How to send Cookies


chrispos

Hi All,

 

I have a simple question. I have built login control panels and have always used the session id to follow through: getting the username and password from the database and then checking on each page that the user and password match, using the session id held in a temp database. I have been informed that this is not as secure as I once thought. I am looking at using cookies and have found the code for how to set up and delete a cookie.

 

The simple question is this: how do you pass the cookie to another page once you are logged in and retain it until you have logged out? For example, the user clicks on a button once logged in, goes to a page where they need to insert new details or update some information, and then returns to the main control panel.

 

Any help would be great, and if not, have a great day, even if it is raining as it is in England.

Link to comment
Share on other sites

Hi, you asked for the code so here it is. The first is the login.php page with captcha. You store the captcha info in the database. In this case it is 10 different images with numbers and letters but called 1.jpg etc.

<?php
$pictures = array ('1','2','3','4','5','6','7','8','9');
shuffle($pictures);
for ( $i = 0; $i < 1; $i++ )
{
$image = "<img src='$pictures[$i].jpg'>";
$pic = "$pictures[$i]";
}
?>

Next are 2 standard form boxes, username and password; then put this.

 

<?php
  echo "$image<br>";
  ?>

Next add this:

<input name="capatcha1" type="text" id="capatcha1" size="10" />
            <input name="capatcha" type="hidden" id="capatcha" value="<?php echo $pic; ?>" />

 

This is the login page.

 

Next is the login1.php page. This checks for the username and password and checks to see if the captcha is correct.

 

session_start();
$session = session_id();
$capatcha = $_POST['capatcha'];
$capatcha1 = $_POST['capatcha1'];
$username = $_POST['username'];
$password = $_POST['password'];

include 'config.php';

$query = "SELECT * FROM `code` WHERE `code` = '$capatcha1'";
$result = mysql_query($query) or die (mysql_error());
if (mysql_num_rows($result)>0){
while($row = mysql_fetch_row($result)){
$capid = $row[0];
$code = $row[1];
}
}

$query = "SELECT * FROM `admin` WHERE `username` = '$username' AND `password` = '$password'";
$result = mysql_query($query) or die (mysql_error());
if (mysql_num_rows($result)>0){ 
while ($row = mysql_fetch_row($result)) {
$sid=$row[0];
$username1=$row[1];
$password1=$row[2];
}
}

 

The table called code has the captcha info, i.e. id and image id (this is the .jpg name, i.e. 1.jpg, 2.jpg etc.). The tracking insert takes the session id with the username and password and puts it into a table called tracking. This will be used on the edit, insert pages etc.

 

if ($code == $capatcha1 && $username == $username1 && $password == $password1)
	{
	include 'config.php';
$query = "INSERT INTO `tracking`(`sid`,`username`,`password`,`date`) VALUES ('$session','$username','$password',NOW())";
$result = mysql_query($query) or die (mysql_error());
	include("./control.php");
	}
	elseif($code != $capatcha1)
	{
	echo'<a href="login.php">The sum you entered was wrong click here to return to your login page</a>';
	}
	else
	{
	echo'<a href="login.php">The username and passwords did not match click here to return to your login page</a>';
	}

 

Control is a page that has links to, say, edit a section or insert a new bit of info etc. Each one has a link with the id as follows.

 

echo'<a href="insert-excursion.php?id=' . "$session" . '">Click here to insert a new excursion theatre trip</a>';

 

At the top of each next page put this:

session_start();
$session = session_id();
$id = $_GET['id'];
include 'config.php';


$query = "SELECT * FROM `tracking` WHERE `sid` = '$id'";
$result = mysql_query($query) or die (mysql_error());
if (mysql_num_rows($result)>0){ 
while ($row = mysql_fetch_row($result)) {
$trid=$row[0];
$sid=$row[1];
$username=$row[2];
$password=$row[3];
$tdate=$row[4];
}
}
$query = "SELECT * FROM `admin` WHERE `username` = '$username' AND `password` = '$password'";
$result = mysql_query($query) or die (mysql_error());
if (mysql_num_rows($result)>0){ 
while ($row = mysql_fetch_row($result)) {
$aid=$row[0];
$user=$row[1];
$pass=$row[2];
}
}

 

You can then run the code to see if they are real or not; put it in divs or tables as you require.

 

 

if ($username == $user && $password == $pass)
	{
	include("./control.php");
	}
	else
	{
	echo'<a href="login.php">Your id is not matched in the database click here to return to your login page</a>';
	}
	?></td>
        <td width="580" class="Text"><?php
	if ($username == $user && $password == $pass)
	{
    include("./edit-breaks.php");
	}
	else
	{
	echo'<a href="login.php">Your id is not matched in the database click here to return to your login page</a>';
	}

 

The edit page has the edit details and control is the links page as shown above. If you need to do a form for the edit page put a hidden field in this with

<input name="id" type="hidden" id="id" value="<?php echo $session; ?>" />

 

That is it, to be honest. You are checking username, password, captcha and session id, and if they do not match they cannot have access to each page.

 

 

 

 

 

Link to comment
Share on other sites

The simple question is this: how do you pass the cookie to another page once you are logged in and retain it until you have logged out

 

If you're wanting to implement that because of security concerns, don't. Storing the information in a session is much more secure (as the user cannot edit it). The majority of auth systems work by storing the user id in a session.

 

Your login page should check the username, password and captcha (which it does, I think). If that information matches a user in the database, then set a session of their user id.

 

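session_start();
if ($loginValid) // $loginValid is a placeholder: captcha, username, password are all valid
{
  $_SESSION['user_id'] = $row['user_id']; // user id taken from database ($row is a placeholder for the fetched row)
}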

 

$user_id = $_SESSION['user_id'];
$q = mysql_query("SELECT * FROM admin WHERE user_id = '$user_id'"); //limit 1 etc..

//mysql_fetch_array on $q, you then have the current user's information

 

Link to comment
Share on other sites

Also, your code is not secure. It is vulnerable to SQL injections. Every time you assign a variable to the value of the $_POST array, wrap the post value in mysql_real_escape_string().

 

e.g.

 

$capatcha = $_POST['capatcha'];

 

to

 

$capatcha = mysql_real_escape_string($_POST['capatcha']);

Link to comment
Share on other sites
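
What the last two replies describe, put together as an added example (not code from the thread or its posters): the login stores only the user id in `$_SESSION`, and every query uses a PDO prepared statement in place of `mysql_real_escape_string()`, since the `mysql_*` functions were removed in PHP 7. The table layout, sample account, function names, in-memory SQLite database and the use of `password_hash()` are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Table layout, sample account and
// function names are constructed; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)')
   ->execute(['chris', password_hash('correct horse', PASSWORD_DEFAULT)]);

// login1.php: check the credentials, then remember only the user id.
function login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT user_id, password_hash FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new session id at login, so a pre-login id is useless
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

// Top of every protected page: nothing passed in the URL, no password stored or re-checked.
function current_user(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, username FROM admin WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

session_start();   // PHP sends and reads the session cookie itself on each request
$results = [
    'quote-laden username'   => login($db, "' OR '1'='1", 'x'),
    'wrong password'         => login($db, 'chris', 'wrong'),
    'user before login'      => current_user($db),
    'correct login'          => login($db, 'chris', 'correct horse'),
    'user after login'       => current_user($db)['username'] ?? null,
];
var_dump($results);
```

Logging out is then `$_SESSION = []; session_destroy();`, after which `current_user()` returns null on every page.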

Archived

This topic is now archived and is closed to further replies.
