
I am having a problem with the cookies finding the cookies stored from my login page. Here is my login page code:

<?php 
// Connects to your Database 
include("dbconnect.php");
mysql_select_db("maxgee_close2");
//Checks if there is a login cookie

if(isset($_COOKIE['ID_my_site']))
 //if there is, it logs you in and directs you to the members page
{ 
    $username = $_COOKIE['ID_my_site']; 
    $password = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
    while($info = mysql_fetch_array( $check )) 
    {
        if ($password != $info['password'])
        {
        }
        else
        {
            header("Location: members.php");
        }
    }
}
//if the login form is submitted 
if (isset($_POST['submit'])) { // if form has been submitted
 // makes sure they filled it in
    if(!$_POST['username'] | !$_POST['password']) {
        die('You did not fill in a required field.');
    }
    // checks it against the database

    if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
    }
    $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

    //Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
    }
    while($info = mysql_fetch_array( $check ))  
    {
        $_POST['password'] = stripslashes($_POST['password']);

        $info['password'] = stripslashes($info['password']);

        $_POST['password'] = md5($_POST['password']);

        //gives error if the password is wrong

        if ($_POST['password'] != $info['password']) {
            die('Incorrect password, please try again.');
        }
        else 
        { 
            // if login is ok then we add a cookie 
           setcookie("TestCookie", $value, time()+3600);  /* expire in 1 hour */


          //then redirect them to the members area and the line with the error
          header("Location: members.php");
        }
    } 
  }
  else
  { 
    // if they are not logged in
     ?>
     <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
     <h1>Login</h1>
     Username:
    <input type="text" name="username" maxlength="40"> 
    Password:
    <input type="password" name="password" maxlength="50"> 
    <input type="submit" name="submit" value="Login">
    </form> 
<?php 
 } 
 include("topsite.php");
?> 

Members Page: Here is the page that can't find the cookies. I have found the cookies saved in my browser; this page just can't find them:

<?php
include("dbconnect.php");
mysql_select_db("maxgee_close2");

//checks cookies to make sure they are logged in
if(isset($_COOKIE['maxgee.me']))
{
    $username = $_COOKIE['maxgee.me'];
    $password = $_COOKIE['maxgee.me'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
    while($info = mysql_fetch_array( $check ))
    {
        //if the cookie has the wrong password, they are taken to the login page
        if ($password != $info['password'])
        {
            header("Location: login_test.php");
        }
        //otherwise they are shown the admin area
        else
        {
            echo "Admin Area<p>";
            echo "Your Content<p>";
            echo "<a href=logout.php>Logout</a>";
        }
    }
}
else
//if the cookie does not exist, they are taken to the login screen
{
    header("Location: login_test.php");
}
?>
maxgee
  • Please, don't use `mysql_*` functions to write new code. They are no longer maintained and the community has begun the [deprecation process](http://news.php.net/php.internals/53799). See the [red box](http://uk.php.net/manual/en/function.mysql-connect.php)? Instead you should learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) and use either [PDO](http://stackoverflow.com/questions/13000289/create-mysql-table-with-php-variable-not-working#13000306) or [MySQLi](http://in3.php.net/mysqli). – NullPoiиteя Oct 22 '12 at 05:48
  • If you can't decide which, [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you. If you pick PDO, [here is good tutorial](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers). Also see [Why shouldn't I use mysql functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-function-in-php) – NullPoiиteя Oct 22 '12 at 05:48

2 Answers


You have an error in the login script.

if(!$_POST['username'] | !$_POST['password']) {
    die('You did not fill in a required field.');
}

and it should be

if(!$_POST['username'] || !$_POST['password']) {
    die('You did not fill in a required field.');
}

Also you are not storing the cookie in your login page. Look out for the comment

// if login is ok then we add a cookie 

You have not added the cookie there. Below is the way to add cookie.

setcookie("TestCookie", $value);

Below is the way to set cookie with time.

setcookie("TestCookie", $value, time()+3600);  /* expire in 1 hour */

And below is the way to retrieve cookie.

echo $_COOKIE["TestCookie"];
Abhishek Saha
  • I got what you were saying to change on the first part but where would I put the setcookie part and what would I need to replace? And would I put the echo cookie on the members page? – maxgee Oct 22 '12 at 05:58
  • Do I have to have the echo Part? – maxgee Oct 22 '12 at 06:04
  • You can put the setcookie part after the comment // if login is ok then we add a cookie and before the line header("Location: members.php"); – Abhishek Saha Oct 22 '12 at 06:37
  • No, you do not have to echo it. $_COOKIE['TestCookie'] acts like a variable. You can use it to compare the values stored in your database to validate a user. – Abhishek Saha Oct 22 '12 at 06:38
  • Where do I put the $_COOKIE["TestCookie"]; part... on my login page or my members page? – maxgee Oct 22 '12 at 07:49
  • You should add that on the members page, because you will use the value of that variable to compare the value in your database. – Abhishek Saha Oct 22 '12 at 08:01
  • So it should look like this, or the first real line of my members page above if you can't read this: if(isset($_COOKIE['maxgee.me'])) { $username = $_COOKIE['maxgee.me']; $password = $_COOKIE['maxgee.me']; $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error()); – maxgee Oct 22 '12 at 08:11
  • How can your username and password have the same cookie variable "$_COOKIE['maxgee.me']"? In your login page, you should have two cookie variables like this. setcookie("maxgee_me_user", $username); setcookie("maxgee_me_password", $password); And then in your members page, if(isset($_COOKIE['maxgee_me_user'])) { $username = $_COOKIE['maxgee_me_user']; $password = $_COOKIE['maxgee_me_password']; $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error()); – Abhishek Saha Oct 22 '12 at 08:40
  • Also in your login page, $username = $_POST['username'] and $password = $_POST['password'] – Abhishek Saha Oct 22 '12 at 08:41
  • Sorry for not marking your answer as solved. I was asleep. I have marked it as solved and greatly appreciate your help! – maxgee Oct 22 '12 at 17:34
  • Thanks @maxgee, I greatly appreciate your kindness. – Abhishek Saha Oct 22 '12 at 17:35
  • One more quick question I have....How would I end the cookie for like a logout page? – maxgee Oct 22 '12 at 17:48
  • Yes. You can set the expiration date to one hour ago setcookie("maxgee_me_user", "", time()-3600); setcookie("maxgee_me_password", "", time()-3600); So basically we are expiring the cookie, which deletes it. – Abhishek Saha Oct 22 '12 at 17:53

I realize this might not be what you want to hear, but I think you need to start over on this code. For starters, you are writing directly to $_POST, which is just a bad idea when it comes to debugging. In addition, you appear to be storing the password in clear text in the database as well as storing it in the cookie! Your site is going to be a hacker's wet dream. Please check out this post:

PHP best practices for user authentication and password security

Joshua Kaiser
  • I have the passwords saved as a MD5 in the database but how would I change the way it is viewed in the cookie or would I need to? – maxgee Oct 22 '12 at 06:01
  • In that case, see my article on responsible password management to find out why md5 is bad. http://bit.ly/Sda8BW You shouldn't store the password, encrypted or not, in the cookie. You COULD store some sort of related token on it. The article that I posted in my answer will point you to several good, already built solutions for authentication in PHP that don't require you to reinvent the wheel. Honestly, this is an area that is really easy to mess up, and I would suggest using a library or framework of some sort to do it. That would also address the issues that @NullPointer pointed out. – Joshua Kaiser Oct 22 '12 at 06:07
  • Ok, I get what you are saying, to use like a verification key... I will for sure check out your article – maxgee Oct 22 '12 at 06:13
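
An added example, not part of any post on this page, of the approach suggested in the comments above and in the prepared-statements comment on the question: the cookie carries a random token instead of the password, and every query uses bound parameters. The table names, the `login_token` cookie name and the in-memory SQLite database are assumptions made so the script runs stand-alone.

```php
<?php
declare(strict_types=1);
// Constructed demo schema; an in-memory SQLite database stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$pdo->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');
// Registration side: store a salted, slow hash instead of md5(). Constructed user.
$stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
$stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login page: returns a random token for the cookie on success, null on any failure.
function login(PDO $pdo, string $username, string $password): ?string
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['pw_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored, so a leaked table yields no usable cookies.
    $ins = $pdo->prepare('INSERT INTO login_tokens (token_hash, user_id, expires) VALUES (?, ?, ?)');
    $ins->execute([hash('sha256', $token), $user['id'], time() + 3600]);
    return $token;
}

// Members page: map the cookie value back to a user id, or null if unknown/expired.
function userFromToken(PDO $pdo, string $token): ?int
{
    $stmt = $pdo->prepare('SELECT user_id FROM login_tokens WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Logout page: delete the server-side record as well as expiring the cookie.
function logout(PDO $pdo, string $token): void
{
    $pdo->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

$token = login($pdo, 'alice', 'correct horse');
// In a web request: setcookie('login_token', $token, ['expires' => time() + 3600,
//     'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(userFromToken($pdo, $token));
logout($pdo, $token);
var_dump(userFromToken($pdo, $token));
```

The members page would call `userFromToken()` with `$_COOKIE['login_token']` and redirect to the login page when it returns null.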