  1. #1
    SitePoint Enthusiast johnoz's Avatar
    Join Date
    Mar 2002
    Location
    here
    Posts
    95
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Cookie authentication Pros & Cons

    1.) On my common.inc.php script I have this

    PHP Code:
    // All three values come straight from the browser's cookies (client-controlled)
    $username        = $_COOKIE['Bestwebusername'];
    $logged_in       = $_COOKIE['Bestweblogged'];
    $cookie_password = $_COOKIE['Bestwebpassword'];
    I have a function called printHeader()

    and it looks like this
    PHP Code:
    <?php
    function PrintHead($title) {
        global $username;
        global $cookie_password;
        global $logged_in;
        global $title;

        // $username is the cookie value, interpolated into the query unescaped
        $SQL    = "SELECT * FROM bweb_users where username='$username'";
        $result = mysql_query($SQL);
        $rows   = mysql_fetch_array($result);
        $pass   = $rows['password'];

        // if the stored password hash differs from the cookie copy, expire all three cookies
        if ($pass != $cookie_password):
            setcookie("Bestweblogged",   "", time()-155555, "/", "", 0);
            setcookie("Bestwebusername", "", time()-155555, "/", "", 0);
            setcookie("Bestwebpassword", "", time()-155555, "/", "", 0);
        endif;
    ?>
      <html>
      <head>
       <body class="body" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
       <?php include("C:/xampp/htdocs/loginbox.php"); ?>
    <?php } // closing brace of PrintHead(); the rest of the page markup is not shown in the post ?>
    2.) loginbox.php file is something like this:

    PHP Code:
    <?php
    // the login box trusts the Bestweblogged cookie alone to decide what to show
    if ($logged_in == 'yes'):
        print "hello $username";
    else:
        print "html login.php form";
    endif;
    ?>
    3.) Login.php script is comparing form_username and form_password with the mysql equivalents and (if true) throwing these 3 cookies

    PHP Code:
    // $pass is the md5 hash read back from the database for this user
    setcookie("Bestweblogged",   "yes",            time()+3600, "/", "", 0);
    setcookie("Bestwebusername", "$form_username", time()+3600, "/", "", 0);
    setcookie("Bestwebpassword", "$pass",          time()+3600, "/", "", 0);
    So, my question is: is this way somehow safe?
    Basically I am throwing them 3 cookies:

    username
    password (md5 of course)
    login status (Y or N)


    Even if other users (hackers) go and change the cookie username value to something else, since they don't know the password they can't get in.

    I read on PHP.net site that people steal cookies. How is this possible?

    I am not leaning towards the use of sessions (yet) since I want my visitors to be able to come back and read the messages without needing to log back in. This will be for a forum.

    Thanks in advance and sorry, about these beginner questions.

  2. #2
    PHP manual bot bronze trophy Gaheris's Avatar
    Join Date
    Oct 2003
    Location
    Germany
    Posts
    2,195
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What happens if I change the content of the Bestweblogged cookie? Anyway, I hope you aren't saving the password in the cookie as clear text but rather as an md5 hash (or another type of hash).

  3. #3
    SitePoint Enthusiast johnoz's Avatar
    Join Date
    Mar 2002
    Location
    here
    Posts
    95
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thank you Gaheris.

    On the printHead function, when I compare the md5 password and username (will change this to user id later), if the password from the database doesn't match the cookie one I expire the Bestweblogged cookie.

    Is this the proper way to do it?

    TIA

    Quote Originally Posted by Gaheris
    What happens if I change the content of the Bestweblogged cookie? Anyway, I hope you aren't saving the password in the cookie as clear text but rather as a md5 hash (or another type of hash).
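The following is an added example and not code from johnoz, Gaheris or SitePoint. It shows the pattern Gaheris's question points at: whoever holds the three cookies above holds everything needed to log in (the md5 hash is replayed, never re-entered, so it is as good as the password), and loginbox.php decides on a flag the browser itself sent. The replacement below stores a random token instead of the password hash, keeps only a hash of the secret half server-side, and derives the logged-in state from that lookup rather than from a cookie flag. Assumptions: PHP 7.3 or newer (random_bytes, hash_equals, setcookie() with an options array), the cookie name Bestwebremember, and an in-memory array standing in for a database table; all three are made up for the example.

```php
<?php
// Added example, not johnoz's code: a "remember me" cookie carrying a random token
// instead of the user's password hash. Assumes PHP 7.3+. The token table is a plain
// array constructed for the example; in the forum it would be a database table with
// the same three columns (selector, validator_hash, expires) plus the username.

const REMEMBER_COOKIE = 'Bestwebremember';   // assumed cookie name
const TOKEN_TTL       = 30 * 24 * 3600;      // 30 days

// Called from login.php once the form username and password have been verified.
// Stores only a hash of the secret half server-side and returns the cookie value.
function issue_remember_token(string $username, array &$store, int $now): string
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret half, never stored in clear
    $store[$selector] = [
        'user'           => $username,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + TOKEN_TTL,
    ];
    $value = $selector . ':' . $validator;
    // HttpOnly hides the cookie from document.cookie, Secure limits it to HTTPS,
    // SameSite=Lax keeps it off most cross-site requests.
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Replacement for the Bestweblogged / Bestwebpassword check in PrintHead(): the
// logged-in state is the result of this lookup, never a flag the browser sent.
// Returns the username, or null when the cookie is missing, expired or tampered with.
function user_from_remember_cookie(?string $cookie, array &$store, int $now): ?string
{
    if ($cookie === null || strpos($cookie, ':') === false) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < $now) {
        unset($store[$selector]);
        return null;
    }
    // Constant-time comparison so the response time does not leak matching bytes.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: the cookie was edited or replayed from an old
        // copy. Revoke the token so the legitimate user has to log in again.
        unset($store[$selector]);
        return null;
    }
    return $row['user'];
}

// Logout: delete the server-side record so a stolen copy of the cookie dies with it.
function revoke_remember_token(?string $cookie, array &$store): void
{
    if ($cookie !== null && strpos($cookie, ':') !== false) {
        [$selector] = explode(':', $cookie, 2);
        unset($store[$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
}

// Walk-through with the constructed store. All setcookie() calls happen before any
// output so the script also runs cleanly from the command line.
$store   = [];
$now     = time();
$results = [];

$cookie = issue_remember_token('johnoz', $store, $now);
$results['valid cookie'] = user_from_remember_cookie($cookie, $store, $now);

// The cookie carries no username, so there is nothing to change it to. Replacing the
// secret half (here with zeros) fails the hash_equals check and revokes the token,
// which also invalidates the original cookie.
$tampered = explode(':', $cookie, 2)[0] . ':' . str_repeat('0', 64);
$results['tampered cookie']          = user_from_remember_cookie($tampered, $store, $now);
$results['original after tampering'] = user_from_remember_cookie($cookie, $store, $now);

// Expiry is enforced server-side even if the browser keeps the cookie longer.
$cookie = issue_remember_token('johnoz', $store, $now);
$results['after expiry'] = user_from_remember_cookie($cookie, $store, $now + TOKEN_TTL + 1);

revoke_remember_token($cookie, $store);
$results['after logout'] = user_from_remember_cookie($cookie, $store, $now);

var_dump($results);
```

With this layout the password hash never leaves the server, a cookie copied from one browser can be killed by logging out in another, and the "hello $username" branch of loginbox.php would be driven by the return value of user_from_remember_cookie() instead of by a cookie the visitor can edit. The printHead check from post #3 then becomes unnecessary: there is no password in the cookie to compare against.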

