists on that persons machine, or if there is a session currently running.

The problem I have is the login page, I have a checkbox that asks if they want their password to be remembered. Based on that decision, it either starts a cookie or a session. The problem with that is that this code has to come at the top of the file, which means I can't put the cookie/session stuff at the top, so I'm getting the "Headers already sent error".

I thought I could cheat the system and use functions, but that doesn't work as when the function is called, it still gives the error.

Anyway, heres some code:

loginform.htm:
(this has more html round it, but i left that out because its irrelevant)

<form action="login.php" method=POST>

<center>
   <table border=1 bordercolor=#000000 width=50%>
      <tr>
        <td>Username:</td>
        <td><INPUT type=TEXT name=username width=25></td>
      </tr>

  <tr>
    <td>Password:</td>
    <td><INPUT type=password name=password width=25></td>
  </tr>

  <tr>
    <td colspan=2><center><INPUT type=checkbox name=remember> Remember your username and password?</center></td>
  </tr>

  <tr>
     <td colspan=2><center><INPUT type=submit value="Login!"></center></td>
  </tr>
   </table>
</center>

</form>

and the action behind the form, login.php:

<?php

  function newCookie(){
    setcookie('username', $_POST['username'], time()+60*2);
    setcookie('password', $_POST['password'], time()+60*2);
  }

  function newSession(){
    session_start();
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
  }

  $username = $_POST['username'];
  $password = $_POST['password'];

  // do all database stuff here, looking up passwords etc

  if ( ($username == "Tim") && ($password == "pass")){

// lines for debugging
echo $username;
echo "<br>";
echo $password;

 // check the users preference of whether to remember password/username or not
 if ($_POST['remember'] == "on"){
    echo "good";
    newCookie();
    echo "made new cookie";
 }
 else{
    echo "boo";
    newSession();
    echo "made new session";
 }
  }
  // display message if username/password are incorrect
  else
    echo "username and password incorrect";


?>

The headers already sent error depends on if you check the box or not and what function is being called.

Does anyone have any ideas / advice how to get around this?

cheers,
Tim.

gammaster

U can`t 'echo' before session_start().
U echo 'boo' before the funtion newSession() runs session_start().

else{
        // This is wrong.
        echo "boo";
        newSession();
        echo "made new session";
     }

kburger

Send NOTHING to the browser before setting the cookie or starting the session, including your debugging echo statements.

TimC

That still doesn't work I'm afraid, guys.

Is it not that the session and cookie stuff have to be called at the very start, rather than being called later on as a function?

I mean, they have to be executed at the top of the file, they can't be placed at the top of the file and be called later using a function.

I can't think of another way around it, because I have to do all of the checks first to see if they want to be remembered or not, and that means I can't put the session stuff at the top, therefore it won't work... :bemused:

Someone tell me I'm wrong!

kburger

It's hard for me to know what's going on unless I see all your code. Please post it all and I'll have a look.

Also, is the cookie supposed to simply remember the username and password so that the login form will be filled in for them next time, or is the user supposted to be automatically logged in if they have a cookie that has a valid username and password?

TimC

kburger wrote:
It's hard for me to know what's going on unless I see all your code. Please post it all and I'll have a look.

Also, is the cookie supposed to simply remember the username and password so that the login form will be filled in for them next time, or is the user supposted to be automatically logged in if they have a cookie that has a valid username and password?

If they have a valid username and password, they will be logged on automatically.

That is all of the code for the login bit, but the main part of the page that checks if they are logged in or not is this one, header1.php:


<?php

  // if the cookie or session username has a value, they are logged in one way or another
  if ( isset($_COOKIE['username']) || isset($_SESSION['username']) ){

// if its the cookie, get the username from the cookie, otherwise it comes from the session
if (isset($_COOKIE['username']))
  $username = $_COOKIE['username'];
else if (isset($_SESSION['username']))
  $username = $_SESSION['username'];


echo "Hello, ";
echo $username;
echo "&nbsp;";
echo ". Would you like to view your ";

$username = urlencode($username);
echo "<a href='profile.htm?userid=$username'>";
echo "profile";
echo "</a>?";

  }

  // if neither the cookie nor the session username are set, then they need to signup or login
  else{
    echo "You are not logged in. ";

  }
?>

That is included in the main index page of the website as a header.

It all works except the login bit, which doesn't like the checkbox choice of whether to remember the persons login (Which will create a cookie and keep them logged in till the cookie expires - currently 120 seconds), or if they just want to login for that session (until they close their browser).

kburger

kburger wrote:
It's hard for me to know what's going on unless I see all your code. Please post it all and I'll have a look.

This isn't all of it. There's nothing here that sets a cookie or registers a session, or for that matter, verifies that $COOKIE['username'] or $SESSION['username'] matches up with a valid password. Let us see it all (after getting rid of the unnecessary HTML or irrelevant PHP code).

TimC

This is signupsubmit, after they fill in a form with all of their details, this is the action:

<?php
  session_start();
  setcookie('username', $_POST['username'], time()+60*2);
  setcookie('password', $_POST['pass'], time()+60*2);


  echo $_POST['username'];
  echo $_POST['pass'];



?>

As for checking if the username and password are valid, that will be done on the login page, will will connect to the database and check those details against those entered. That part hasn't been implemented yet, its just taken care of by this line:

if ( ($username == "Tim") && ($password == "pass")){

Which will be replaced with all the database stuff which looks up the password and username from the database.