User only links?

[melloorr]

Hey everyone, I'm relatively new to php and I have created a basic login page on my site. It checks whether someone is logged in by searching for a cookie.

 

But I am wondering if there is a simple way to display content an link to only people who are logged in, and show user specific content based on who is logged it (much like forums - but not as complicated, just simple)

 

Thank you and its very much appreciated

[RaythMistwalker]

If ($_COOKIE['COOKIE_NAME']) {
   Member Only Data Here
}

 

Most simplist way.

[MasterACE14]

need to use sessions, rather than only cookies.

 

basic example:

<?php 
session_start(); // start the session (needs to be at the top of each page(before output) that requires some kind of tracking, such as check user is logged in

$_SESSION['userid'] = $_POST['userid']; // this is how you would log in a user, use a form to submit their ID or whatever you uniquely identify them by

if(isset($_SESSION['userid'])) { // check they are logged in, if yes show the link and content
   echo "logged in";
} else {
  echo "not logged in"; // if not logged in, can redirect them to login page or something
}

?>

of course you need to add all the security as well.

 

You could simply do what RaythMistwalker mentioned:

If ($_COOKIE['COOKIE_NAME']) {
   Member Only Data Here
}

 

Most simplist way.

depends on what kind of content you're trying to hide from people that aren't suppose to be able to see it, cookies are easily manipulated.

[RaythMistwalker]

What I do is set a cookie which contains a uniqid() which is also stored in a database to that user so if the cookie is edited the user is logged out.

[seany123]

What I do is set a cookie which contains a uniqid() which is also stored in a database to that user so if the cookie is edited the user is logged out.

 

thats a very cool way of doing it which i had never thought of before, i might just implement into my site.

[melloorr]

Thanks for all the help. I am mainly using it so I can display the logout link if someone is logged in, and the login link if no-one is logged in, and also to show the logged in user their specific link (i.e. YouTube shows the link to my profile at the top of the page)

 

(Sorry if I have not explained it well)

 

This is the cookie code I have used:

$_POST['username'] = stripslashes($_POST['username']); 

	 $hour = time() + 3600; 

setcookie(ID_my_site, $_POST['username'], $hour); 

setcookie(Key_my_site, $_POST['pass'], $hour);	

 

Taken from here: http://php.about.com/od/finishedphp1/ss/php_login_code_5.htm

 

So how would I add a uniqid() ?

[PFMaBiSmAd]

If you goal is to log someone in for the duration of one visit to your site (one browser session), you would use a session variable to remember that they have logged in. If your goal is to remember that someone is logged in across multiple visits to your site, read this post - http://www.phpfreaks.com/forums/index.php?topic=346586.msg1635843#msg1635843

 

Storing the actual username and password in plain text in cookies has at least one major security problem (anyone with access to the computer or to the data packets going back and forth can see and get the actual password) and just testing for the existence of a cookie to treat someone as being logged in will allow anyone to become logged in because they can simply set a cookie with any value.

 

Storing a unique id, that you generate on the server (and regenerate as needed), in a cookie virtually eliminates the possibility that someone can generate a value that will match an actual user (it is still possible to intercept that value and impersonate an actual user, but that is a different problem.)

[RaythMistwalker]

What I do is set a cookie which contains a uniqid() which is also stored in a database to that user so if the cookie is edited the user is logged out.

 

thats a very cool way of doing it which i had never thought of before, i might just implement into my site.

^Also gives you the ability to log users out by simply removing it from the DB.

 

Now melloor,

Firstly, never save someones username/password in a cookie as cookies are easily intercepted and modified.

 

$_POST['username'] = stripslashes($_POST['username']); 

	 $hour = time() + 3600; 
         $Id = uniqid();

setcookie(ID_my_site, $Id, $hour); 

 

Just remember to save $Id in a database as well. My login table has:

user_id (unique user_id for different users. NEVER CHANGES)

username

password (hashed)

unique_id - Where i save the id which will then be checked against the cookie when a page is loaded

[melloorr]

Sorry for being needy, but...

 

How would I add this to my login script (whole login code is from the website I linked to in my last post)? I have added a column to my table called unique_id (correctly I think), but how would I go about adding a value to it when logging in and then adding the same value to the cookie, then deleting it when they log off?

[RaythMistwalker]

What do you have so far exactly?

[melloorr]

I have just copied what is in this tutorial: http://php.about.com/od/finishedphp1/ss/php_login_code.htm

[RaythMistwalker]

Well you have the setcookie stuff already, so all you really have to do is take what I had before and so it'd be this:

 

$Username = stripslashes($_POST['username']); 

	 $hour = time() + 3600; 
         $Id = uniqid();
$InsertQry = "UPDATE tablename SET unique_id='{$Id}' WHERE username='{$Username}'";
setcookie(ID_my_site, $Id, $hour); 

[melloorr]

I still need help 

 

Would I need to replace the old cookie code for the new one, so it does not check for a password?

 

And

 

How would I go about checking the cookie to check they are logged in? This is the code that checks:

//checks cookies to make sure they are logged in 

if(isset($_COOKIE['ID_my_site'])) 

{ 

	$username = $_COOKIE['ID_my_site']; 

	$pass = $_COOKIE['Key_my_site']; 

	 	$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error()); 

	while($info = mysql_fetch_array( $check )) 	

 

It checks the password, but if you replace the old cookie code, then there is no password to check

[RaythMistwalker]

//checks cookies to make sure they are logged in 

if(isset($_COOKIE['ID_my_site']))  { 

	$cookie = $_COOKIE['ID_my_site']
        $check = mysql_query("SELECT * FROM users WHERE unique_id='{$cookie}'")or die(mysql_error()); 
        If ($check) { 
             $username = mysql_result($check, 0, 'username');
        }
        Else { setcookie('ID_my_site','',time()-3600); }
}

 

This checks the cookie and retrieves relevant username. It will also erase the saved cookie if result is not found so make sure it is above any output code

[melloorr]

Sorry for taking so long to reply but I got fed up because that was not working either.

 

But I have just checked again and I noticed in the original code, that the password was encrypted before it was put into the cookie, so would this make it secure?

[PFMaBiSmAd]

If by encryption, you mean using md5 (which is actually hashing, not encryption) on the password and then storing the md5 value in a cookie, then NO that is not secure because with the power of today's computers, it is easy to come up with a starting value that produces a specific md5 value that would let someone log in using your log in form.

[melloorr]

Oh, well is there any other way it could be easily done?