So I have a simple login + set cookie script. After checking to see if the supplied credentials are in the db, the script sets a cookie. After this, the script forwards the user to a password protected page.

I know the login + cookie placing script works fine. When I try the wrong credentials it fails like it should and when I enter the right credentials it sets a cookie (I can see it in my cookies on my browser).

The problem comes when I try to read the cookies back to make sure a user is credentialed for a certain page.

Here is my cookie-reading part of the script:

<?php
$user = $_COOKIE['user']; //gets the user from the cookies
$pass = $_COOKIE['pass']; //gets the pass from cookies
include("connect.php"); // connects to our database

$login = mysql_query("SELECT * FROM members WHERE username='$user' AND password='$pass'") or die(mysql_error()); //selects info from our table if the row has the same user and pass that our cookies do
if(!mysql_num_rows($login)) //if the username and pass are wrong
{
  header("Location: index.php");  //redirects to our login page
  die(); //stops the page from going any further
}
?>

And, for reference, this is the cookie placing part of the other script:

if($count==1){
    setcookie("user", $myusername, time()+3600);//sets our user cookie
    setcookie("pass", $mypassword, time()+3600);//sets our pass cookie
    header("Location:../index_pinit.php");
}
else {
    header("location:../oops.html");
}

What am I doing wrong? Why can't I read the cookies back?

All 9 Replies

Try making this your second page and see if any header errors are reported when the cookies are set.

if($count==1){
    setcookie("user", $myusername, time()+3600);//sets our user cookie
    setcookie("pass", $mypassword, time()+3600);//sets our pass cookie
    //header("Location:../index_pinit.php");
}
else {
    header("location:../oops.html");
}

Bear in mind that some users may choose to set their browsers to accept or decline cookie requests.

I don't have the whole picture from what you've entered but you may find that $_SESSION variables will do the job for you instead. They have super-global scope.

However, sessions also use cookies unless you embed the session id in the URL.

I would use sessions instead actually, they are more secure than cookies in my opinion; you can read all data cookies send in your browser, but sessions are a bit harder to read because they are encoded. They are actually encoded cookies, ...

I agree

So in your connect.php script, after your query, put something like:

$_SESSION['user'] = $row['user'];
$_SESSION['pass'] = $row['pass'];

Then in your login script, replace

$user = $_COOKIE['user']; //gets the user from the cookies
$pass = $_COOKIE['pass']; //gets the pass from cookies

With

$user = $_SESSION['user'];
$pass = $_SESSION['pass'];

Then in your logout script unset the session.

I would never do it that way in case the session was somehow hacked. Instead only store the username in the session and validate the password with $_POST['pass'] . After that has been validated set $_SESSION['user'] to the username. Then to check if the person is logged in use if(isset($_SESSION['user'])) . But never store a password or even a hashed password in a session or cookie even though sessions are server side. It's just good practice.

I agree with cwarn23

I'd md5 the username and password (creating a 'key'), or hash the user email, and store that in the session instead of (1) using an unsecured cookie, or (2) using an unsecured username and password.
Beware that this method is very insecure and allows for SQL injection hacks. Run a mysql_real_escape on the query, or use the mysqli prepared statements feature to prevent this.
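Putting cwarn23's advice (keep only the username in the session, validate the password from $_POST, check isset($_SESSION['user'])) together with the prepared-statement point from the reply above, here is an added example that is not code from any poster. It assumes a mysqli connection in $db and that the `password` column of `members` holds a password_hash() value; both are assumptions, not something the thread states.

```php
<?php
// Added example (not from any post in this thread): session-based login that
// stores only the username in the session, checks the password against a
// stored hash, and uses a prepared statement so input cannot alter the SQL.
// Assumes (not from the page): $db is a mysqli connection and the `password`
// column of `members` holds a password_hash() value.
session_start();

function login(mysqli $db, string $username, string $password): bool
{
    // Placeholders keep the submitted username out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() compares against the stored hash in constant time;
    // the plaintext password is never written to a cookie or the session.
    if (!$found || !password_verify($password, $hash)) {
        return false;
    }
    // New session id on login so a pre-existing id cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = $username;   // only the username, never the password
    return true;
}

function requireLogin(string $loginPage = 'index.php'): void
{
    // The check the thread suggests: logged in means the username is set.
    if (!isset($_SESSION['user'])) {
        header('Location: ' . $loginPage);
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage in the login script, replacing the two setcookie() calls:
// if (login($db, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     header('Location: ../index_pinit.php');
// } else {
//     header('Location: ../oops.html');
// }
// exit;
```

Protected pages call requireLogin() instead of reading $_COOKIE['user'] and $_COOKIE['pass'], and the logout script calls logout().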
