chrispos Posted February 13, 2011
Hi All, I have a simple question. I have built login control panels and have always used the session id to follow through: getting the username and password from the database and then checking on each page that the user and password match, using the session id held in a temp database. I have been informed that this is not as secure as I once thought. I am looking at using cookies and have found the code for how to set up and delete a cookie. The simple question is this: how do you pass the cookie to another page once you are logged in and retain it until you have logged out? For example, if the user clicks on a button once logged in to go to a page where they need to insert new details or update some information and then return to the main control panel. Any help would be great, and if not, have a great day even if it is raining as it is in England.
Link: https://forums.phpfreaks.com/topic/227515-how-to-send-cookies/
lastkarrde Posted February 13, 2011
Can you share your code? Cookies can be modified by the user whereas sessions cannot. Sessions are almost always more secure than cookies (depending on what you're doing, of course).
chrispos (Author) Posted February 13, 2011
Hi, no problem, I will put the code up later with the captcha. It works, but I was looking for the most secure system available.
chrispos (Author) Posted February 13, 2011
Hi, you asked for the code so here it is. The first is the login.php page with captcha. You store the captcha info in the database. In this case it is 10 different images with numbers and letters, but called 1.jpg etc.

```php
<?php
// Pick one captcha image at random; $pic is its number, $image the <img> tag.
$pictures = array('1', '2', '3', '4', '5', '6', '7', '8', '9');
shuffle($pictures);
for ($i = 0; $i < 1; $i++) {
    $image = "<img src='$pictures[$i].jpg'>";
    $pic   = "$pictures[$i]";
}
?>
```

The next is 2 standard form boxes, username and password, then put this:

```php
<?php echo "$image<br>"; ?>
```

Next add this:

```html
<input name="capatcha1" type="text" id="capatcha1" size="10" />
<input name="capatcha" type="hidden" id="capatcha" value="<?php echo $pic; ?>" />
```

This is the login page. Next is the login1.php page; this checks for username and password and checks to see if the captcha is correct.

```php
<?php
session_start();
$session   = session_id();
$capatcha  = $_POST['capatcha'];
$capatcha1 = $_POST['capatcha1'];
$username  = $_POST['username'];
$password  = $_POST['password'];
include 'config.php';

// Look up the typed captcha code in the `code` table.
$code = null;
$query  = "SELECT * FROM `code` WHERE `code` = '$capatcha1'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) > 0) {
    while ($row = mysql_fetch_row($result)) {
        $capid = $row[0];
        $code  = $row[1];
    }
}

// Look up the admin row matching the typed username and password.
$username1 = $password1 = null;
$query  = "SELECT * FROM `admin` WHERE `username` = '$username' AND `password` = '$password'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) > 0) {
    while ($row = mysql_fetch_row($result)) {
        $sid       = $row[0];
        $username1 = $row[1];
        $password1 = $row[2];
    }
}
```

The table called code has the captcha info, i.e. id and image id; this is the .jpg name, i.e. 1.jpg, 2.jpg etc. The tracking insert takes the session id with the username and password and puts it into a table called tracking. This will be used on the edit, insert pages etc.

```php
if ($code == $capatcha1 && $username == $username1 && $password == $password1) {
    include 'config.php';
    // Record the session id with the credentials for the other pages to check.
    $query  = "INSERT INTO `tracking` (`sid`, `username`, `password`, `date`) VALUES ('$session', '$username', '$password', NOW())";
    $result = mysql_query($query) or die(mysql_error());
    include("./control.php");
} elseif ($code != $capatcha1) {
    echo '<a href="login.php">The sum you entered was wrong click here to return to your login page</a>';
} else {
    echo '<a href="login.php">The username and passwords did not match click here to return to your login page</a>';
}
```

control is a page that has links to, say, edit a section or insert a new bit of info etc. Each one has a link with the id as follows:

```php
echo '<a href="insert-excursion.php?id=' . $session . '">Click here to insert a new excursion theatre trip</a>';
```

At the top of each next page put this:

```php
<?php
session_start();
$session = session_id();
$id = $_GET['id'];
include 'config.php';

// Fetch the credentials recorded against this session id at login.
$username = $password = null;
$query  = "SELECT * FROM `tracking` WHERE `sid` = '$id'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) > 0) {
    while ($row = mysql_fetch_row($result)) {
        $trid     = $row[0];
        $sid      = $row[1];
        $username = $row[2];
        $password = $row[3];
        $tdate    = $row[4];
    }
}

// Check those credentials still match an admin row.
$user = $pass = null;
$query  = "SELECT * FROM `admin` WHERE `username` = '$username' AND `password` = '$password'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) > 0) {
    while ($row = mysql_fetch_row($result)) {
        $aid  = $row[0];
        $user = $row[1];
        $pass = $row[2];
    }
}
```

You can then run the code to see if they are real or not; put it in divs or tables as you require.

```php
if ($username == $user && $password == $pass) {
    include("./control.php");
} else {
    echo '<a href="login.php">Your id is not matched in the database click here to return to your login page</a>';
}
?></td>
<td width="580" class="Text"><?php
if ($username == $user && $password == $pass) {
    include("./edit-breaks.php");
} else {
    echo '<a href="login.php">Your id is not matched in the database click here to return to your login page</a>';
}
```

The edit page has the edit details and control is the links page as shown above. If you need to do a form for the edit page, put a hidden field in this with id = $session. That is it; to be honest you are checking username, password, captcha and session id, and if they do not match they cannot have access to each page.
lastkarrde Posted February 13, 2011
"The simple question is this how do you pass the cookie to another page once you are logged in and retain it until you have logged out"
If you're wanting to implement that because of security concerns, don't. Storing the information in a session is much more secure (as the user cannot edit it). The majority of auth systems work by storing the user id in a session. Your login page should check the username, password and captcha (which it does, I think). If that information matches a user in the database, then set a session of their user id.

```php
if (/* captcha, username, password are all valid */) {
    $_SESSION['user_id'] = /* user id taken from database */;
}

// On each page:
$id = $_SESSION['user_id'];
$q = mysql_query("SELECT * FROM admin WHERE user_id = '$id'"); // limit 1 etc..
// mysql_fetch_array on $q, you then have the current user's information
```
lastkarrde Posted February 13, 2011
Also, your code is not secure. It is vulnerable to SQL injections. Every time you assign a variable to the value of the $_POST array, wrap the post value in mysql_real_escape_string(). E.g.

```php
$capatcha = $_POST['capatcha'];
```

to

```php
$capatcha = mysql_real_escape_string($_POST['capatcha']);
```
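The two replies above (store only the user id in the session; keep user input out of the SQL text) as a worked example. This is added code, not from the thread or its author: it uses PDO prepared statements, password_verify() and hash_equals() (PHP 7+), which postdate the thread's mysql_* code, and assumes an `admin` table with columns id, username and password_hash, a `$pdo` handle defined in config.php, and that login.php stored the expected captcha answer in $_SESSION['captcha'] when it rendered the image (instead of in a hidden field).

```php
<?php
// Added example, not the thread's code. Assumptions: `admin`(id, username,
// password_hash) where password_hash holds a password_hash() value, and
// config.php defines $pdo = new PDO(...). Form field names follow the thread.
session_start();
include 'config.php';

// login1.php: verify captcha, username and password, then keep only the user id.
function login(PDO $pdo, array $post, array &$session): bool
{
    // Expected captcha answer lives server-side in the session, never in the form.
    $captchaOk = isset($session['captcha'], $post['capatcha1'])
        && hash_equals((string) $session['captcha'], (string) $post['capatcha1']);
    unset($session['captcha']); // one attempt per rendered image

    // Prepared statement: the username is bound as data, not spliced into SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute([$post['username'] ?? '']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the salted hash; plaintext passwords are never stored.
    if (!$captchaOk || !$row || !password_verify($post['password'] ?? '', $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);       // fresh session id after login (anti-fixation)
    $session['user_id'] = (int) $row['id'];
    return true;
}

// Top of every protected page (control.php, edit-breaks.php, ...): no id in the
// URL or a tracking table; the session cookie alone identifies the user.
function requireLogin(PDO $pdo, array &$session): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM admin WHERE id = ? LIMIT 1');
    $stmt->execute([(int) ($session['user_id'] ?? 0)]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user) {                      // not logged in, or account removed since
        $session = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return $user;
}

// Usage in login1.php:
//   if (login($pdo, $_POST, $_SESSION)) { include './control.php'; } else { /* show login link */ }
// Usage at the top of edit-breaks.php:
//   $user = requireLogin($pdo, $_SESSION);
```

A logout page only needs `$_SESSION = []; session_destroy();`; the user id is never sent to the browser, so there is nothing for the client to tamper with.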
chrispos (Author) Posted February 13, 2011
Thanks for your help. I have just been working on the escape strings tonight, so I will be implementing them into the system.