Jump to content

Recommended Posts

Hello.

 

I am cobbling together a new site that requires user id and password for access using cookies.

 

I have also included a simple visitor log that records user id, ip address, page visited and time of visit.

 

I have included a cookie/password check in the first line of each page - so a visitor should not be able to view a page without having logged in.

 

The problem is I keep getting the occasional visitor log where the ip address, page and time are recorded - but the user id is not recorded.

 

I have tried to visit the pages in question without logging in - and I can't view the page. It sends me back to the login page as it is designed to do.

 

This isn't a website that requires payment or where any great secrets are held - so there isn't really any reason to be hacking it. However, I am wondering if it is something silly I have done or could it be someone being clever?

 

Any ideas?

Hi Neil. Thanks for the reply.

 

sessions v cookies - why is that? I was reading up on that topic and it seemed to suggest that sessions should be used to store data for a single visit, whereas cookies were suitable for situations where data is to be stored for multiple visits. That is why I thought I would use cookies to store user id and p/w - so that the visitor didn't have to log in again if they navigated away and then came back to the site.

 

I will post my code if the problem persists. I fear it may be something embarrassing.

 

Thanks again.

Use a cookie to store a piece of data that would keep a user logged in for a period of time i.e. 3 days. Do not store usernames / passwords in cookies!

 

If there is a login to your website set session values after successful login.

i.e.

session_start()
// login was successful
$_SESSION['userId'] = "123";

Then on pages where you must be logged in

session_start()
if(!is_numeric($_SESSION['userId'])) {
// redirect to login
header("Location:login.php");
exit();
}

 

You can set a value in a cookie to identify the user and log them in on a return visit. Cookies are just text files on the users computer. If you store a password in a cookie then anybody using that computer could read it.

To answer why you would use sessions to store user data over a cookie is that session files are stored on the server. Thus you have to authenticate to that sessionid in order to retrieve that data. With Cookies anyone can potentially steal the cookie with a trojan or spyware and use that to authenticate to the site and viola they have all your information.

 

So it is generally better to store the data on the server, where it is less likely to be hacked etc. But as neil suggested, cookies should be used to provide a means of authenticating a user and then you can store the user data in session for that session.

  • 3 months later...

OK. Sorry it has been a while, but I have only just got around to sorting out the use of sessions versus cookies as suggested above. However, my original problem remains. i.e. I keep getting "anonymous" logged visits.

 

If someone wants to enter the members area they must first log in. The credentials (email and password) are verified against the database and then the session is started using the code below.

// if login is ok then we start session
session_start();
session_register("username");
session_register("pw");
$_SESSION['username'] = $email;
$_SESSION['pw'] = $pass;
$sessionid = session_id();
setcookie("kranji4", $sessionid, 0);
//then redirect them to the members area
header("Location: member.php");

 

Then, I have this script at the top of each members page to verify the login

<?php
//place this script at the top of each "members only" page
session_start();
//checks cookies to make sure they are logged in
if(isset($_COOKIE['kranji4']))
{
$email = $_SESSION['username'];
$password = $_SESSION['pw'];
$check = mysql_query("SELECT * FROM members WHERE email = '$email'")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());

while($info = mysql_fetch_array( $check ))
{
//if the cookie has the wrong password, they are taken to the login page
if ($password != $info['password'])
{ 
header("Location: index.php");
}
}
}
//if the cookie does not exist, they are taken to the login screen
else
{
header("Location: index.php");
}
?>

 

And this is the code to log the visit

 

//enter visit into log
$domain = mysql_real_escape_string(htmlentities($_SERVER['SERVER_NAME']));
$ip = $_SERVER["REMOTE_ADDR"];
$page = "Preview - $date";
$email = $_SESSION['username'];
//add details to log
$query = "
insert into
log
(email, domain, page, ip)
values
('$email', '$domain', '$page', '$ip')
";
$result = mysql_query($query) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());

 

As I was saying, the domain, page and ip details are always recorded without fail. However, the email is not always recorded.

 

Why is this?

 

thanks for your help.

 

The example code that neil.johnson posted above very specifically had an exit(); statement after the header() redirect. The code you just posted does not.

 

When you don't have an exit(); statement, the remainder of the code on the "protected" page is still executed, so a hacker or a search engine spider would only need to ignore the redirect and he would still have access to your "protected" pages.

PFMaBiSmAd,

Like this...?

//place this script at the top of each "members only" page
session_start();
//checks cookies to make sure they are logged in
if(isset($_COOKIE['kranji4']))
{
$email = $_SESSION['username'];
$password = $_SESSION['pw'];
$check = mysql_query("SELECT * FROM members WHERE email = '$email'")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());

while($info = mysql_fetch_array( $check ))
{
//if the cookie has the wrong password, they are taken to the login page
if ($password != $info['password'])
{ 
header("Location: index.php");
exit();
}
}
}
//if the cookie does not exist, they are taken to the login screen
else
{
header("Location: index.php");
exit();
}

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.