Error with cookie

Posted: Wed Apr 19, 2006 1:24 am
by tristanlee85
There seems to be an issue with my cookie when a user has closed out of a browser window instead of logging out beforehand. Basically, here is my login script to set the cookie:

Code:

<?php
// expire cookie
setcookie ("loggedin", "", time() - 3600);

include("include.php"); 

// connect to the mysql server
$link = mysql_connect($server, $username, $password)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

switch($_GET['action'])
{
   case "newpass":
   $user = $_POST['user'];
   setcookie("loggedin", "TRUE", time()+(3600 * 24));
   setcookie("fedex_username", "$user");
   
   include("cookie.php");
   $pass = $_POST['password'];//get password from form
   $pass2 = $_POST['password2'];//get password2 from form
   
   //USER AND PASSWORD LENGTH CHECK
   $min_length = 6; //this value is the minimal length that we desire our passwords 
   //to be if the username or the password is shorter than 6 chars the user is sent 
   //to a previously prepared custom error page
echo "<div align=\"center\">";
if(strlen($pass) < $min_length)
{
    echo "Sorry, but your password is less than $min_length characters.<br>";
    echo "<a href=\"javascript: history.go(-1);\">Try again</a>";
    die();
}
   if (($pass)!=($pass2)) //if the values stored in the 2 variables are 
//different we redirect the users to a previously created error page
{
    echo "Sorry, but your passwords do not match.<br>";
    echo "<a href=\"javascript: history.go(-1);\">Try again</a>";
    die();
}
   // escape the username before it is placed in the query string
   $query = "UPDATE members SET password = '".md5($_POST['password'])."' WHERE user = '".mysql_real_escape_string($fedex_username)."'";
   mysql_query($query);
   echo "<meta http-equiv=\"refresh\" content=\"3;URL=/fedex1/\"><base target=\"_parent\">Thank you for updating your password. You will be redirected to the main page.";
   echo "</div>";
   die();
   break;
}

$pass = md5($_POST['password']);
$temp_pass = md5("fedexeval1");

// escape the submitted username before it is placed in the query string
$match = "select id from members where user = '".mysql_real_escape_string($_POST['user'])."'
and password = '".md5($_POST['password'])."';";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry); 

if ($num_rows <= 0) { 
echo "<div align=\"center\">";
echo "Sorry, there is no username \"$user\" with the specified password. Please check your information.<br>";
echo "<a href=\"javascript: history.go(-1);\">Try again</a>";
echo "</div>";
exit; 
} else {

//**********************************************************************
//Set the cookie
//**********************************************************************
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("fedex_username", "$user");
if ($pass == $temp_pass)
{
	echo "<div align=\"center\">";
	echo "You are now logged in, <b>$user</b>, but you are required to change your password.<br><form action=\"user_login.php?action=newpass\" method=\"POST\"><table align=\"center\" width=\"30%\"><tr>
<td>Password<br>(6 - 12 characters):</td>
<td><input type=\"hidden\" name=\"user\" value=\"$user\"><input type=\"password\" name=\"password\" size=\"20\"></td>
</tr>
<tr>
<td>Re-enter password:</td>
<td><input type=\"password\" name=\"password2\" size=\"20\"></td>
</tr>
<tr align=\"center\">
<td colspan=\"2\"><input type=\"submit\" value=\"Update\"></td>
</tr></table></form><br>";
echo "</div>";
}

else
{
echo "<div align=\"center\">";
echo "<meta http-equiv=\"refresh\" content=\"2;URL=javascript:window.open('/fedex1/','_parent');\">Thank you for logging in, $user! Please wait...<br>";
echo "</div>";
}
}
//echo "</div>";
?>
About 3/4 of the way down is where the cookie is set. Now, it works all fine throughout the system while the user is still on the website. At the top of the page, it displays "Welcome, tristanlee85. [ logout ]" If I close out of the browser completely, open it, and go back to the site, it then says "Welcome, . [ logout ]"

Here is the script to check whether the user is logged in or not, and if so, display the "Welcome" text.

Code:

<?php
$fedex_username = $HTTP_COOKIE_VARS["fedex_username"];
if (!isset($_COOKIE['loggedin']))
	{
	echo "";
	}
	else
	{
	echo "<td align=\"center\"><font color=\"00cc00\">[</font><a href=\"roster.php\" target=\"main\">Manage Employee Roster</a><font color=\"00cc00\">]</font> | <font color=\"00cc00\">[</font><a href=\"add_eval.php\" target=\"main\">Submit Evaluations</a><font color=\"00cc00\">]</font> | <font color=\"00cc00\">[</font><a href=\"view_eval.php\" target=\"_new\">View Evaluations</a><font color=\"00cc00\">]</font> | <font color=\"00cc00\">[</font><a href=\"tools.php\" target=\"main\">Database Tools</a><font color=\"00cc00\">]</font></td></tr><tr><td colspan=\"2\" align=\"left\">Welcome, $fedex_username. [ <a href=\"logout.php\" target=\"_parent\">logout</a> ]";
	}
?>
And here is my script to expire the cookie (log the user out):

Code:

<?php

// expire cookie
setcookie ("loggedin", "", time() - 3600);
$user = $_POST['user'];

echo "<meta http-equiv=\"refresh\" content=\"2;URL=javascript:window.open('/fedex1/','_parent');\">Logging <b>$user</b> out of the system...";

?>
What do I need to change to fix my issue?

Posted: Wed Apr 19, 2006 1:36 am
by feyd
I would suggest storing all that cookie data in a session. If the user closes the browser, they log out as the session data is destroyed on closing (unless you alter the expiration timestamp.)

Posted: Wed Apr 19, 2006 10:50 am
by tristanlee85
So would I need to remove my cookie code altogether and just use a session ID? I've never done sessions before, and I searched http://www.hotscripts.com for a few examples but I didn't find anything that would match my problem.

Posted: Thu Apr 20, 2006 12:44 am
by tristanlee85
Anyone? What I'm wanting to do is still use my cookie, but also a session so whenever the browser is closed, the cookie is expired.

Posted: Thu Apr 20, 2006 10:39 am
by feyd
A cookie that dies when the browser is closed is a session (cookie.)

Posted: Thu Apr 20, 2006 11:09 pm
by tristanlee85
Alright...so here is what I have right now.

When a user successfully logs in, this is executed:

Code:

session_start();
$_SESSION['fedex_username'] = $user;
$user is the value of the username that the person used when logging in.

In all of my pages that require a login, I have an

Code:

include 'cookie.php';
and that file consists of this:

Code:

session_start();
$fedex_username = $_SESSION['fedex_username'];
Now, it's signing me into my pages, but I get errors like this on every page with the include:

Code:

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /opt/lampp/htdocs/fedex1/main.php:13) in /opt/lampp/htdocs/fedex1/cookie.php on line 3

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /opt/lampp/htdocs/fedex1/main.php:13) in /opt/lampp/htdocs/fedex1/cookie.php on line 3
I don't get it...

Posted: Thu Apr 20, 2006 11:28 pm
by tristanlee85
Well apparently session start has to be at the very very top. That was my problem. It seems to be working fine. I'm just wondering though, why do I see some websites that have "?id=v5n4985v79n757n97n98v54" (<-- example) after them? I don't see mine with that.

Posted: Fri Apr 21, 2006 6:27 am
by timvw
It's explained in http://www.php.net/session
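
The session approach suggested in this thread, as an added example that is not code from any of the posters: the original login script gave `loggedin` a 24-hour expiry but set `fedex_username` with no expiry, so only the flag survived a browser restart, whereas here the login state and the username are one server-side session value. It assumes PHP 7.1 or later; the file name `auth.php` and all function names are hypothetical.

```php
<?php
// auth.php (hypothetical file name): added example, not code from the thread.
// Include it before any HTML or whitespace is output; otherwise session_start()
// fails with the "headers already sent" warning quoted above.

function start_login_session(): void
{
    // Carry the session ID in a cookie only, never in the URL (?PHPSESSID=...).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Lifetime 0: the browser drops the cookie when it closes. HttpOnly is on;
    // set the fourth argument (secure) to true when the site runs over HTTPS.
    session_set_cookie_params(0, '/', '', false, true);
    session_start();
}

function log_in(string $user): void
{
    // Issue a fresh session ID once the password check has passed.
    session_regenerate_id(true);
    $_SESSION['fedex_username'] = $user;
}

function current_user(): ?string
{
    // Login state and username are one server-side value, so they cannot
    // expire separately the way the two cookies did.
    return $_SESSION['fedex_username'] ?? null;
}

function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function welcome_html(): string
{
    $user = current_user();
    if ($user === null) {
        return '';
    }
    // Escape the name before it is placed in the page.
    return 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
         . '. [ <a href="logout.php" target="_parent">logout</a> ]';
}
```

Each protected page calls `start_login_session()` first and then `current_user()`; the login script calls `log_in($user)` only after the password check succeeds.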