#1
Article Discussion: User identification using cookies in PHP/MySQL
If you have any questions or comments about this article please post them here.
This forum post relates to this article

#2
As far as I can see this is a very good attempt to build up a login script.
I want to suggest adding a "remember me" checkbox to it. I know this would spin security down, but in combination with a md5'ed browser cfg or sth similar that would probably not change until the next visit, it should be secure enough. I haven't implemented the script due to this missing feature, but as I'm typing I think this would be fairly the same as putting the cookie's duration time to about a year - so if the user doesn't logout he will be recognized again. I'm not that much into php/mysql yet, so: what do you think?

#3
I get this error
Code:
Warning: Wrong parameter count for mysql_num_rows() in detectuser.php on line 35
which is this
Code:
// now see if user’s id exists in database
if (mysql_num_rows($res,0)) {
there is also a missing ")" in the original code:
Code:
if (mysql_num_rows($res,0) {
I've found no clue what the ,0 stands for. Should this be
Code:
if (mysql_num_rows($res)>0)
I don't know and give up, kind of tired.. any help/suggestions very appreciated.

#4
My guess is that you're right... Try replacing that snippet with:
Code:
if (mysql_num_rows($res) > 0)
There's only one argument for that function.
__________________
Developer Shed Weekly Writer | DevArticles Forum Moderator Build Your Own KlipFolio Klip With PHP FrankManno.com - Under Construction Design Interactive Group - Under Construction

#5
Thank you, Frankie!
and what do you think about the "Remember Me" thing?

#6
No problem! Glad to help!
What you would need to do for the "Remember Me" is set a cookie that stores the user's login and password. When they log on to the site, the server checks to see if the cookie exists. If it exists, extract the login and password, and verify it against the DB. If it validates, log them in automatically. If you need more of an explanation, let me know. You may also want to take a look at this article: http://www.devarticles.com/art/1/490

#7
I think it's insecure to store the user's name and password in the cookie, isn't it?
I have it now the following way: altered the code so that the cookie is only set when "Remember Me" is checked (cookie's duration is 30 days). If cookie is present and logcode is the same as in DB then the user gets logged in and the logcode gets updated. But this is insecure in the same way. If no "remember me" is checked when logging in, the login is only valid for the session. I disabled the logcode-update with each click, because it produces a lot of Cookie-Popups (if you want to be asked) and security does not have to be very high - so I could also do the user/pwd cookie, I think. hmm? (Thanks for the article link, but it's exactly the one we are talking about?!)

#8
You can store the user's password in an encrypted format (using MD5), this way their password isn't compromised in the cookie.
Sorry, I didn't realize it was that article until after I had posted the link. My fault!

#9
so a relatively good solution would be to store userid (instead of name), MD5ed password and logcode of last login, hm?
the logcode would prevent that a stolen cookie can be used, when the real user logged in in the meantime. btw: there is no secure way of transmitting the password in the POSTed data without SSL or sth similar massive, or?

#10
Unfortunately, the only secure way to transmit data would be using SSL... But if you encrypt the password, using MD5, you're pretty safe!

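An added example, not code from the article or from any poster in this thread: a "remember me" cookie that carries a random single-use token instead of the user's name or a password hash, rotated on every use in the way the logcode discussion in posts #7 and #9 describes. The table name remember_tokens, the functions issue_token() and redeem_token(), and the in-memory SQLite store are assumptions made for the illustration.

```php
<?php
// Added example, not the article's or the thread's code. Assumed names: table
// remember_tokens, issue_token(), redeem_token(); storage is in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
           validator_hash TEXT, user_id INTEGER, expires INTEGER)');

// Issue a token for a user; returns the cookie value "selector:validator".
function issue_token(PDO $db, int $userId, int $ttl = 2592000): string {
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its SHA-256 is stored
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return "$selector:$validator";
}

// Redeem a cookie value; returns [userId, replacementCookieValue] or null.
// The stored row is deleted on every attempt, so each token works at most once.
function redeem_token(PDO $db, string $cookie): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $q = $db->prepare('SELECT validator_hash, user_id, expires
                       FROM remember_tokens WHERE selector = ?');
    $q->execute([$parts[0]]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    $ok = hash_equals($row['validator_hash'], hash('sha256', $parts[1]))  // constant-time
        && (int) $row['expires'] >= time();
    return $ok ? [(int) $row['user_id'], issue_token($db, (int) $row['user_id'])] : null;
}

// Constructed demo: user 42 ticks "remember me", returns once, then the old value is reused.
$first  = issue_token($db, 42);
$visit  = redeem_token($db, $first);   // accepted; a replacement token is issued
$replay = redeem_token($db, $first);   // refused; the first token no longer exists
var_dump($visit[0], $replay === null);

// In a web request the replacement goes back to the browser, e.g. (PHP 7.3+, HTTPS assumed):
// setcookie('remember', $visit[1], ['expires' => time() + 2592000, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Because the database holds only a hash of the validator, a leaked table does not yield usable cookie values, and the cookie itself never contains anything derived from the password.
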
#11
i could really need some help here...
i could really need some help here... (new with php/mysql)
i take everything from the start: i made this form in post.php
<form action="login.php" method="post">
user:<br>
<input name="username" type="text" size=15><br>
pass:<br>
<input name="password" type="text" size=15><br>
<input type="submit" name="submit" value="Login">
</form>
In the file login.php i have connected to the mysql db, and inserted the function func_generate_string() above the original text in login.php. this is right?
setcookie() is like this:
setcookie("cookie", $newval, time() + 300, "/cookie/", "demo.mydomain.com");
I have made a user in my db with user/pass: test/test
when i try to login using post.php, the url changes to login.php, but i get this error:
Parse error: parse error, unexpected T_STRING in /hsphere/local/home/me/demo.mydomain.com/cookie/login.php on line 22
line 22 is like this:
$res= mysql_query("SELECT id FROM my_users WHERE username='$username' AND password='$mdpass'") or die(“Could not select user ID.”);
what's wrong here? this login script seems to be what i have been looking for, but i really need to get it working

#12
i have tried and tried, but cannot get it working...
i think i give up now... anybody knows any other good guides in how to use cookies with php/mysql?

#13
stighabb,
Can you post the entire login.php script you're using? I have a feeling it's not that line that's causing the problems.

#14
thank you for the answer! i found it out: the wrong " was used (can't find the one that was used here on my keyboard)..... when i replaced these with the correct ones, it worked =) if i get any more questions I will post them here! thanks for a marvelous script

#15
sessions?
First of all thanks for a really useful tutorial.
....but.... can someone enlighten me as to the advantage of "combining" this method with sessions?...
"Also, you can combine this method with session-based user id and pass session ID within the cookie too, ensuring cookie cannot be stolen."
Thanks,
Anna

#16
Help with this article.
I could use a little help with this article, but I think it may be solved through help with a particular problem. It seems that whenever I include a redirect, e.g. header("Location: loggedin.php"); in my code, cookies are never created. For instance, using this article's code, I write (near the bottom of the page for the first page of code):
// store the cookie
setcookie("cookiename", $newval, time() + 300, ".spa.ward.american.edu");
// redirect to some user welcome area
header("Location: loggedin.php");
I get directed to the page loggedin.php correctly when I put in the correct username and password, but no cookie is created on my browser. If I replace the redirect with simple text, say:
// store the cookie
setcookie("cookiename", $newval, time() + 300, ".spa.ward.american.edu");
// redirect to some user welcome area
print 'you are logged in';
The cookie is created. Any idea what's going on here? My loggedin.php and detectuser.php files similarly don't seem to work (they allow me in no matter what), but hopefully this is the stem of the problem. I'm attaching all three files for your perusal.
check.php = script which contains above code, does check password correctly but won't create cookie when redirected
loggedin.php = script creating first login page...viewable whether there's a cookie or not present, though it shouldn't be
detectuser.php = script that should be making sure that loggedin.php isn't viewable w/o cookie present
Thanks so much,
Jeremy