problem with cookies and login form

[scarhand]

my code:

 

if (isset($_POST['login']))
{
  $login_username = trim(mysql_real_escape_string($_POST['username']));
  $login_password = md5(trim(mysql_real_escape_string($_POST['password'])));
  
  $sql_login = mysql_query("select * from users where username='$login_username' and password='$login_password'");
  
  if (mysql_num_rows($sql_login) != 0)
  {  
    setcookie('username', $login_username, time() + (365 * 24 * 60 * 60));
    setcookie('password', $login_password, time() + (365 * 24 * 60 * 60));
  }
  else
  {
    $error_login = 'Invalid username and/or password entered.';
  }
}

if (isset($_COOKIE['username']) && isset($_COOKIE['password']))
{
  $cookie_username = mysql_real_escape_string($_COOKIE['username']);
  $cookie_password = mysql_real_escape_string($_COOKIE['password']);

  $sql_cookie = mysql_query("select * from users where username='$cookie_username' and password='$cookie_password'");

  if (mysql_num_rows($sql_cookie) != 0)
  {
    while ($row = mysql_fetch_assoc($sql_cookie))
    {
      foreach ($row as $k => $v)
        ${'user_'.$k} = $v;
    }
  
    $logged_in = true;
  }
}

 

the problem is, after i click the login button, i have to refresh the page in order for the $logged_in variable to be set to true.

 

so its as if the cookies are not being set until the entire script executes.

[RussellReal]

do you do an else if the cookie isn't set.. then after elseif set the cookie.. that wou.d be why I can't exactly say for sure since any output would diminish your accessibility to your users' cookies. set the cookie at the top of the page.. not at the bottom

[scarhand]

Yeah but then they will still have to refresh the page for $logged_in to be = true.

 

By the way, the code above is at the very top of all other code.

[RussellReal]

if its at the very top just set your logged in value to true..  I don't see the problem.. and ANYWAY you shouldn't leave your user on the same page as you posted to.. header("Location: whatever...");.. move them, back to the same page.. for all that matters.. aslong as if they press refresh they don't resend all the post information..

 

AND you should never set a cookie with your user's password in it..

 

also look into sessions, they're better for this cookies should be used for like.. nothing lolz. realistically though cookies really have no use whatsoever except maybe for php to asp communications or something.. but I still see no purpose.

 

^^ take that back actually.. I use a cookie to dynamically store user prefered titles for my users for my site.. but still that could be done with a session

[scarhand]

if its at the very top just set your logged in value to true..  I don't see the problem.. and ANYWAY you shouldn't leave your user on the same page as you posted to.. header("Location: whatever...");.. move them, back to the same page.. for all that matters.. aslong as if they press refresh they don't resend all the post information..

 

AND you should never set a cookie with your user's password in it..

 

also look into sessions, they're better for this cookies should be used for like.. nothing lol. realistically though cookies really have no use whatsoever except maybe for php to asp communications or something.. but I still see no purpose.

 

^^ take that back actually.. I use a cookie to dynamically store user prefered titles for my users for my site.. but still that could be done with a session

 

The password is md5'd.

 

I also use:

 

if ($logged_in)

header("Location: (url)");

 

Just below that cookie code.