User authentication with cookie. I can't see what's wrong

stuck
Forum Newbie
Posts: 4
Joined: Thu Aug 14, 2003 4:29 pm
Location: Canada

Post by stuck »

This is the script used in the file that verifies the user-pass and it seems to be alright.

Code:

<?
if($username && $password) {
  mysql_connect("localhost","root","") or die ("Whoops");
  $password = ($password);
  $sql = "select * from utilisateurs where username='$username'";
  $r = mysql_db_query("micmacs",$sql);
  if(!mysql_num_rows($r))
    header("Location: authentification.php");
  $user = mysql_fetch_array($r);
  if($user["password"] == $password) {
    $password = ($password);
    setcookie("micmacs_login","$username $password");
    $msg = "<meta http-equiv=\"Refresh\" content=\"0;url=./soumettre.php\">";
  }else{
    header("Location: authentification.php");
  }
}
if ($msg) echo $msg;
?>
When I add the following script as an include to restrict access to the next page, the cookie in the first script doesn't seem to be set.

Code:

<?
if(!$_COOKIE['micmacs_login'])
  header("Location: authentification.php");
$known=$micmacs_login;
if($known) {
  mysql_connect("localhost","root","") or die ("Whoops");
  $user = explode("","$known");

  $sql = "select * from utilisateurs where username='$user[0]'";
  $r = mysql_db_query("micmacs",$sql);

  if(!mysql_num_rows($r)) {
    header("Location: authentification.php");
  }

  $chkusr = mysql_fetch_array($r);
  if(($user[1]) != $chkusr[1])
    header("Location: authentification.php");
}
?>
I've been working on this all day and can't figure out how to fix the problem.
nigma
DevNet Resident
Posts: 1094
Joined: Sat Jan 25, 2003 1:49 am

Post by nigma »

I couldn't understand what your motivation for doing some of the stuff I saw in the scripts was. But I also use cookie based authentication on my website and something like this would work:

Script #1 - validate.php - To check if username and password are valid

Code:

<?php
define('HOST', "hostname");   // Define the mySQL server address
define('USER', "username");   // Define the mySQL username
define('PASS', "password");   // Define the mySQL password
define('DBNAME', "dbname");   // Define the mySQL database name
define('TABLE', "table");     // Define the mySQL table containing user information

$user = $_POST['username']; /* If you are using the GET method replace POST with GET */
$pass = $_POST['password']; /* If you are using the GET method replace POST with GET */

if (!(empty($user) || empty($pass)))
{
  mysql_connect(HOST, USER, PASS);
  mysql_select_db(DBNAME);
  // Escape the submitted values before placing them in the query
  $safe_user = mysql_real_escape_string($user);
  $safe_pass = mysql_real_escape_string($pass);
  $result = mysql_query("select username, password from " . TABLE . " where username='$safe_user' AND password='$safe_pass'");
  if (mysql_num_rows($result) >= 1)
  {
    // Use the variables read from $_POST above
    setcookie("micmacs_login","$user $pass");
    print 'You logged in!';
  }
  else
  {
    print 'Invalid authentication information entered.';
    die();
  }
}
else
{
  print 'Please go back and complete the login form.';
}
?>
In my opinion I think it is a good idea to define the mySQL information at the top so that if you ever need to give this script to someone else they can just change all those values without having to scan the code for their entries.

Script #2 - checkUser.php - Script to include at the top of files you want to be protected

Code:

<?php
  // $_COOKIE is the superglobal that holds the cookies sent by the browser
  if (!$_COOKIE['micmacs_login'])
  {
     print 'You have not logged in.';
     die();
  }
  else { }
?>
Reply if you have any questions.
nigma
DevNet Resident
Posts: 1094
Joined: Sat Jan 25, 2003 1:49 am

Post by nigma »

test
stuck
Forum Newbie
Posts: 4
Joined: Thu Aug 14, 2003 4:29 pm
Location: Canada

Post by stuck »

Thank you.
I replaced the scripts with yours and it worked with the print commands. Then I replaced the print commands with:
header("Location: backtoform.php"); //When user not logged in.

or

$msg = "<meta http-equiv=\"Refresh\" content=\"0;url=./protectedpage.php\">";
and
if ($msg) echo $msg; // If user logged in

At this point, I get to the secured page, but it's like I don't have the cookie installed. It prints: You have not logged in.

I tried so many things I'm starting to think there's something wrong with my browsers.

Thanks for any hint you may give me. It's greatly appreciated.
Marc.
nigma
DevNet Resident
Posts: 1094
Joined: Sat Jan 25, 2003 1:49 am

Post by nigma »

Is the protected page in the same directory as your validate.php and checkUser.php files?
stuck
Forum Newbie
Posts: 4
Joined: Thu Aug 14, 2003 4:29 pm
Location: Canada

Post by stuck »

The protected page and validate.php are in the same directory. Checkuser.php has been renamed checkuser.inc and is in an includes directory.
I insert checkuser.inc as an inclusion in the page to protect so it's virtually in the same directory I guess.
It seems checkuser doesn't retrieve the cookie or validate doesn't set it.
I'll test a few more things. Tell me if you have any idea.
Regards.
stuck
Forum Newbie
Posts: 4
Joined: Thu Aug 14, 2003 4:29 pm
Location: Canada

Post by stuck »

I tried accessing the page. I went through the form, through validate.php and then reached the protected page. Then, checkuser.php sent the not logged in message.
I went to the cookie folder on my PC. The cookie which had to be set through validate.php hadn't been created.
nigma
DevNet Resident
Posts: 1094
Joined: Sat Jan 25, 2003 1:49 am

Post by nigma »

Okay, I know what is wrong: we set the cookie wrong. Here is one of the proper ways to set a cookie.

Code:

$cook_life = time() + 8400;
setcookie("cookiename", "cookiedata", $cook_life, "/", "", 0);
I will put a link at the bottom to the page where I learned how to set cookies correctly, and the page also explains what all the arguments to setcookie() do.

http://www.onlamp.com/pub/a/php/excerpt/webdbapps_8/
Go there and scroll down to "Example 8-1: Setting a cookie using PHP"

Tell me if it works out?
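
Added example, not part of any post in this thread: the scripts above store "username password" in the cookie and keep running after header("Location: ..."). This sketch puts an HMAC-signed, expiring token in the cookie instead and calls exit after each redirect. SECRET_KEY and the function names are assumptions, the password check against the database is assumed to have already succeeded, and the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added sketch; SECRET_KEY and all function names here are hypothetical.
const SECRET_KEY  = 'replace-with-random-32-byte-secret'; // placeholder value
const COOKIE_NAME = 'micmacs_login';                      // cookie name used in the thread
const LIFETIME    = 8400;                                 // seconds, as in the last post

// Build "username|expiry|mac"; the password never leaves the server.
function make_token(string $username, int $now): string {
    $payload = rawurlencode($username) . '|' . ($now + LIFETIME);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return the username if the token is authentic and unexpired, else null.
function check_token(string $token, int $now): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3) return null;
    [$user, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, SECRET_KEY);
    if (!hash_equals($expected, $mac)) return null;       // constant-time compare
    if (!ctype_digit($expiry) || (int)$expiry < $now) return null;
    return rawurldecode($user);
}

// Call once the password check has succeeded and before any output is sent.
function send_login_cookie(string $username): void {
    setcookie(COOKIE_NAME, make_token($username, time()), [
        'expires'  => time() + LIFETIME, 'path' => '/',
        'httponly' => true, 'samesite' => 'Lax',
        'secure'   => true, // assumes the site is served over HTTPS
    ]);
    header('Location: soumettre.php');
    exit; // nothing after the redirect may run
}

// For the include on protected pages: redirect and stop if the cookie is bad.
function require_login(): string {
    $user = check_token($_COOKIE[COOKIE_NAME] ?? '', time());
    if ($user === null) {
        header('Location: authentification.php');
        exit;
    }
    return $user;
}

// Constructed self-check, runnable from the command line:
$t = make_token('marc', 1000);
var_dump(check_token($t, 1001));                // fresh, untouched token
var_dump(check_token($t . 'x', 1001));          // tampered MAC
var_dump(check_token($t, 1000 + LIFETIME + 1)); // past its expiry
```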