DeanWhitehouse Posted April 26, 2008

I don't know if I used cookies properly in this, can someone check please? Also, can someone explain why the bottom bit in the form isn't working, where I have the echo in the form?

<?php
session_start();
/*Random Game Design: PHP Website Template/CMS Version 1 Copyright Dean Whitehouse, 2008*/
if (isset($_GET['logout'])) {
    //setcookie("cookname", $_SESSION['username'], time() - 3600, "/");
    //setcookie("cookpass", $_SESSION['user_password'], time() - 3600, "/");
    session_unset();
    session_destroy();
}
if ($_SESSION['is_valid'] == true) {
    if ($_SESSION['user_level'] == 2) {
?>
<table class='logged_in'><tr><td>
<p>Welcome, <br><?php echo $_SESSION['id_username']; ?>
<br><a href='user_profile.php?id=<?php echo $_SESSION['user_id']; ?>'>User Profile</a><br>
<a href='user_setting.php'>Settings</a><br>
<a href="<?php print $_SERVER["PHP_SELF"]; ?>?logout=true">Logout</a><br />
</td></tr><tr><td>Logged In</td></tr></table></p>
<?php
    }
    if ($_SESSION['user_level'] == 1) {
?>
<table class='logged_in'><tr><td>
<p>Welcome, <?php echo $_SESSION['id_username']; ?>
<br><a href='user_profile.php?id=<?php echo $_SESSION['user_id']; ?>'>User Profile</a><br>
<a href='user_setting.php'>Settings</a><br>
<a href='admin_centre.php'>Admin Area</a><br>
<a href="<?php print $_SERVER["PHP_SELF"]; ?>?logout=true">Logout</a><br />
</td></tr><tr><td>Logged In</td></tr></table></p>
<?php
    }
} else {
    require_once 'includes/db_connect.php';
    if ($_SESSION['is_valid'] == false) {
        if (isset($_POST['login'])) {
            $user_name = $_POST["user_name"];
            $user_password = $_POST["user_password"];
            $cookiename = forumcookie;
            $verify_username = strlen($user_name);
            $verify_pass = strlen($user_password);
            if ($verify_pass > 0 && $verify_username > 0) {
                $userPswd = md5($user_password);
                $userpwsd = sha1($userPswd);
                $sql = "SELECT * FROM `$user` WHERE user_name='$user_name' AND user_password='$userpwsd' LIMIT 1;";
                $result = mysql_query($sql) or die(mysql_error(). " in $sql");
                if (mysql_num_rows($result) == 1) {
                    $row = mysql_fetch_assoc($result);
                    $user_level = $row['userlevel'];
                    if ($user_level == 1) {
                        $login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '$_GET[u]' AND user_password = '$_GET[p]'"));
                        $userright = array($login_check['user_name'], $login_check['userlevel']);
                        $s_userpass = serialize($userpass);
                        $_SESSION['id_username'] = $row['user_name'];
                        $_SESSION['id_user_password'] = $row['user_password'];
                        $_SESSION['user_level'] = $row['userlevel'];
                        $_SESSION['user_id'] = $row['user_id'];
                        header("Location:http://".$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI]);
                        $_SESSION['is_valid'] = true;
                        if(isset($_POST['remember'])) {
                            setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
                            setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
                        }
                    } elseif ($user_level == 2){
                        $login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '$_GET[u]' AND user_password = '$_GET[p]'"));
                        $userright = array($login_check['user_name'], $login_check['userlevel']);
                        $s_userpass = serialize($userpass);
                        $_SESSION['id_username'] = $row['user_name'];
                        $_SESSION['id_user_password'] = $row['user_password'];
                        $_SESSION['user_level'] = $row['userlevel'];
                        $_SESSION['user_id'] = $row['user_id'];
                        header("Location:http://".$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI]);
                        $_SESSION['is_valid'] = true;
                        //change the session variable name to what you want, just remember it for all files
                        if(isset($_POST['remember'])){
                            setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
                            setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
                        }
                    }
                } else{
                    echo "Login failed. Username and Password did not match database entries.";
                }
            } else {
                echo "Form was not completed. Please go back and make sure that the form was fully completed.";
            }
        }
        $server = str_replace("?logout=true","",$_SERVER['PHP_SELF']);
?>
<table bgcolor='#999999' align='right'><form action=" <?php echo $server ?> " method='POST'>
<tr><td>Username: </td><td><input type='text' name='user_name' value="<?php echo $_COOKIE["cookname"]; ?>" /><br /></td></tr>
<tr><td>Password:</td><td> <input type='password' name='user_password' /><br /></td></tr>
<tr><td><input type="hidden" name="login" value="true"><input type="submit" value="Submit"></td></tr>
<tr><td><input type="checkbox" value="1" name="remember"> Remember Me </td></tr><tr><td><a href="register.php">[Register]</a></td></tr><tr><td><a href="forgot_password.php">[Forgot Password?]</a></td></tr></table>
</form>
<?php
        mysql_close();
    } else {
        header("Location:http://".$_SERVER[HTTP_HOST]);
    }
}
?>
Fadion Posted April 27, 2008

setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");

The syntax is okay. The fourth parameter "path" isn't needed I guess, even if you have your site in root, or in specific directory, it will work without that but for the second it will be available to the entire domain. I'd suggest you clean post (and get) data with htmlentities() and mysql_real_escape_string() before using it in db queries. The other part of the code is too long for me.
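The login lookup from the first post with the values bound as parameters instead of interpolated into the SQL string, as an added example that is not code from the thread. It swaps the mysql_* functions for PDO prepared statements and the md5/sha1 chain for password_hash()/password_verify(); the in-memory SQLite table, the function name check_login and the sample account are constructed for the demonstration.

```php
<?php
// Added example: constructed table and account, not the poster's schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    user_id INTEGER PRIMARY KEY,
    user_name TEXT UNIQUE,
    user_password TEXT,
    userlevel INTEGER
)');
$insert = $pdo->prepare(
    'INSERT INTO users (user_name, user_password, userlevel) VALUES (?, ?, ?)'
);
$insert->execute(['dean', password_hash('correct horse', PASSWORD_DEFAULT), 2]);

/**
 * Returns the user row on success, or null on any failure.
 * The user name reaches the database only as a bound parameter.
 */
function check_login(PDO $pdo, string $userName, string $password): ?array
{
    if ($userName === '' || $password === '') {
        return null;                      // form not completed
    }
    $stmt = $pdo->prepare(
        'SELECT user_id, user_name, user_password, userlevel
           FROM users WHERE user_name = :name LIMIT 1'
    );
    $stmt->execute([':name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;                      // same answer for bad name or bad password
    }
    unset($row['user_password']);         // keep the hash out of the session
    return $row;
}

var_dump(check_login($pdo, 'dean', 'correct horse'));   // matching credentials
var_dump(check_login($pdo, 'dean', 'wrong'));           // wrong password
var_dump(check_login($pdo, "o'neil", 'x'));             // the quote stays data
```

htmlentities() or htmlspecialchars() belongs at the point where a value is written into HTML, not in front of the query; bound parameters take over the job of mysql_real_escape_string().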
DeanWhitehouse Posted April 27, 2008 Author

OK, thanks, the only thing is that I can't tell if this is working, as I always remain logged in anyway.
Fadion Posted April 27, 2008

Delete cookies or close the browser window for sessions.
DeanWhitehouse Posted April 27, 2008 Author

Is this part OK? Because it doesn't show, am I doing it right?

<tr><td>Username: </td><td><input type='text' name='user_name' value="<?php echo $_COOKIE["cookname"]; ?>" /><br /></td></tr>
</form>
Fadion Posted April 27, 2008

Yes, you have it alright. Be sure to have the correct cookie name and that the cookie is set.
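A remember-me cookie that holds only the user name, with the value escaped when it is written back into the form, as an added example that is not code from the thread. It reuses the posted cookie name cookname; in the first post the login code fills $_SESSION['id_username'] while its setcookie() calls read $_SESSION['username'], so the value to pass here is the former. The helper names and the 64-byte limit are assumptions, and the options-array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example; the helper names and the 64-byte limit are assumptions.

/** Store the user name (never the password or its hash) for 100 days. */
function remember_username(string $userName): bool
{
    // Must run before any output, like every header-setting call.
    return setcookie('cookname', $userName, [
        'expires'  => time() + 60 * 60 * 24 * 100,
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

/** Expire the cookie on logout; the path must match the one used to set it. */
function forget_username(): bool
{
    return setcookie('cookname', '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Cookie value made safe for an HTML attribute; '' if absent or malformed. */
function remembered_username_attr(array $cookies): string
{
    $value = $cookies['cookname'] ?? '';
    if (!is_string($value) || strlen($value) > 64) {
        return '';              // cookies are client-controlled input
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed cookie arrays standing in for $_COOKIE:
foreach ([['cookname' => 'dean'], ['cookname' => 'dean "the admin"'], []] as $cookies) {
    echo '<input type="text" name="user_name" value="',
         remembered_username_attr($cookies), '" />', "\n";
}
```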
DeanWhitehouse Posted April 27, 2008 Author

OK, thanks.