There seems to be an issue with my cookie when a user has closed out of a browser window instead of logging out beforehand. Basically, here is my login script to set the cookie:
<?php
// expire cookie
setcookie ("loggedin", "", time() - 3600);
include("include.php");
// connect to the mysql server
$link = mysql_connect($server, $username, $password)
    or die ("Could not connect to mysql because ".mysql_error());
// select the database
mysql_select_db($database)
    or die ("Could not select database because ".mysql_error());
switch($_GET['action'])
{
    case "newpass":
        $user = $_POST['user'];
        setcookie("loggedin", "TRUE", time()+(3600 * 24));
        setcookie("fedex_username", "$user");
        include("cookie.php");
        $pass = $_POST['password'];//get password from form
        $pass2 = $_POST['password2'];//get password2 from form
        //USER AND PASSWORD LENGTH CHECK
        $min_length = 6; //this value is the minimal length that we desire our passwords
        //to be if the username or the password is shorter than 6 chars the user is sent
        //to a previously prepared custom error page
        echo "<div align=\"center\">";
        if(strlen($pass) < $min_length)
        {
            echo "Sorry, but your password is less than $min_length characters.<br>";
            echo "<a href=\"javascript: history.go(-1);\">Try again</a>";
            die();
        }
        if (($pass)!=($pass2)) //if the values stored in the 2 variables are
        //different we redirect the users to a previously created error page
        {
            echo "Sorry, but your passwords do not match.<br>";
            echo "<a href=\"javascript: history.go(-1);\">Try again</a>";
            die();
        }
        $query = "UPDATE members SET password = '".md5($_POST['password'])."' WHERE user = '$fedex_username'";
        mysql_query($query);
        echo "<meta http-equiv=\"refresh\" content=\"3;URL=/fedex1/\"><base target=\"_parent\">Thank you for updating your password. You will be redirected to the main page.";
        echo "</div>";
        die();
        break;
}
$pass = md5($_POST['password']);
$temp_pass = md5("fedexeval1");
$match = "select id from members where user = '".$_POST['user']."'
and password = '".md5($_POST['password'])."';";
$qry = mysql_query($match)
    or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows <= 0) {
    echo "<div align=\"center\">";
    echo "Sorry, there is no username \"$user\" with the specified password. Please check your information.<br>";
    echo "<a href=\"javascript: history.go(-1);\">Try again</a>";
    echo "</div>";
    exit;
} else {
    //**********************************************************************
    //Set the cookie
    //**********************************************************************
    setcookie("loggedin", "TRUE", time()+(3600 * 24));
    setcookie("fedex_username", "$user");
    if ($pass == $temp_pass)
    {
        echo "<div align=\"center\">";
        echo "You are now logged in, <b>$user</b>, but you are required to change your password.<br><form action=\"user_login.php?action=newpass\" method=\"POST\"><table align=\"center\" width=\"30%\"><tr>
<td>Password<br>(6 - 12 characters):</td>
<td><input type=\"hidden\" name=\"user\" value=\"$user\"><input type=\"password\" name=\"password\" size=\"20\"></td>
</tr>
<tr>
<td>Re-enter password:</td>
<td><input type=\"password\" name=\"password2\" size=\"20\"></td>
</tr>
<tr align=\"center\">
<td colspan=\"2\"><input type=\"submit\" value=\"Update\"></td>
</tr></table></form><br>";
        echo "</div>";
    }
    else
    {
        echo "<div align=\"center\">";
        echo "<meta http-equiv=\"refresh\" content=\"2;URL=javascript:window.open('/fedex1/','_parent');\">Thank you for logging in, $user! Please wait...<br>";
        echo "</div>";
    }
}
//echo "</div>";
?>
About 3/4 of the way down is where the cookie is set. Now, it works all fine throughout the system while the user is still on the website. At the top of the page, it displays "Welcome, tristanlee85. [ logout ]". If I close out of the browser completely, open it, and go back to the site, it then says "Welcome, . [ logout ]".
Here is the script to check whether the user is logged in or not, and if so, display the "Welcome" text.
<?php
$fedex_username = $HTTP_COOKIE_VARS["fedex_username"];
if (!isset($_COOKIE['loggedin']))
{
    echo "";
}
else
{
    echo "<td align=\"center\"><font color=\"00cc00\">[</font><a href=\"roster.php\" target=\"main\">Manage Employee Roster</a><font color=\"00cc00\">]</font> | <font color=\"00cc00\">[</font><a href=\"add_eval.php\" target=\"main\">Submit Evaluations</a><font color=\"00cc00\">]</font> | <font color=\"00cc00\">[</font><a href=\"view_eval.php\" target=\"_new\">View Evaluations</a><font color=\"00cc00\">]</font> | <font color=\"00cc00\">[</font><a href=\"tools.php\" target=\"main\">Database Tools</a><font color=\"00cc00\">]</font></td></tr><tr><td colspan=\"2\" align=\"left\">Welcome, $fedex_username. [ <a href=\"logout.php\" target=\"_parent\">logout</a> ]";
}
?>
And here is my script to expire the cookie (log the user out):
<?php
// expire cookie
setcookie ("loggedin", "", time() - 3600);
$user = $_POST['user'];
echo "<meta http-equiv=\"refresh\" content=\"2;URL=javascript:window.open('/fedex1/','_parent');\">Logging <b>$user</b> out of the system...";
?>
Instead of using a cookie that isn't expiring correctly or something, I'd like to try and use a $_SESSION. It seems a lot better. The only problem I can see myself running into is that I include a cookie.php file in all my pages. This is what's in the file:
$fedex_username = $HTTP_COOKIE_VARS["fedex_username"];
The only problem I can see having is $fedex_username is called from quite a few pages. Here's an example:
//Get employee's position
$getpos="SELECT position FROM employees WHERE owner = '$fedex_username'";
$posquery=mysql_query($getpos);
$gotposition = mysql_fetch_row($posquery);
Basically, it gets the positions from the 'employees' table that match the "owner" being the person that is logged in. So, how can I remove this cookie stuff, use sessions, and still be able to select from a database depending on the logged in user?
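The switch asked about above, as an added example that is not part of the original post: the username moves from the `fedex_username` cookie into `$_SESSION`, so it is stored server-side, cannot fall out of step with the `loggedin` flag (the login script gives `loggedin` a 24-hour expiry but sets `fedex_username` with none, so it is dropped when the browser closes), and is not a value the browser supplies to the `employees` query. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, `password_hash()`/`password_verify()` replace the post's `md5()`, and the helper names (`login`, `current_user`, `logout`) and sample rows are constructed.

```php
<?php
// Added example (not the poster's code): session-based replacement for cookie.php.
// Assumed: PDO + pdo_sqlite are available; table and column names follow the post;
// helper names and the demo rows below are constructed for illustration.
session_start();

function login(PDO $db, string $user, string $pass): bool {
    // Bound parameters replace the string-built query from the post.
    $st = $db->prepare('SELECT password FROM members WHERE user = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after authentication
    $_SESSION['fedex_username'] = $user;  // kept server-side, not in a cookie
    return true;
}

function current_user(): ?string {
    // null means "not logged in"; replaces the isset($_COOKIE['loggedin']) check
    return $_SESSION['fedex_username'] ?? null;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// Constructed demo data so the block runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (user TEXT PRIMARY KEY, password TEXT)');
$db->exec('CREATE TABLE employees (owner TEXT, position TEXT)');
$db->prepare('INSERT INTO members VALUES (?, ?)')
   ->execute(['tristanlee85', password_hash('example-pass', PASSWORD_DEFAULT)]);
$db->prepare('INSERT INTO employees VALUES (?, ?)')->execute(['tristanlee85', 'Manager']);

if (login($db, 'tristanlee85', 'example-pass')) {
    // What cookie.php used to provide, now read from the session.
    $fedex_username = current_user();
    $st = $db->prepare('SELECT position FROM employees WHERE owner = ?');
    $st->execute([$fedex_username]);
    $gotposition = $st->fetch(PDO::FETCH_NUM);
    echo 'Welcome, ' . htmlspecialchars($fedex_username) . ' (' . $gotposition[0] . ")\n";
}
logout();
```

In the real pages, `cookie.php` would shrink to `session_start();` plus `$fedex_username = current_user();`, so the existing includes keep working while each query switches to a bound parameter.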