Using cookies for user login .....

Question

justted 0 Junior Poster

15 Years Ago

Hello,

I have been looking at tutorials and pages on the net regarding cookies and sessions. Originally I thought my script was using both but then noticed it doesnt. I wanted to know if there is anything wrong with this code as my new server doesnt seem to like my log in script and wont allow access to the members pages.

This is my log in code

$check = fetch("SELECT username,password,verify FROM members WHERE username = '$login_username' AND password = '$encrypted_password' AND game = '$game' ");

if ($check[username])
{
	if($check[verify]==1)
	{
		setcookie("username_$game",$check[username],time()+2678400);
		setcookie("password_$game",$check[password],time()+2678400);
		header("Location: main.php?game=$game");
	}
	elseif($check[verify]==0)
	{
		header("Location: 	login.php?game=$game
	}
}
else
{
	header("Location: login.php?game=$game.");
}

Does anyone know why this is? Also ... are there ways to make this code more secure by using sessions? Would I add a session and then use the cookie info in the session id? Sessions seem to confuse me.

The code used to call the cookies and check the users permission is located into an include file which all pages requiring member access has.

$userCookie = "username_$game";
$passCookie = "password_$game";

$getInfo = fetch("SELECT * FROM members WHERE username = '$HTTP_COOKIE_VARS[$userCookie]' AND password = '$HTTP_COOKIE_VARS[$passCookie]' AND game = '$game'");

$getInfo2 = fetch("SELECT * FROM members_profiles WHERE username = '$getInfo[username]' AND game = '$game'");

$username = $getInfo[username];

Then each page checks the rank level of the user and identifies them by their username and the information pulled by the $getInfo.

Is the very secure and is there a better way to code this? Are there any obvious faults or flaws with the code that may prevent the new server from allowing this code to work?

Many Thanks
Justin

php

3 Contributors
6 Replies
744 Views
10 Hours Discussion Span
Latest Post 15 Years Ago Latest Post by somedude3488

cwarn23 387 Occupation: Genius

15 Years Ago

Although I don't fully get how those 2 scripts merge I can tell you now that you should never store the raw password in a cookie. Instead you should hash it or use sessions like you've suggested. To use sessions it is really really easy. Using sessions is like using variables. Below is an example of 2 pages using sessions where the data will be passed between each other:

<? session_start();
//no browser output before session start
$_SESSION['variable']='asldfkjas;ldfasldkfjasldkjfa;lsdkjfa;';
?>
<a href='page2.php'>Next page</a>

Above is index.php and below is page2.php

<? session_start();
//no browser output before session start!
echo $_SESSION['variable'];
?>

As you can see in the above example it is really simple stuff however when using sessions, only store the username in the session and to check if they are logged in use the following:

if (isset($_SESSION['username'])) {
// logged in.
}

Hope that all helps you understand and the one thing people must note is to never keep a record of somebodys password on their computer and preferable not in the servers long term memory too.

somedude3488 228 Nearly a Posting Virtuoso

15 Years Ago

Here is an session login example I made a few months ago.

http://www.daniweb.com/forums/post832028-20.html and http://www.daniweb.com/forums/post832231-23.html

Take a look and see if it clears up any confusion.

I know this doesn't answer your question, but I figured it might help you create a better login system.

justted commented: Very helpful and knowledgable. A true daniweb addict! +2

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

justted 0 Junior Poster · Answer 1 · 2009-05-08T15:20:24+00:00

Here is an session login example I made a few months ago.
http://www.daniweb.com/forums/post832028-20.html and http://www.daniweb.com/forums/post832231-23.html
Take a look and see if it clears up any confusion.
I know this doesn't answer your question, but I figured it might help you create a better login system.

Hey kk,

This looks brilliant. No joke I have been searching for 3 months to find a log in script that I can use and hopefully integrate into my current script. However ...Ive now decided to attempt to re-code and develop the whole lot from scratch and this looks like a great start.

Will attempt to see if I can get it to work.

Thanks again :)

justted 0 Junior Poster · Answer 2 · 2009-05-08T15:24:08+00:00

Although I don't fully get how those 2 scripts merge I can tell you now that you should never store the raw password in a cookie. Instead you should hash it or use sessions like you've suggested. To use sessions it is really really easy. Using sessions is like using variables. Below is an example of 2 pages using sessions where the data will be passed between each other:
<? session_start();
//no browser output before session start
$_SESSION['variable']='asldfkjas;ldfasldkfjasldkjfa;lsdkjfa;';
?>
<a href='page2.php'>Next page</a>
Above is index.php and below is page2.php
<? session_start();
//no browser output before session start!
echo $_SESSION['variable'];
?>
As you can see in the above example it is really simple stuff however when using sessions, only store the username in the session and to check if they are logged in use the following:
if (isset($_SESSION['username'])) {
// logged in.
}
Hope that all helps you understand and the one thing people must note is to never keep a record of somebodys password on their computer and preferable not in the servers long term memory too.

Hi cw,

Thanks very much for pointing this out. The original script I got was very poorly written and at the time I knew nothing about php. For the past year and a half I have been playing around with code and sadly have based some of my knowledge on the script hence why my knowledge is so skethcy. lol

The script does use MD5 encryption but I want to make it as secure as poss so will try and not use it. :)

Thanks again

justted 0 Junior Poster · Answer 3 · 2009-05-08T15:57:05+00:00

Hmm interesting ... I have uploaded the script to test it out and it works perfect so thanks.

I was wondering if I could ask you a question.

In the table of my members database (which I would have to change to the log in table as per your script) .. I have a field named rank ....

The rank is used to determine what level of access my members have. In the header file there is some code which checks against the database to find the users rank level (3 is normal). It then has at the top of each page a $rank_check = 3;

This checks to ensure that any member whos rank is at least 3 can view the page.

Am I right in saying that if I want to check who a user is and then get information from the database regarding that user that I would check it against the username? Or do I need to set up some sort of session checking code that verifies who the user is.

Does that make sense? :>/

Justin

somedude3488 228 Nearly a Posting Virtuoso · Answer 4 · 2009-05-08T16:23:49+00:00

Just add rank to the login table and make sure you update the registration script to give the proper rank to new users.

In the member area, do this:

<?php

session_start(); //start session so we can see if the user is logged in.

if ( !isset( $_SESSION['auth'] ) ) { // if auth is not in the $_SESSION array (meaning they haven't been to the login page where its set) redirect them to the login page
    header('Location: login.php');
    exit;
}

require('includes/dbconnect.php'); //include database connection

$memid = $_SESSION['auth']; //set member id into $memid.

$query = mysql_query( "SELECT `username`,`rank` FROM `login` WHERE `id` = {$memid}" ); //
$member = mysql_fetch_assoc( $query );

if ( $member['rank'] !== 3 ) { //check if their rank is acceptable
  header('Location: logout.php');
}

echo "Welcome, {$member['username']} <a href=\"logout.php\">Logout</a>";

?>