DeanWhitehouse Posted April 24, 2008

I have written a remember me feature into my script, but I don't think it is working (when I log out, it doesn't have my username already in the box), but I don't know, because I close the page and re-open it and I'm still logged in, but that might be my session not closing? This is my code:

```php
{
require_once 'db_connect.php';
if ($_SESSION['is_valid'] == false) {
    if (isset($_POST['login'])) {
        // Escape the submitted username before it is placed in the query
        $user_name = mysql_real_escape_string($_POST["user_name"]);
        $user_password = $_POST["user_password"];
        $cookiename = 'forumcookie';
        $verify_username = strlen($user_name);
        $verify_pass = strlen($user_password);
        if ($verify_pass > 0 && $verify_username > 0) {
            // Hash the submitted password with crypt(), salted with its first two characters
            $salt = substr($user_password, 0, 2);
            $userPswd = crypt($user_password, $salt);
            $sql = "SELECT * FROM `$user` WHERE user_name='$user_name' AND user_password='$userPswd' LIMIT 1;";
            $result = mysql_query($sql);
            if (mysql_num_rows($result) == 1) {
                $row = mysql_fetch_assoc($result);
                $user_level = $row['userlevel'];
                if ($user_level == 1) {
                    $login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '" . mysql_real_escape_string($_GET['u']) . "' AND user_password = '" . mysql_real_escape_string($_GET['p']) . "'"));
                    $userright = array($login_check['user_name'], $login_check['userlevel']);
                    $s_userpass = serialize($userpass);
                    $_SESSION['username'] = $row['user_name'];
                    $_SESSION['user_password'] = $row['user_password'];
                    $_SESSION['user_level'] = $row['userlevel'];
                    $_SESSION['user_id'] = $row['user_id'];
                    header("Location:http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
                    $_SESSION['is_valid'] = true;
                    // "Remember Me": store the username and password hash in cookies for 100 days
                    if(isset($_POST['remember'])) {
                        setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
                        setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
                    }
                } elseif ($user_level == 2){
                    $login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '" . mysql_real_escape_string($_GET['u']) . "' AND user_password = '" . mysql_real_escape_string($_GET['p']) . "'"));
                    $userright = array($login_check['user_name'], $login_check['userlevel']);
                    $s_userpass = serialize($userpass);
                    $_SESSION['username'] = $row['user_name'];
                    $_SESSION['user_password'] = $row['user_password'];
                    $_SESSION['user_level'] = $row['userlevel'];
                    $_SESSION['user_id'] = $row['user_id'];
                    header("Location:http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
                    $_SESSION['is_valid'] = true; //change the session variable name to what you want, just remember it for all files
                    if(isset($_POST['remember'])){
                        setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
                        setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
                    }
                }
            } else{
                echo "Login failed. Username and Password did not match database entries.";
            }
        } else {
            echo "Form was not completed. Please go back and make sure that the form was fully completed.";
        }
    }
    $server = str_replace("?logout=true","",$_SERVER['PHP_SELF']);
?>
<html>
<table bgcolor='#999999' align='right'><form action="<?php echo htmlspecialchars($server, ENT_QUOTES) ?>" method='POST'>
<tr><td>Username: </td><td><input type='text' name='user_name' /><br /></td></tr>
<tr><td>Password:</td><td> <input type='password' name='user_password' /><br /></td></tr>
<tr><td><input type="hidden" name="login" value="true"><input type="submit" value="Submit"></td></tr>
<tr><td><input type="checkbox" value="1" name="remember"> Remember Me </td></tr><tr><td><a href="register.php">[Register]</a></td></tr><tr><td><a href="forgot_password.php">[Forgot Password?]</a></td></tr></table>
</form>
</html>
<?php
    mysql_close();
} else {
    header("Location:http://".$_SERVER['HTTP_HOST']);
}
}
?>
```
craygo Posted April 24, 2008

Name will never go in unless you put a value in this line

```php
<tr><td>Username: </td><td><input type='text' name='user_name' /><br /></td></tr>
```

Try something like this (untested)

```php
<?php
// Pre-fill the username box from the remember-me cookie, if it is set
$username = isset($_COOKIE['cookname']) ? $_COOKIE['cookname'] : "";
?>
<tr><td>Username: </td><td><input type='text' name='user_name' value="<?php echo htmlspecialchars($username, ENT_QUOTES); ?>" /><br /></td></tr>
```

But if you want to remember someone, then they shouldn't have to login. You would need to store all your session values once logged in into the cookie. Then when they come back you would have to retrieve those values and put them back into your session.

Ray
DeanWhitehouse Posted April 24, 2008

So is how I'm doing it wrong, for the remember me feature? Can someone show me how to do it correctly?
craygo Posted April 24, 2008

Well not sure what you want to store in the cookie, but I would say maybe username, userid, encrypted password maybe or a value to say they are authenticated. I never really use cookies for login but know basic concept. I am going to call my cookie.. well cookie, you can call it whatever you like.

So after user submits their username and password to login

```php
<?php
session_start();
// Escape user input before it goes into the query
$username = mysql_real_escape_string($_POST['username']);
$pw = md5($_POST['password']); // if storing passwords as md5 hash (recommended)
// The posted query had no FROM clause; `users` is a placeholder table name
$sql = "SELECT id, username, password FROM users WHERE username = '$username' AND password = '$pw'";
$result = mysql_query($sql) or die(mysql_error());
$found = mysql_num_rows($result);
if($found != 0){
    $data = mysql_fetch_assoc($result);
    $cookie_data = array("u_id" => $data['id'], "u_name" => $data['username'], "u_pass" => $data['password']);
    $time = time()+60*60*24*30; // 30 days
    $error = 0;
    // Copy each value into the session and into a cookie[...] entry
    foreach($cookie_data as $k => $v){
        $_SESSION[$k] = $v;
        $set = setcookie("cookie[$k]",$v, $time);
        if(!$set){
            $error = 1;
        }
    }
    if($error != 0){
        echo "Could not set cookie Please allow cookies";
        echo "<META HTTP-EQUIV=\"Refresh\" content=\"1;url=index.php?do=page1\">"; // page to send them to if cookies cannot be set
    } else {
        echo "<META HTTP-EQUIV=\"Refresh\" content=\"1;url=index.php?do=page1\">"; // page to go to upon success
    }
} else {
    echo "Please check username and password";
}
?>
```

Now on the login page

```php
<?php
session_start();
if(isset($_COOKIE["cookie"])){
    foreach($_COOKIE["cookie"] as $key => $val){
        $_SESSION[$key] = $val;
    }
    // Cookie values are user input: escape them before building the query
    $id = mysql_real_escape_string($_SESSION['u_id']);
    $username = mysql_real_escape_string($_SESSION['u_name']);
    $pw = mysql_real_escape_string($_SESSION['u_pass']);
    // The posted query had no FROM clause; `users` is a placeholder table name
    $sql = "SELECT id, username, password FROM users WHERE username = '$username' AND password = '$pw' AND id = '$id'";
    $result = mysql_query($sql) or die(mysql_error());
    $found = mysql_num_rows($result);
    if($found != 0){
        header('Location:login.php');
    } else {
        header('Location:index.php');
    }
} else {
    header('Location:login.php'); // send to login page
}
?>
```

As I said, I have not used this, just put something together. Hopefully no mistakes.

Ray
haku Posted April 24, 2008

Storing a password (even hashed or encrypted) in a cookie is VERY unsecure. Anyone can come along and copy that password, and use it on another machine.
DeanWhitehouse Posted April 24, 2008

Well, I am using sessions for them logged in, but I thought cookies are the only way to have a remember me feature.
craygo Posted April 24, 2008

That is what I figured. Let me ask you this, sites like this, forums and such, keep you logged in. How do they do it? I notice the cookie for this site holds a sessionID, do they store a cookie with the session id then when you come to this page, the cookie grabs the session which holds your userinfo? I always thought the session gets destroyed when you leave the site?

Ray
haku Posted April 24, 2008

They are, but it's still extremely insecure (for your users, not really for you). Someone can just copy the cookie and put it on another machine, and they are then able to log into the site under the original user's name.
DeanWhitehouse Posted April 24, 2008

I thought sessions time out after a little while, but if you leave my site and then go back on, you are still logged in. Is this because I left the site for only a minute, or because the cookie stayed stored?