Why doesnt this work?

[jamesbrauman]

Back again with troubles involving my login scripts.  :'( These are my functions for logging in/out/checking if a user is logged in.

 

In construct.php:

//Logs a user in.
function user_login($username, $md5password) {
	setcookie("username", $username, strtotime("+90 days"));
	setcookie("md5password", $md5password, strtotime("+90 days"));
}
//Logs a user out.
function user_logout() {
	session_destroy();
	setcookie("username", "", 1);
	setcookie("md5password", "", 1);
}
//Returns true if a user is logged in.
function user_loggedin() {
	$username = $_COOKIE['username'];
	$password = $_COOKIE['md5password'];
	if (empty($username) || empty($password))
		return false;
	$conn = mysql_connect("localhost", "****", "****");
	mysql_select_db("redbox_main", $conn);
	if (mysql_num_rows(mysql_query("SELECT * FROM members WHERE username='$username' AND md5password='$password'")) > 0) {
		//They are logged in.
		return true;
	} else {
		//They are not logged in.
		return false;
	}
}
//Returns the username of the logged in user.
function user_username() {
if (isset($_COOKIE['username']))
	return $_COOKIE['username'];
return "";
}

 

Its strange, this code is working (redirects me if I am logged in)...

<?php include "../construct.php"; 
//if already logged in redirect to homepage.
if (user_loggedin()) {
	header("Location: ../");
	exit();
}
connect_database();
?>

 

However this is not (it is always displaying the form for the condition 'not logged in'):

if (!user_loggedin()) {
echo "<form action=\"".$_SERVER['SCRIPT_NAME']."?".$_SERVER['QUERY_STRING']."#comments\" method=\"post\">";
echo "<table width=\"100%\">";
echo "<tr><td>Name:   <input type=\"text\" name=\"user_comment_name\"";if($captcha_wrong) {echo " value=\"".$_POST['user_comment_name']."\"";} echo "></td></tr><tr><td>Comment:</td></tr><tr><td colspan=\"2\"><textarea name=\"user_comment\">"; if($captcha_wrong) { echo $_POST['user_comment'];} echo "</textarea></td></tr>";
echo "<tr><td"; if ($captcha_wrong) {echo " class=\"red\"";} echo "> Image Verification: <span style=\"font-size: 80%\">Dont want to enter captcha text to comment? <a href=\"../members/registration.php\">Register. It's free.</a></span><BR><img src=\"../library/loadcaptcha.php\"></td></tr>";
echo "<tr><td"; if ($captcha_wrong) {echo " class=\"red\"";} echo ">Enter the letters exactly as you see them above.<BR>";
echo "<input type=\"text\" name=\"captcha\"></td></tr>";
echo "<tr><td colspan=\"2\"><input type=\"submit\" class=\"button\" value=\"Post comment\"></td></tr>";
echo "</table>";
echo "</form>";
}
if (user_loggedin()) {
echo "<form action=\"".$_SERVER['SCRIPT_NAME']."?".$_SERVER['QUERY_STRING']."#comments\" method=\"post\">";
echo "<table width=\"100%\">";
echo "<tr><td>Posting as <span style=\"color: #CC0000\">".user_username()."</span></td></tr><tr><td>Comment:</td></tr><tr><td colspan=\"2\"><textarea name=\"user_comment\"></textarea></td></tr>";
echo "<tr><td colspan=\"2\"><input type=\"submit\" class=\"button\" value=\"Post comment\"></td></tr>";
echo "</table>";
echo "</form>";	
}
echo "</div>";

 

Session_start is called in that last script btw, that is just a snippet.

 

Thanks 

[wildteen88]

Two problems, your code doesn't even appear to use sessions. Cookies have nothing to do with sessions.

The other problem is using cookies for storing the md5 hash of the user's password.

[jamesbrauman]

Two problems, your code doesn't even appear to use sessions. Cookies have nothing to do with sessions.

The other problem is using cookies for storing the md5 hash of the user's password.

 

Sorry this section of code does not use sessions I will edit that out.

 

What was wrong with cookies and md5 hash?

[wildteen88]

cookies are stored as plain text in the browsers cache. Most modern browsers allow users to view all cookies stored in the cache. You should never store personal data within cookies this is what sessions are for (as sessions are stored on the server).