Thease Cookie are going of! yuk!

CMarshall81

Hi, I hope some awesome person can help me. I have created a login in script, that check's if the user have entered the correct data compared to the data save in the database. Then gives access to the members area while setting a cookie to remember the log in and the users name. This all works. However what the issue is you might be asking, is when I try to tailor the working parts to the design of the site. If i add HTML coding after or before or around the following coding:

<?php
ob_start();

include("config.php"); 

// connect to the mysql server 
$link = mysql_connect($server, $db_user, $db_pass) 
or die ("Could not connect to mysql because ".mysql_error()); 

// select the database 
mysql_select_db($database) 
or die ("Could not select database because ".mysql_error()); 

$match = "select id from $table where username = '".$_POST['username']."' 
and password = '".$_POST['password']."';"; 

$qry = mysql_query($match) 
or die ("Could not match data because ".mysql_error()); 
$num_rows = mysql_num_rows($qry); 

if ($num_rows <= 0) { 
echo "Sorry, there is no username $username with the specified password.<br>"; 
echo "<a href=login.html>Try again</a>"; 
exit; 
} else { 

setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "$username");
echo "You are now logged in!<br>"; 
echo "Continue to the <a href=members.php>members</a> section."; 
}
ob_end_flush();
?>

It fails to keep the session when you continue to the members area.

just in case this how it is all working:

members.php(Not logged in?)----> login.html--->login.php(this is the problematic code)---->members.php(welcome user)

hope someone can help.

Cirag

alanzhao


setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "$username");

make sure you call setcookie correctly:

$username = $_POST['username'];
setcookie("loggedin", "TRUE", time() + 3600 * 24);
setcookie("mysite_username", $username,time()+3600*24) ;

However this is not a safe practice. We can just go to the cookie file change it to "TRUE"

Username or password saved in cookie should be encrypted.

CMarshall81

Hi there, thanks for the reply and the advice alanzhao. Your code looks and feels like it is right and i think it does work. However it think there is something else going on with my code. As i mentioned before I have 4 pages:

adminLoginFrom.php

<form action="adminLogin.php" method="post">
Username: <input type="text" name="username" size="20"><br>
Password: <input type="password" name="password" size="20"><br>
<input type="submit" value="Log In">
</form>

adminLogin.php

<?php
ob_start();

include("config.php"); 

// connect to the mysql server 
$link = mysql_connect($server, $db_user, $db_pass) 
or die ("Could not connect to mysql because ".mysql_error()); 

// select the database 
mysql_select_db($database) 
or die ("Could not select database because ".mysql_error()); 

$match = "SELECT adminID FROM admin WHERE username = '".$_POST['username']."' 
and password = '".$_POST['password']."';"; 

$qry = mysql_query($match) 
or die ("Could not match data because ".mysql_error()); 
$num_rows = mysql_num_rows($qry); 

if ($num_rows <= 0) { 
echo "Sorry, there is no username $username with the specified password.<br>"; 
echo "<a href=adminLoginForm.php>Try again</a>"; 
exit; 
} else { 

$username = $_POST['username'];
setcookie("adminLoggedIn", "TRUE", time()+3600*24);
setcookie("mysite_username", $username, time()+3600*24);
echo "You are now logged in!<br />";
echo "Continue to the <a href=\"admin.php\">Admin Page</a>.";
}
ob_end_flush();
?>

admin.php

	[code=php]<?php if (!isset($_COOKIE['adminLoggedIn'])) die("You are not logged in!<br><a href=adminLoginForm.php>log in</a>");

$mysite_username = $HTTP_COOKIE_VARS["mysite_username"];
echo "Welcome to the members area, $mysite_username.<p>";
?>
<a href="adminLogOut.php">Log Out</a>[/code]

adminLogOut.php

<?php

// expire cookie
setcookie("adminLoggedIn", "", mktime(12,0,0,1, 1, 1990));
echo "You are now logged out.<br />";
echo "<a href=\"admin.php\">Log in</a>";

?>

Still when I add HTML coding to "adminLogin.php" it fails to pass the cookie to "admin.php". Even with out the HTML, it passes the cookie containing the confirmed login but when I try to log out, "adminLogOut.php" fails to kill the cookie.

Thanks again for your help before, but sorry to be a pain but could you see where else I'm going wrong, t kinda driving me nuts.