1.) On my common.inc.php script I have this

PHP Code:
$username = $_COOKIE['Bestwebusername'];
$logged_in = $_COOKIE['Bestweblogged'];
$cookie_password = $_COOKIE['Bestwebpassword'];

I have a function called printHeader() and it looks like this

PHP Code:
<?php
function PrintHead ($title) {
Global $username;
Global $cookie_password;
Global $logged_in;
Global $title;
// Look up the stored password for the username taken from the cookie
$SQL = "SELECT * FROM bweb_users where username='$username'";
$result = mysql_query($SQL);
$rows = mysql_fetch_array($result);
$pass = $rows['password'];
// Expire all three cookies when the cookie password does not match the stored one
if ($pass!=$cookie_password):
setcookie("Bestweblogged","",time()-155555, "/", "", 0);
setcookie("Bestwebusername","",time()-155555, "/", "", 0);
setcookie("Bestwebpassword","",time()-155555, "/", "", 0);
endif;
?>
<html>
<head>
<body class="body" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<?php include("C:/xampp/htdocs/loginbox.php"); ?>

2.) loginbox.php file is something like this:

PHP Code:
<?php
if($logged_in=='yes'):
print "hello $username";
else:
print "html login.php form";
endif;

3.) Login.php script is comparing form_username and form_password with the mysql equivalents and (if true) throwing these 3 cookies

PHP Code:
setcookie("Bestweblogged","yes", time()+3600, "/", "", 0);
setcookie("Bestwebusername","$form_username", time()+3600, "/", "", 0);
setcookie("Bestwebpassword","$pass", time()+3600, "/", "", 0);

So, my question is: is this way somehow safe?
Basically I am throwing them 3 cookies
username
password (md5 of course)
login status (Y or N)
Even if other users (hackers) go change the cookie username value to something else, since they don't know the password they can't get in.
I read on PHP.net site that people steal cookies. How is this possible?
I am not leaning towards the use of sessions (yet) since I want my visitors to be able to come back and read the messages without needing to log back in. This will be for a forum.
Thanks in advance and sorry about these beginner questions.




