User authentication with cookie. I can't see what's wrong

Posted: Thu Aug 14, 2003 4:29 pm
by stuck
This is the script used in the file that verifies the user-pass and it seems to be alright.

Code:

<?
if($username && $password) {
  mysql_connect("localhost","root","") or die ("Whoops");
  $password = ($password);
  $sql = "select * from utilisateurs where username='$username'";
  $r = mysql_db_query("micmacs",$sql);
  if(!mysql_num_rows($r))
    header("Location: authentification.php");
  $user = mysql_fetch_array($r);
  if($user["password"] == $password) {
    $password = ($password);
    setcookie("micmacs_login","$username $password");
    $msg = "<meta http-equiv=\"Refresh\" content=\"0;url=./soumettre.php\">";
  }else{
    header("Location: authentification.php");
  }
}
if ($msg) echo $msg;
?>
When I add the following script as an include to restrict access to the next page, the cookie in the first script doesn't seem to be set.

Code:

<?
if(!$_COOKIE['micmacs_login'])
  header("Location: authentification.php");
$known=$micmacs_login;
if($known) {
  mysql_connect("localhost","root","") or die ("Whoops");
  // The cookie value is "username password", so split on the space
  $user = explode(" ","$known");

  $sql = "select * from utilisateurs where username='$user[0]'";
  $r = mysql_db_query("micmacs",$sql);

  if(!mysql_num_rows($r)) {
    header("Location: authentification.php");
  }

  $chkusr = mysql_fetch_array($r);
  if(($user[1]) != $chkusr[1])
    header("Location: authentification.php");
}
?>
I've been working on this all day and can't figure out how to fix the problem.

Posted: Thu Aug 14, 2003 4:54 pm
by nigma
I couldn't understand what your motivation for doing some of the stuff I saw in the scripts was. But I also use cookie based authentication on my website and something like this would work:

Script #1 - validate.php - To check if username and password are valid

Code:

<?php
define("HOST", "hostname");  // Define the mySQL server address
define("USER", "username");  // Define the mySQL username
define("PASS", "password");  // Define the mySQL password
define("DBNAME", "dbname");  // Define the mySQL database name
define("TABLE", "table");    // Define the mySQL table containing user information

$user = $_POST['username']; /* If you are using the GET method replace POST with GET */
$pass = $_POST['password']; /* If you are using the GET method replace POST with GET */

if (!(empty($user) || empty($pass)))
{
  mysql_connect(HOST, USER, PASS);
  mysql_select_db(DBNAME);
  $result = mysql_query("select username, password from " . TABLE . " where username='$user' AND password='$pass'");
  if (mysql_num_rows($result) >= 1)
  {
    setcookie("micmacs_login","$user $pass");
    print 'You logged in!';
  }
  else
  {
    print 'Invalid authentication information entered.';
    die();
  }
}
else
{
  print 'Please go back and complete the login form.';
}
?>
In my opinion I think it is a good idea to define the mySQL information at the top so that if you ever need to give this script to someone else they can just change all those values without having to scan the code for their entries.

Script #2 - checkUser.php - Script to include at the top of files you want to be protected

Code:

<?php
  // $_COOKIE is the superglobal that holds the cookies sent by the browser
  if (!$_COOKIE['micmacs_login'])
  {
     print 'You have not logged in.';
     die();
  }
  else { }
?>
Reply if you have any questions.
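
Added example (not part of nigma's post or of the thread): the same two-step flow, login check plus page guard, written for current PHP with a prepared statement, `password_verify()`, a server-side session instead of the username and password in the cookie, and `exit` after each redirect. The connection details and the `password_hash` column are assumptions; the table and page names come from the first post.

```php
<?php
// Added example, not code from the thread. The DSN, the database account
// and the password_hash column are assumptions made for illustration.
declare(strict_types=1);

function db(): PDO
{
    // Placeholder credentials: use a dedicated low-privilege account, not root.
    return new PDO('mysql:host=localhost;dbname=micmacs;charset=utf8mb4',
        'app_user', 'app_password', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
}

// Login step (validate.php in the post above).
function login(PDO $pdo, string $username, string $password): bool
{
    // The bound parameter keeps user input out of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM utilisateurs WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_hash holds the output of password_hash(), never the plain text.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // new session id after authentication
    $_SESSION['user'] = $row['username'];
    return true;
}

// Page guard (checkUser.php in the post above).
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: authentification.php');
        exit;   // header() alone does not stop the protected page from running
    }
}

session_start();    // sends the session cookie, so it must run before any output
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login(db(), (string)($_POST['username'] ?? ''),
                      (string)($_POST['password'] ?? ''));
    header('Location: ' . ($ok ? 'soumettre.php' : 'authentification.php'));
    exit;
}
require_login();    // any other request must already carry a logged-in session
```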

Posted: Thu Aug 14, 2003 10:23 pm
by nigma
test

Posted: Fri Aug 15, 2003 10:45 am
by stuck
Thank you.
I replaced the scripts with yours and it worked with the print commands. Then I replaced the print commands with:
header("Location: backtoform.php"); //When user not logged in.

or

$msg = "<meta http-equiv=\"Refresh\" content=\"0;url=./protectedpage.php\">";
and
if ($msg) echo $msg; // If user logged in

At this point, I get to the secured page, but it's as if I don't have the cookie installed. It prints: You have not logged in.

I tried so many things I'm starting to think there's something wrong with my browsers.

Thanks for any hint you may give me. It's greatly appreciated.
Marc.

Posted: Fri Aug 15, 2003 11:16 am
by nigma
Is the protected page in the same directory as your validate.php and checkUser.php files?

Posted: Fri Aug 15, 2003 11:49 am
by stuck
The protected page and validate.php are in the same directory. Checkuser.php has been renamed checkuser.inc and is in an includes directory.
I insert checkuser.inc as an inclusion in the page to protect so it's virtually in the same directory I guess.
It seems checkuser doesn't retrieve the cookie or validate doesn't set it.
I'll test a few more things. Tell me if you have any idea.
Regards.

Posted: Fri Aug 15, 2003 12:04 pm
by stuck
I tried to access the page. I went through the form, through validate.php and then reached the protected page. Then, checkuser.php sent the not logged in message.
I went to the cookie folder on my PC. The cookie which had to be set through validate.php hadn't been created.

Posted: Fri Aug 15, 2003 7:35 pm
by nigma
Okay, I know what is wrong, we set the cookie wrong, here is one of the proper ways to set a cookie.

Code:

$cook_life = time() + 8400;
setcookie("cookiename", "cookiedata", $cook_life, "/", "", 0);
I will put a link at the bottom to the page where I learned how to set cookies correctly and the page also explains what all the arguments to setcookie() do.

http://www.onlamp.com/pub/a/php/excerpt/webdbapps_8/
Go there and scroll down to "Example 8-1: Setting a cookie using PHP"

Tell me if it works out?
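
Added example (not from the thread or the linked article): setting the login cookie with an explicit lifetime and path as in the post above, but carrying an HMAC-signed username and expiry instead of the password, and using the options-array form of `setcookie()` available since PHP 7.3. `COOKIE_KEY` and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. COOKIE_KEY is a placeholder:
// load a random secret from server-side configuration instead.
const COOKIE_KEY  = 'replace-with-32-random-bytes';
const COOKIE_LIFE = 8400;   // seconds, the lifetime used in the post above

// Build "base64(username).expiry.hmac"; no password ever goes to the browser.
function make_login_cookie(string $username, int $now): string
{
    $payload = base64_encode($username) . '.' . ($now + COOKIE_LIFE);
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return the username if the cookie is authentic and unexpired, else null.
function read_login_cookie(string $cookie, int $now): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$user64.$expires", COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return null;                        // edited or forged value
    }
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null;                        // expired
    }
    $user = base64_decode($user64, true);
    return $user === false ? null : $user;
}

// setcookie() emits a Set-Cookie header, so call this before any output.
function send_login_cookie(string $username): void
{
    $now = time();
    setcookie('micmacs_login', make_login_cookie($username, $now), [
        'expires'  => $now + COOKIE_LIFE,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}
```

A protected page would call `read_login_cookie($_COOKIE['micmacs_login'] ?? '', time())` and redirect, followed by `exit`, when it returns null.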