Cookie authentication Pros & Cons
1.) On my common.inc.php script I have this
PHP Code:
$username = $_COOKIE['Bestwebusername'];
$logged_in = $_COOKIE['Bestweblogged'];
$cookie_password = $_COOKIE['Bestwebpassword'];
I have a function called printHeader()
and it looks like this
PHP Code:
<?php
function PrintHead($title) {
    global $username;
    global $cookie_password;
    global $logged_in;
    // look up the stored password hash for the username taken from the cookie
    $SQL = "SELECT * FROM bweb_users where username='$username'";
    $result = mysql_query($SQL);
    $rows = mysql_fetch_array($result);
    $pass = $rows['password'];
    // if the cookie hash does not match the database, expire all three cookies
    if ($pass != $cookie_password):
        setcookie("Bestweblogged", "", time() - 155555, "/", "", 0);
        setcookie("Bestwebusername", "", time() - 155555, "/", "", 0);
        setcookie("Bestwebpassword", "", time() - 155555, "/", "", 0);
    endif;
?>
<html>
<head>
</head>
<body class="body" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<?php include("C:/xampp/htdocs/loginbox.php"); ?>
2.) loginbox.php file is something like this:
PHP Code:
<?php
if ($logged_in == 'yes'):
    print "hello $username";
else:
    print "html login.php form";   // placeholder for the login form markup
endif;
3.) The Login.php script compares form_username and form_password with the MySQL equivalents and (if true) sets these 3 cookies:
PHP Code:
setcookie("Bestweblogged", "yes", time() + 3600, "/", "", 0);
setcookie("Bestwebusername", $form_username, time() + 3600, "/", "", 0);
setcookie("Bestwebpassword", $pass, time() + 3600, "/", "", 0);
So, my question is: is this way somehow safe?
Basically I am giving them 3 cookies:
username
password (md5 of course)
login status (Y or N)
Even if other users (hackers) change the cookie username value to something else, since they don't know the password they can't get in.
I read on PHP.net site that people steal cookies. How is this possible?
I am not leaning towards the use of sessions (yet), since I want my visitors to be able to come back and read the messages without needing to log back in. This will be for a forum.
Thanks in advance, and sorry about these beginner questions.
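As an added example (not the poster's code), this is how the same "stay logged in" behaviour can be kept without putting the username and password hash in the cookie: the browser gets a random token, the server stores only a hash of it, and the lookup uses a bound parameter instead of splicing the cookie into the SQL string. It assumes a PDO connection $db and a table bweb_remember(selector, token_hash, user_id, expires); the table, its columns and the cookie name are assumptions, not part of the poster's schema.

```php
<?php
// Added example, not from the original post. Assumes PDO $db and a table
// bweb_remember(selector, token_hash, user_id, expires) -- both are assumptions.
const REMEMBER_COOKIE = 'Bestwebremember'; // assumed cookie name

// Called from login.php after the form credentials have been verified.
function issueRememberCookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(12));  // public lookup key stored in clear
    $validator = bin2hex(random_bytes(32));  // secret part, known only to the browser
    $expires   = time() + 30 * 24 * 3600;    // 30 days
    $stmt = $db->prepare(
        'INSERT INTO bweb_remember (selector, token_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    // only the hash is stored: a leaked table does not yield usable cookies
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript, limits theft via XSS
        'samesite' => 'Lax',
    ]);
}

// Replaces the "$pass != $cookie_password" check: returns the user id, or null if
// the cookie is missing, malformed, expired or does not match the stored hash.
function userFromRememberCookie(PDO $db): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare(
        'SELECT token_hash, user_id, expires FROM bweb_remember WHERE selector = ?');
    $stmt->execute([$selector]); // bound parameter: cookie contents cannot alter the query
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;
    }
    // constant-time comparison so response timing does not reveal partial matches
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

On logout, delete the bweb_remember row for the selector and expire the cookie; the separate "logged in: yes" cookie becomes unnecessary because the token lookup itself answers that question.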