Help with PHP Cookie Authentication


PPowerHouseK


Hello all,

I am extremely new to PHP; I just started learning it this week. I am trying to make a secure login page that uses cookies for authentication. The problem I am having is that I cannot seem to get it to detect or read the set cookie properly. I want it to detect if it's the correct username in the cookie and if so, allow them to see the page, and if not, then return to the login screen.

The login screen is login.html, which directs the person to the PHP script login.php. That should in turn show them a message page and some short info, as well as a link to their control panel (index.php). The problem is that even if I skip the login I can still reach the control panel (index.php) with or without the cookie.

Here is my code (please be gentle, this is my first week with PHP):

 

login.html:

<html>
<head>
<Title>Admin Login</Title>
</head>
<body>
<center>
<br>
<br>
<br>
<br>
<img src="pk.png">
<form action="login.php" method="post">
<br>
Username: <input type="text" name="username" /><br>
Password:  <input type="text" name="password" /><br>
<input type="submit" value="Login" />
</form>
</center>





</body>
</html>

 

login.php:

<?php

// Print a cookie
//echo $_COOKIE["auth"];

// A way to view all cookies
//print_r($_COOKIE);

//global $verified;

$verified=NULL;
global $cookie;
$cookie=$HTTP_COOKIE_VARS['auth'];

if($_COOKIE["auth"] = "Verified_Power" )
{
echo "You have been verified as PowerHouse. <br><br>";
$verified="TRUE";
}
else if($_COOKIE["auth"] = "Verified_Thor")
{
echo "it's actually thor!<br><br>";
$verified="FALSE";
}
else
{
echo "Bad Chookie";
$verified="FALSE";
exit();
}


?>
<html>
<head>

<Title>Login Info</Title>
</head>
<body>
<center>
<img src="pk.png">
<br>
<br>
<br>
Hello <?php echo($username); ?>!<br />


<?php //header("Cache-Control:no-cache");






$msgfile = "messages.txt";
$msgf = fopen( $msgfile, "r");
$msgsize = filesize( $msgfile );
if( $msgsize <= 0)
{
$msg=NULL;
}
else
{
$msg = fread( $msgf, $msgsize);
fclose($msgf);
}



If( $username == "PowerHouse" )
{
If( $password == "test")
	{
	//read logon file
	$powerlogfile="Admin_Checkin/logs/powerlogon.txt";
	$logfile = fopen( $powerlogfile, "r");
	$logfilesize = filesize ( $powerlogfile );
	$logcountpower = fread( $logfile, $logfilesize );
	$logcountpower++;
	fclose($logfile);
	//open file for writing
	$logfile = fopen($powerlogfile, "w");
	fwrite( $logfile, $logcountpower);

	fclose($logfile);
	echo("You are logged in. <br><br>");
	echo("It is you master! <br><br>");
	if( $msg == NULL )
		{
			echo("No New Messages<br><br><br>");
		}
	else
		{
			echo("You have a message: <br>");
			echo "$msg <br><br><br>";
		}

	echo "Click <a href='" . "/Admin_Checkin/14795" . "'>Here</a> To access your control panel.<br><br><br>";  
	echo "You have logged in $logcountpower times.";

	//open logfile to write to 
			$logfile=fopen("Admin_Checkin/logs/powerlog.html", "a");
			//write the time of access
			$time=date("H:i:s: dS F");
			fwrite($logfile, "<b>Time of access:</b> $time<br>");
			//write users ip
			if( $REMOTE_ADDR != NULL )
				{
				fwrite($logfile, "<b>IP Address:</b> $REMOTE_ADDR <br>");
				}
			//write users forwarding url
			if( $HTTP_REFERER != NULL)
				{
				fwrite($logfile, "<b>Referer:</b> $HTTP_REFERER <br>");
				}
			//write users browser info
			fwrite($logfile, "<b>Browser Info:</b> $HTTP_USER_AGENT <hr><br>");

			setcookie("auth","Verified_Power", time()+3600);
			//header("Location:login.php"); exit();

			//setcookie('login', $_REQUEST['username'].','.md5($_REQUEST['username'].$secret_word));




	}
else if( $password != "test" )
	{
	$pwfail++;
	echo("<hr>You have entered the wrong password, PowerHouse. <br>");
	}
}
else if($username == "ThorSummoner")
	{
		If( $password == "test")
		{
			//read logon file
			$thorlogfile="Admin_Checkin/logs/thorlogon.txt";
			$logfile = fopen( $thorlogfile, "r");
			$logfilesize = filesize ( $thorlogfile );
			$logcountthor = fread( $logfile, $logfilesize );
			$logcountthor++;
			fclose($logfile);
			//open file for writing
			$logfile = fopen($thorlogfile, "w");
			fwrite( $logfile, $logcountthor);

			fclose($logfile);
			echo("You are logged in. <br><br>");
			echo("This is the Admin Portal Welcome Screen. <br><br>");
			if( $logcountthor == 1)
				{
					echo "This is your first visit, yay! <br><br>";
				}
			//echo "$msg <br> <br>";

			if( $msg == NULL )
				{
					echo("No New Messages<br><br><br>");

				}
			else
				{
					echo("You have a message: <br>");
					echo "$msg <br><br><br>";
				}

			echo "Click <a href='" . "/Admin_Checkin/atfg4gc" . "'>Here</a> To access your control panel.<br><br><br>";  
			echo "You have logged in $logcountthor times.";

			//open logfile to write to 
			$logfile=fopen("Admin_Checkin/logs/thorlog.html", "a");
			//write the time of access
			$time=date("H:i:s: dS F");
			fwrite($logfile, "<b>Time of access:</b> $time<br>");
			//write users ip
			if( $REMOTE_ADDR != NULL )
				{
				fwrite($logfile, "<b>IP Address:</b> $REMOTE_ADDR <br>");
				}
			//write users forwarding url
			if( $HTTP_REFERER != NULL)
				{
				fwrite($logfile, "<b>Referer:</b> $HTTP_REFERER <br>");
				}
			//write users browser info
			fwrite($logfile, "<b>Browser Info:</b> $HTTP_USER_AGENT <hr><br>");

			setcookie("auth","Verified_Thor", time()+3600);

		}
		else if( $password != "test" )
		{
			$pwfail++;
			echo("You have entered the wrong password, ThorSummoner. <br>");
		}

	}
	else if($username !== "PowerHouse" && $username !=="ThorSummoner")
	{	
	echo("Who are you?");
	}




?>
</center>
</body>
</html>

 

index.php

<?php


global $verified;
echo ($verified);

If( $verified == "TRUE" )
{
echo "You are verified";
}
else if( $verified != "TRUE" )
{
echo "You should not be here";
}
else if( $verified = NULL )
{
echo "Nulled out";
}
$cookie=$HTTP_COOKIE_VARS['auth'];

If( $cookie != "Verified_Power")
{
echo "No Cookie, or not correct cookie";
}

// A way to view all cookies
//print_r($_COOKIE);


?>
<html>
<head>
<Title>Power's Control Panel
</Title>
</head>
<body>
This is my control panel <BR>

test<br>
</body>
</html>

 

Any help would be greatly appreciated! Remember I am new so I am sure my code is poorly written. Please be polite.

 

 


This is a great post for all of the beginners in PHP to learn from.

To sum it all up in a few words first: NEVER USE A COOKIE TO VALIDATE A USER.

Why? Because the end-user can easily edit the cookies on their computer, and therefore tamper with your website without authorization.

Cookies should only be used to register how long a user wants to be logged in.

Because of this I'm not going to comment on and correct your code, but instead guide you onto the right path: SESSION.

When a user logs in on your website, make a session that registers that the user is logged in.

Google "PHP SESSION tutorial" and you will find a lot of interesting information to read in bed.

Good luck, and if you wonder about anything else, don't be afraid to PM.
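
The session approach the reply points to, as an added example that is not part of the original thread or either poster's code: the login state lives in `$_SESSION` on the server, so the browser never holds a value like `Verified_Power`, and the guard stops the script when no login is recorded. The file name `auth.php`, the functions `attempt_login()` and `require_login()`, and the sample password are assumptions made for illustration.

```php
<?php
// auth.php (hypothetical name): included at the top of login.php and index.php.

// The session cookie carries only a random id; 'secure' requires the site to run over HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start();

// Constructed sample account. A real site stores password_hash() output
// in a database instead of comparing against a literal in the script.
function user_table(): array {
    static $users = null;
    return $users ??= [
        'PowerHouse' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
    ];
}

// Check the submitted credentials; on success record the identity server-side.
function attempt_login(string $username, string $password): bool {
    $hash = user_table()[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);    // fresh session id after login (prevents fixation)
    $_SESSION['user'] = $username;  // stored on the server, not editable by the client
    return true;
}

// Call before any output on every protected page.
function require_login(): string {
    if (!isset($_SESSION['user'])) {
        header('Location: login.html');
        exit;                       // without exit the protected page would still render
    }
    return $_SESSION['user'];
}

// login.php (form values come from $_POST, not from bare $username/$password):
//   $u = (string)($_POST['username'] ?? '');
//   $p = (string)($_POST['password'] ?? '');
//   if (!attempt_login($u, $p)) { http_response_code(401); exit('Login failed'); }
//
// index.php:
//   require 'auth.php';
//   $user = require_login();
//   echo 'Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```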
