
[RESOLVED] Setting cookies

Posted: Sun Aug 06, 2006 6:21 pm
by LuiePL
I've been trying to figure out how to use cookies, but nothing out there tells me the setup for putting everything in order in the code. This is what I have so far, but it doesn't work

Code:

<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") //If it was posted to set the cookie
	{
		$check = $_POST['set']; //The 'set' is if the user wants to be remembered
		if($check=='ON')
			{
				$name = $_POST['name'];
				$pass = md5($_POST['pass']);
				$cookie_data = $name.'-'.$pass;
				setcookie("user", $cookie_data); //No expiration
			}
		else
			{
				$name = $_POST['name'];
				$pass = md5($_POST['pass']);
				$cookie_data = $name.'-'.$pass;
				setcookie ("user", $cookie_data, time() + 3600); //Expire after 1 hour
			}
	}
echo "<HTML>";
echo "<HEAD>";
echo "<link rel='stylesheet' type='text/css' href='Style.css'>";
echo "<TITLE>Members Only</TITLE>";
require "header.php"; //Page with all the html code for the head and some body
require "body.php"; //Page with all the html code for the body up until:

// ----- All my login code (Enter name & password, authenticate etc) -----

require "footer.php"; //The rest of the HTML code
?>

Posted: Sun Aug 06, 2006 6:41 pm
by RobertGonzalez
I would seriously reconsider sending the password hash via cookie.

Code:

<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") //If it was posted to set the cookie
{
    $check = $_POST['set']; //The 'set' is if the user wants to be remembered
    $name = $_POST['name'];
    $pass = md5($_POST['pass']);
    $cookie_data = $name.'-'.$pass;
    $expiry = 0;

    if ( !$check )
    {
        $expiry = time() + 3600; //Expire after 1 hour
    }

    setcookie ("user", $cookie_data, $expiry);
} 
?>

Posted: Sun Aug 06, 2006 6:42 pm
by Ambush Commander
Put error_reporting(E_ALL) on the top of your script and tell us if any error messages pop up.

Also, consider Everah's suggestion; you may not have asked for help on security, but while you're here, we might as well.

Posted: Sun Aug 06, 2006 6:54 pm
by LuiePL
I threw that in and I tried to have it display what the cookie was, and right before it this popped up:

"Notice: Undefined index: user in /index.php on line 96"

Line 96:

Code:

echo "<BR>Cookie: ".$_COOKIE['user'];

'user' is supposed to be the name of the cookie

I don't plan on keeping the password there forever, but this project isn't security conscious right now. I won't go live with this until all bugs are worked out, and I switch the password over. I plan on eventually changing it to some sort of SID and hashing that. But if it isn't setting the cookie to begin with there really isn't much of a risk.
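
Added example, not part of any post in this thread: one way to build the "some sort of SID" mentioned above, so that the cookie no longer carries the name and MD5 password hash that RobertGonzalez advised against sending. The function names, the `remember` cookie name and the in-memory `$store` array (standing in for a database table) are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Added example: a remember-me cookie that carries a random token, not a password hash.
// $store stands in for a database table (assumption); all names are hypothetical.

function issue_remember_token(array &$store, string $username, int $lifetime): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unrelated to the password
    // Keep only a hash server-side, so a leaked table cannot be replayed as cookies.
    $store[hash('sha256', $token)] = ['user' => $username, 'expires' => time() + $lifetime];
    return $token;
}

function verify_remember_token(array &$store, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null; // unknown, revoked, or already used
    }
    $row = $store[$key];
    unset($store[$key]); // single use: the caller issues a fresh token after each success
    return ($row['expires'] >= time()) ? $row['user'] : null;
}

function send_remember_cookie(string $token, int $lifetime): bool
{
    // The options-array form of setcookie() needs PHP 7.3 or later.
    return setcookie('remember', $token, [
        'expires'  => time() + $lifetime, // absolute timestamp, not a duration
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Constructed demonstration, run from the command line so no headers are involved.
if (PHP_SAPI === 'cli') {
    $store = [];
    $token = issue_remember_token($store, 'alice', 30 * 86400);
    var_dump(verify_remember_token($store, $token)); // first presentation is accepted
    var_dump(verify_remember_token($store, $token)); // replay of the consumed token is rejected
}
```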

Posted: Sun Aug 06, 2006 7:00 pm
by Ambush Commander
Hmm... that makes sense, I suppose (all it means is that the cookie doesn't exist). You should put an isset() check there, but...

Let's make sure the actual code is getting executed: put "echo 'Cookie set!'" right after all your setcookie calls and then post the login information again.

Also, after looking at your code again, having no expiration value does not mean no expiration: it means that the cookie will only last for the session (and disappear when the browser closes.) Just set it to a big number.

Posted: Sun Aug 06, 2006 7:08 pm
by LuiePL
OK, this is at the top now:

Code:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
		$check = $_POST['set'];
		if($check=='ON')
			{
				$name = $_POST['name'];
				$pass = md5($_POST['pass']);
				$cookie_data = $name.'-'.$pass;
				setcookie("user", $cookie_data, time() + 24*365*3600); //Have it expire after 1 year
				echo "Cookie Set!";
			}
		else
			{
				$name = $_POST['name'];
				$pass = md5($_POST['pass']);
				$cookie_data = $name.'-'.$pass;
				setcookie ("user", $cookie_data, time() + 3600);
				echo "Cookie Set!";
			}
	}

In the body:

Code:

if (isset($_COOKIE['user']))
	{
		echo "<BR>Cookie: ".$_COOKIE['user'];
	}
else
	{
		echo "<BR>Cookie Not Set";
	}

Now it's saying "Cookie Set!" at the top, but when it gets down to the bottom, it says "Cookie not set". Do I need to set the cookie outside of the If statements at the top?

Posted: Sun Aug 06, 2006 7:10 pm
by Ambush Commander
Do a soft reload (select the Address bar and then press enter). Now is the cookie set?

Posted: Sun Aug 06, 2006 7:16 pm
by RobertGonzalez
Yeah, I'm not sure you can set a cookie and retrieve it in the same trip to the server. I could be wrong though.

PS, you may want to compare the code you posted and the code I posted in response to it above. Yours has a bit of redundancy that could be cleaned up a bit.

Posted: Sun Aug 06, 2006 7:19 pm
by LuiePL
No, still not set. I have it set to check how the page was loaded with "$_SERVER['REQUEST_METHOD']"; if it's "GET" then I have some code to see if the cookie is loaded. If it is, it's supposed to skip down to the "logged in" portion of the code. If not, it has the Username/Password stuff to login. When you login, the authenticate code works, and it shows the login stuff properly, but doesn't set the cookie. I hope that makes sense.

Code:

if ($_SERVER['REQUEST_METHOD'] == 'GET') //Normal page load
	{
		echo $_SERVER['REQUEST_METHOD'];
		//Check if cookie is set
		if (!isset($_COOKIE['user'])) //See if there's a cookie already set
			{
				echo "<BR>Cookie Not Set";
				//No cookie, it asks for your login information
			}
		else
			{
				echo "<BR>Cookie: ".$_COOKIE['user'];
				//Cookie, it displays members options, "logged in" part
				//Can't get to this point from normal loading
			}
	}
else
	{
		//POST method runs the name and password and authenticates the user
	}

Posted: Sun Aug 06, 2006 7:23 pm
by RobertGonzalez
Before the part of the code where you check $_SERVER['REQUEST_METHOD'], echo it...

Code:

<?php
echo '<h1>Request Method is ' . $_SERVER['REQUEST_METHOD'] . '</h1>';
?>

What does it tell you?

Posted: Sun Aug 06, 2006 7:24 pm
by Ambush Commander
No, the code setcookie() is being called because he was getting "Cookie set".

Hmm... is your system clock correct?

Posted: Sun Aug 06, 2006 7:28 pm
by LuiePL
Everah wrote:Before the part of the code where you check $_SERVER['REQUEST_METHOD'], echo it...

Code:

<?php
echo '<h1>Request Method is ' . $_SERVER['REQUEST_METHOD'] . '</h1>';
?>

What does it tell you?

Right above "Cookie set/not set" I have

Code:

echo $_SERVER['REQUEST_METHOD'];

And it tells me the right thing (POST/GET) depending on how I load the page.

I just synced my clock with time.ms.com, and still no luck.

Posted: Sun Aug 06, 2006 7:29 pm
by RobertGonzalez
Good call AC. Maybe replace

Code:

echo "Cookie Set!";

with

Code:

echo 'Cookie "User" Set with an expiry time of ' . date("m/d/Y g:i:s A", time() + 3600);

Posted: Sun Aug 06, 2006 7:40 pm
by LuiePL
Everah wrote:

Code:

echo 'Cookie "User" Set with an expiry time of ' . date("m/d/Y g:i:s A", time() + 3600);

I switched some stuff around to this:

Code:

$expiry = 3600; //Expire in 1 hour
	
		if ( $check ) //if the check box is selected
		{
			$expiry = time() + 24*365*3600; //Expire after 1 year
		}
	
		setcookie ("user", $cookie_data, $expiry);
		echo "Cookie Set. Expires: " . date("m/d/Y g:i:s A", $expiry);
		echo "<BR>Time now: " . date("m/d/Y g:i:s A", time());

Now it shows:

Cookie Set. Expires: 08/06/2007 8:37:54 PM
Time now: 08/06/2006 8:37:54 PM

But I noticed when I don't select the "Remember Me" box I get:

Notice: Undefined index: set in /index.php on line 5

Warning: Cannot modify header information - headers already sent by (output started at /index.php:5) in /index.php on line 16
Cookie Set. Expires: 12/31/1969 8:00:00 PM
Time now: 08/06/2006 8:38:50 PM

And in the body I get:

Notice: Undefined index: set in /index.php on line 123

Lines 5, and 123 are both:

Code:

$check = $_POST['set'];

Posted: Sun Aug 06, 2006 7:42 pm
by RobertGonzalez
That means that the post var 'set' is not set to anything. Try this ...

Code:

$check = ( isset($_POST['set']) ) ? $_POST['set'] : '';
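
Added example, not part of any post in this thread: the cookie-setting step with the three checks the notices and warnings above point at, namely an `isset()` test for the unchecked box, an absolute expiry timestamp, and a `headers_sent()` guard. The field and cookie names (`set`, `user`) follow the posts; the function names and the placeholder cookie value are assumptions.

```php
<?php
// Added example: setting the 'user' cookie with the checks discussed in the thread.
// Function names and the cookie value are hypothetical.

function cookie_expiry(bool $remember, int $now): int
{
    // setcookie() expects an absolute Unix timestamp; 0 means "until the browser closes".
    // A bare 3600 is one hour after the Unix epoch, so the browser treats the cookie
    // as already expired.
    return $remember ? $now + 365 * 24 * 3600 : $now + 3600;
}

function set_user_cookie(array $post, string $cookie_data): bool
{
    // An unchecked checkbox is not submitted at all, so test for its presence
    // instead of reading $_POST['set'] directly.
    $remember = isset($post['set']) && $post['set'] !== '';

    // Cookies travel in the response headers. Any earlier output, including a
    // PHP notice printed to the page, means the headers are gone and the call fails.
    if (headers_sent($file, $line)) {
        error_log("Cookie not sent: output already started at $file:$line");
        return false;
    }
    return setcookie('user', $cookie_data, cookie_expiry($remember, time()));
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $sent = set_user_cookie($_POST, 'placeholder-value');
}

// $_COOKIE holds only what the browser sent with this request, so a cookie set
// above first shows up here on the following request.
$current = isset($_COOKIE['user']) ? $_COOKIE['user'] : null;
```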