
php cookie problem

Posted: Thu Oct 16, 2008 8:04 pm
by ThuggLife
I'm trying to deny access to a page based on whether or not the user has a valid authorization cookie, but it doesn't work?

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?php 
    
    // Bug the thread is about: when the browser sends no UserLevel cookie,
    // $_COOKIE["UserLevel"] is undefined (null), and PHP's loose comparison
    // treats null == 0 as true, so the check passes for everyone.
    // A visitor can also simply set the cookie to 0 or 1 by hand.
    if ($_COOKIE["UserLevel"] == 0 ||  $_COOKIE["UserLevel"] == 1) {
        echo '
        <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Untitled Document</title>
 
    
        </head>
 
        <body>
        <p>you\'re in</p>
        </body>
        </html>
        ';
    }
    else { echo 'your cookie is messed up'; }
?>
        
 
The problem is that the page will display the content whether or not I have a "UserLevel" cookie. Does anyone have a suggestion as to how I can prevent people from viewing a specific page based on a cookie? Basically my cookie just has a value of 0 for admin, 1 for registered users, and 3 for guests. Any help would be greatly appreciated.

Re: php cookie problem

Posted: Thu Oct 16, 2008 8:14 pm
by Stryks
Any chance you'd rethink using cookies for this and switch to sessions?

Just that ... well ... if I were a user and I happened to check the contents of my cookie and saw a setting 'userlevel' = 1, I'd probably be very tempted to change it to see what would happen.

Storing login credentials in a cookie is, for the most part, a bad idea.

On the login page:

Code:

session_start();
 
// other stuff (the actual credential check goes here)
 
// set only after the login check has succeeded; the value lives on the
// server, the browser only receives an opaque session id cookie
$_SESSION['authlevel'] = 1;
On the restricted page:

Code:

session_start();
 
// a visitor who never logged in has no 'authlevel' key at all; treat
// that as 0 instead of reading an undefined index
if ((int)($_SESSION['authlevel'] ?? 0) < 1) {
   // do a header redirect elsewhere, e.g. back to the login page
   header('Location: login.php');
   exit;
}


Food for thought anyhow.

Cheers
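A fuller version of the session-based gate Stryks describes, written as an added example rather than code from this thread. It keeps ThuggLife's level numbering (0 admin, 1 registered, 3 guest, lower means more privilege), stores the level only on the server, compares it strictly so a missing value can never pass as 0 the way `null == 0` did with the cookie, regenerates the session id at login against session fixation, and sets the session cookie with `HttpOnly`, `Secure` and `SameSite` so a script injected into the page cannot read it. File names (`login.php`, `loggedIn.php`), constant names and function names are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original thread. Session-based authorization
// level check for a restricted page; names and file layout are assumed.

declare(strict_types=1);

const LEVEL_ADMIN      = 0;
const LEVEL_REGISTERED = 1;
const LEVEL_GUEST      = 3;

// Start the session with hardened cookie flags for the session id itself:
// not readable from JavaScript (httponly), only sent over HTTPS (secure),
// not attached to cross-site requests (samesite). lifetime 0 means the
// cookie is discarded when the browser session ends.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called from login.php once the password check has succeeded.
// Regenerating the id prevents session fixation: a session id planted in
// the victim's browser before login does not become the authenticated one.
function log_in(int $level): void
{
    session_regenerate_id(true);
    $_SESSION['authlevel']    = $level;
    $_SESSION['logged_in_at'] = time();
}

// The level stored server-side, or null when nobody is logged in. A missing
// key stays null (never 0), so an anonymous visitor cannot look like admin.
function current_level(): ?int
{
    return isset($_SESSION['authlevel']) && is_int($_SESSION['authlevel'])
        ? $_SESSION['authlevel']
        : null;
}

// Gate for a restricted page: anyone with a level above $max_level, and
// anyone not logged in at all, is redirected and the script stops.
function require_level_at_most(int $max_level, string $login_url = '/login.php'): void
{
    $level = current_level();
    if ($level === null || $level > $max_level) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

// Clear the server-side data and expire the session cookie in the browser.
function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// --- in login.php, after the credential check (assumed) succeeds ---
// start_secure_session();
// log_in(LEVEL_REGISTERED);

// --- in loggedIn.php: admins (0) and registered users (1) get through,
// guests (3) and anonymous visitors are sent to the login page ---
start_secure_session();
require_level_at_most(LEVEL_REGISTERED);
echo '<p>You are in.</p>';
```

Two points worth keeping in mind when adapting this: `start_secure_session()` has to run before any output is sent, because both the session cookie and the redirect are HTTP headers, and `secure => true` means the session cookie is never sent over plain HTTP, so a localhost test without TLS needs that flag switched off for the duration of the test only.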

Re: php cookie problem

Posted: Thu Oct 16, 2008 8:40 pm
by ThuggLife
Thanks for the quick reply. You just answered my second question as well, which was going to be a question about preventing JavaScript injection and cookie tampering. I'll adjust the code now and post an update.

Thanks again!

UPDATE:

OK, I think it worked, but I'm not 100% sure. When does the session variable get erased? I'm testing this site locally using Apache. I open my web browser and type 'localhost' into the URL bar. If I go directly to my login.php page and try to type in the URL of the page (/localhost/testPages/loggedIn.php), it doesn't let me in; yay! However, after I logged in the first time I closed my browser, opened it again, went back to the 'localhost' directory and typed the URL of the page that shouldn't be accessible unless you're logged in, but it let me in?? Is this normal?

I hope this explanation is understandable; I'm kind of new to this stuff. Basically it works when I'm on the login.php page and try to type the URL of the forbidden page. However, I'm worried because it will let me in when I'm in the root of my 'localhost' directory and type the URL of the forbidden site. Why is this? Does it matter, or am I secure?