How to validate user login on every page only with cookies

[thegweb]

Is there any way out to check if user is logged in before user is allowed to see page content but only using cookies, no session no mysql.

I am using text file to read username and password and if it matches then set cookie name "loggedin" and welcome the user. I am using login form on the same page and posting to itself, ex form on index page and posting on index page as well. 

 

How can I confirm on every other page if user is logged in using same cookie?

 

Thanks

[Jacques1]

First of all: Why do you have those weird limitations? Is that a requirement or a decision on your part?

 

I understand that you cannot or don't want to install a full-blown database system like MySQL, but there's still SQLite. That's also a single file, but it's much more convenient and reliable than messing with friggin' txt files. And why on earth can't you use sessions? That's one of the core functionalities of PHP.

 

Secondly: What exactly is this for? Is this just a fun application where any user may take over any account, or does the code actually have to be secure?

 

If you need security, things will get complicated, because you obviously need to prevent users from manipulating the cookies. This is possible with cryptography (or more specifically: a message authentication code), but that will take a lot more work and knowledge than simply using PHP sessions.

[thegweb]

Hi,

 

I know database will make it alot easier and thiis not my decision. I am working on a school project and this is my very first project and all these restrictions are project requirements. 

I hope to get some help here as it has been driving me crazy to figure out all this based on text files and not using sessions. I googled alot but no help.

 

Thats why I was here in a hope to get some help.

[Jacques1]

You haven't answered the second question: Is it OK if anybody can take over any account? If it is, then simply put the user ID into a cookie and use it to identify the current visitor.

 

Of course this is incredibly stupid, because anybody can manipulate their cookies and claim that they're logged in. But given the stupid requirements, this approach seems to be appropriate.

[ginerjm]

1 - create your text file and store it outside of your web-accessible tree for security purposes.

2 - create a small php script that contains a function that has two arguments - user and password.

3 - in this function open the text file and start a loop on it to read the lines one at a time. 

4 - match the user and password argument against the contents of the current line you just read.  If it matches, set the cookie and return true from the function

5 - if it doesn't match, read the next line from the text file and repeat step 4

6 - if you reach the end of the file and exit the loop, return false.

[thegweb]

Thanks for your help.

 

Being a student and working on a project, we cant say no to our instructor, it will then affect grades. 

For the second question: This project is just a class assignment and we are not told to really worry about the secure sessions. Though this is stupid to work in an appropriate way but assignment is assignment.

I appreciate your help. 

 

I saved cookie in different file to check if it is set then good otherwise redirect to main page for login without any error message. 

 

Thanks again, 

[scootstah]

This a perfect example of why I tell people not to waste their money on programming degrees.