Jump to content

setting cookies after upgrading to HTTPS


mmarkym
 Share

Recommended Posts

I've recently upgraded my site to secure HTTPS from HTTP. Now my cookies won't work. I've read you have to add the secure attribute, setting it to 1 but not sure how to do this. Anyway my cookies are-

setcookie('loggedIn', '$user', time() + 36 * 24);
and
setcookie('signedup', $username, time() + 36 * 24);

I'm then combining them with the global $_SESSION variable to create a login system.

if (isset($_COOKIE['signedup']))
{
	if (!isset($_SESSION['signupUser']))
	{
		$_SESSION['signupUser'] = $_COOKIE['signedup'];
	}
}
if (isset($_SESSION['signupUser']))
{

and the login page.

session_start();
if (isset($_COOKIE['loggedIn']))
{
	if (!isset($_SESSION['login']))
	{
		$_SESSION['login'] = $_COOKIE['loggedIn'];
	}
}
	if (isset($_SESSION['login']))
	{

thanks

 

mark

Link to comment
Share on other sites

Cookies are easy to troubleshoot: use your browser's developer tools to see exactly what Set-Cookie headers your server is sending back, what the cookie data being stored inside your browser is, and whether there are outgoing Cookie headers to your server.

Also,

1. Your loggedIn cookie has the wrong value. I assume that's just a mistake in your post and not true for your real code?
2. 36*24 is 14 minutes. Are you sure you want that?

 

45 minutes ago, mmarkym said:

I've read you have to add the secure attribute, setting it to 1

The Secure attribute only means that the cookie will not be sent over insecure connections. If your whole site is secure then this won't do anything - but it is still a good idea for security, Just In Case™.

Link to comment
Share on other sites

Posted (edited)

I've found this information and found the signedup cookie is being set. What happens is the signup and login page are blank because that.s where I set the cookies. Anyway have a look at my site and I need to know what I do with the browser information to fix the problem. my signup page is signup.php. The login page is authenticate.php. add php/ at the end of the url to get the correct path to these pages.

https://www.theatlanticmint.com

mark

Edited by mmarkym
Link to comment
Share on other sites

Hi,

I'm using cookies and the $_SESSION global variable to create a login system. If visiting this newly enabled HTTPS site and you try to signup or login the content is somehow getting blocked. The signup and login scripts are attached and could hold the problem but I've found the fact that I required another file, AccountLinks.php(Which is the login form and logout link.) in my header file which is presenting the problem. If I comment out the require("AccountLinks.php"); than content is not blocked. I've attached header, AccountLinks, signup, and checkAuthentification(Login) below.

The site is https://www.theatlanticmint.com

header.php

<!DOCTYPE html 5>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link href="css/styleGrid.css" rel="stylesheet" />
<link href="../css/styleGrid.css" rel="stylesheet" />
<script src="js/addEventHandler.js"> </script>
<script src="js/script.js"> </script>
<title>The Atlantic Mint</title>
</head>

<body>


<header>
<span id="heading"><a href="index.php" class="homeLink">The Atlantic Mint</a>
<span id="siteseal"><script async type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=VtwWAF1HXegBhXVgpiNqX5tUMNCN55ELFrrGpiELL5T4Y0TtqLTmuAIG7ADT"></script></span>
<p id="saying">One TAM Digital Coin Is Equivalent To One Troy Ounce Silver</p>
</span>

<?php 
if (isset($_SESSION['login']))
{
?>
<div id="splashImage">
 <aside id="bear" class="item-one">
	 	<video id="videoDean" controls height="80%" width="100%">
	    	<source src="images/bears1.mp4" type="video/mp4">
	        
	        Your browser doesn't support the HTML5 video tag.
	    </video>
<!--<img id="moneyPhoto" src="images/silverCoins.png" />-->
 </aside>
</div>
<?php
}
require("php/AccountLinks.php");
?>
</header>

AccountLinks.php

<div id="accountLinks">
<span id="imageCoins"><img id="accountImages" src="../images/coin5.png" /></span> 
<P>One TAM Silver In Physical Form</P>
<?php
session_start();
if (isset($_COOKIE['loggedIn']))
{
	if (!isset($_SESSION['login']))
	{
		$_SESSION['login'] = $_COOKIE['loggedIn'];
	}
}
	if (isset($_SESSION['login']))
	{
?>

    <div id="accountHyperlinks">
		<div id="logoutLink"><a href="php/logout.php" class="accountLink">LOGOUT</a></div>
	<?php
	echo "<span id=\"YouRLoggedIn\">You are logged in as:</span> <br />" . "<div id='loginResult'>" . $_SESSION['login'] . "</div>";
	}
	else
	{
	?>
		<!--<a href="authenticate.php" class="accountLink">LOGIN</a><br />-->
        <div class="forms">
            <form method="post" action="php/checkAuthentification.php" id="loginForm">
                    
                   <fieldset> 
                   <legend>Please log in:</legend>
                    <div class="tblRow">
                        <label for="username">Username:</label>
                        <input class="frmInput" type="text" name="username" id="username" placeholder="Enter a valid username." required aria-required="true" value="<?php echo isset($_SESSION['signupUser']) ? $_SESSION['signupUser'] : '' ; ?>" /><br />
<!--                        <a href="forgotLogin.php" id="usernameRecover" class="smallLinks" name="userRecover">Forgot Username >></a> 
-->                     </div>
                   <div class="tblRow">
                        <label for="password">Password:</label>
                        <input class="frmInput" type="password" name="password" id="password" placeholder="Enter a valid password." required aria-required="true" /><br />
<!--                        <a href="forgotLogin.php" id="passwordRecover" class="smallLinks" name="passRecover">Forgot Password >></a> 
-->                     </div>
                   
                    <div class="tblRow">
                    	<input type="submit" name="login" id="login" value="Login" />                        
                    </div>  
                    </fieldset>	
            </form>  
 </div>       
		<a href="php/signup.php" class="accountLink">SIGNUP</a>
     </div>    
    <?php
	}
	?>  
</div>

signup.php

<?php 
session_start();
require("header.php"); 
require('credentials.php');

if (isset($_COOKIE['signedup']))
{
	if (!isset($_SESSION['signupUser']))
	{
		$_SESSION['signupUser'] = $_COOKIE['signedup'];
	}
}
if (isset($_SESSION['signupUser']))
{
	echo "<div id='loginResult'>You are already signed up as: <br />" . $_SESSION['signupUser'] . ". You may now login.</div>";
}		
?>		
		<a href="authenticate.php" class="accountLink">LOGIN </a>

<?php
if (isset($_POST['btnSignup']))
{	
$conn = mysqli_connect(DBHOST, DBUSER, DBPASS, DBNAME)or die("error with the connection");
	
	$fname = mysqli_real_escape_string($conn, trim($_POST['fname']));
	$lname = mysqli_real_escape_string($conn, trim($_POST['lname']));
	$date = mysqli_real_escape_string($conn, trim($_POST['date']));
	$street = mysqli_real_escape_string($conn, trim($_POST['street']));
	$city = mysqli_real_escape_string($conn, trim($_POST['city']));
	$state = mysqli_real_escape_string($conn, trim($_POST['state']));
	$zip = mysqli_real_escape_string($conn, trim($_POST['zip']));
	$email = mysqli_real_escape_string($conn, trim($_POST['email']));
	$phone = mysqli_real_escape_string($conn, trim($_POST['phone']));
	$username = mysqli_real_escape_string($conn, trim($_POST['username']));
	$password = mysqli_real_escape_string($conn, trim($_POST['password']));
	
	$query = "SELECT * FROM users WHERE email = '$email'";
	$dataSet = mysqli_query($conn, $query) or die("Error with the  signup email query.");	
	if (mysqli_num_rows($dataSet) === 0)
	{
		$row = mysqli_fetch_array($dataSet);
		
		$_SESSION['signupUser'] = $username;
		setcookie('signedup', 'allready', time() + 36 * 24);
		
		$str = "INSERT INTO users (fname, lname, date, street, city, state, zip, email, phone, username, password) VALUES ('$fname', '$lname', '$date
		', '$street', '$city', '$state', '$zip', '$email', '$phone', '$username', sha1('$password'))";
		mysqli_query($conn, $str)or die('error with the signup query');
		
	
//gather the data
	$str2 = "SELECT * FROM users WHERE email = '$email'";
	$result = mysqli_query($conn, $str2) or die("Error with the  signup email query.");
	$row2 = mysqli_fetch_array($result);	
	echo "<div id=\"registerResults\">";
	echo "<h3>Signup Results</h3>";
		echo $row2['fname'] . "<br />";
		echo $row2['lname'] . "<br />";
		echo $row2['date'] . "<br />";
		echo $row2['street'] . "<br />";
		echo $row2['city'] . "<br />";
		echo $row2['state'] . "<br />";
		echo $row2['zip'] . "<br />";
		echo $row2['email'] . "<br />";
		echo $row2['phone'] . "<br />";
		echo $row2['username'] . "<br />";
		echo $row2['password'] . "<br />";
		echo "<p>This user has successfully signed up and can now <a href=\"authenticate.php\" id=\"smLogin\">log in</a></p>";
		
		$hideForm = true;
		
		$home_url = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php';
          	header('Location: ' . $home_url);
										
		echo "</div>";
		}
		else
		{
			echo '<p class="else">That email already exists. Please use a different email or log in.</p>';
		}
	}

	if (!$hideForm)
	{

?>
<section>
<article>
<div id="frmSignup" class="forms">
	<fieldset>
    <legend>Please Sign Up:</legend>
	<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="frmSignup" id="frmSignup">
    	<h3 id="contactHeading">Signup Form:</h3>
        
        <div class="frmRow"><label for="fname">First Name:</label><input type="text" id="fname" name="fname" value="<?php echo isset($fname) ? $fname : ''; ?>" placeholder="Enter First Name" autofocus></div>
        <div class="frmRow"><label for="lname">Last Name:</label><input type="text" id="lname" name="lname"  value="<?php echo isset($lname) ? $lname : ''; ?>" placeholder="Enter Last Name"></div>
        <div class="frmRow"><label for="date">Today's Date:</label><input type="datetime" id="date" name="date" value="<?php echo isset($date) ? $date : ''; ?>" placeholder="Enter Today's Date"></div>
        <div class="frmRow"><label for="street">Street:</label><input type="text" id="street" name="street"  value="<?php echo isset($street) ? $street : ''; ?>" placeholder="Enter Street"></div>
        <div class="frmRow"><label for="city">City/Town:</label><input type="text" id="city" name="city"  value="<?php echo isset($city) ? $city : ''; ?>" placeholder="Enter City"></div>
        <div class="frmRow"><label for="state">State:</label><input type="text" id="state" name="state" value="<?php echo isset($state) ? $state : ''; ?>" placeholder="Enter State" list="states"></div>
        <datalist id="states">
        	<select>
	<option value="AL">Alabama</option>
	<option value="AK">Alaska</option>
	<option value="AZ">Arizona</option>
	<option value="AR">Arkansas</option>
	<option value="CA">California</option>
	<option value="CO">Colorado</option>
	<option value="CT">Connecticut</option>
	<option value="DE">Delaware</option>
	<option value="DC">District Of Columbia</option>
	<option value="FL">Florida</option>
	<option value="GA">Georgia</option>
	<option value="HI">Hawaii</option>
	<option value="ID">Idaho</option>
	<option value="IL">Illinois</option>
	<option value="IN">Indiana</option>
	<option value="IA">Iowa</option>
	<option value="KS">Kansas</option>
	<option value="KY">Kentucky</option>
	<option value="LA">Louisiana</option>
	<option value="ME">Maine</option>
	<option value="MD">Maryland</option>
	<option value="MA">Massachusetts</option>
	<option value="MI">Michigan</option>
	<option value="MN">Minnesota</option>
	<option value="MS">Mississippi</option>
	<option value="MO">Missouri</option>
	<option value="MT">Montana</option>
	<option value="NE">Nebraska</option>
	<option value="NV">Nevada</option>
	<option value="NH">New Hampshire</option>
	<option value="NJ">New Jersey</option>
	<option value="NM">New Mexico</option>
	<option value="NY">New York</option>
	<option value="NC">North Carolina</option>
	<option value="ND">North Dakota</option>
	<option value="OH">Ohio</option>
	<option value="OK">Oklahoma</option>
	<option value="OR">Oregon</option>
	<option value="PA">Pennsylvania</option>
	<option value="RI">Rhode Island</option>
	<option value="SC">South Carolina</option>
	<option value="SD">South Dakota</option>
	<option value="TN">Tennessee</option>
	<option value="TX">Texas</option>
	<option value="UT">Utah</option>
	<option value="VT">Vermont</option>
	<option value="VA">Virginia</option>
	<option value="WA">Washington</option>
	<option value="WV">West Virginia</option>
	<option value="WI">Wisconsin</option>
	<option value="WY">Wyoming</option>
</select>				
        </datalist>
        <div class="frmRow"><label for="zip">Zip Code:</label><input type="text" id="zip" name="zip" value="<?php echo isset($zip) ? $zip : ''; ?>" placeholder="Enter Zip Code"></div>
        <div class="frmRow"><label for="email">Email:</label><input type="email" id="email" name="email" placeholder="Enter a valid Email"></div>
        <div class="frmRow"><label id="phoneLabel" for="phone">Phone:</label><input type="tel" id="phone" name="phone" aria-required="true" required value="<?php echo isset($phone) ? $phone : ''; ?>" placeholder="Enter Phone Number" /></div>
        
        <div class="frmRow"><label for="username">Username:</label><input type="username" id="username" name="username" placeholder="Enter a valid username" value="<?php echo isset($username) ? $username : ''?>"</div>
        <div class="frmRow"><label for="password">Password:</label><input type="password" id="password" name="password" placeholder="Enter a valid password" value="<?php echo isset($password) ? $password : ''?>"</div>
        
        <input type="submit" value="Sign Me Up" id="btnSignup" name="btnSignup">
    </form>
    </fieldset>
</div>
</article></section>
<?php
	}
	require('php/footer.php'); 
?>

and checkAuthentification.php

<?php
session_start();
require("header.php");
require('credentials.php');

	if (isset($_POST['login']))
		{	
			$connection = mysqli_connect(DBHOST, DBUSER, DBPASS, DBNAME)or die('error with the connection');//DBHOST, DBUSER, DBPASS, DBNAME
			
			$user = mysqli_real_escape_string($connection, trim($_POST['username']));
			$password = mysqli_real_escape_string($connection, trim($_POST['password']));
				
				$query = "SELECT * FROM users WHERE username = '$user' AND password = sha1('$password')";
			
				$result = mysqli_query($connection, $query)or die('error with the login query');
				while ($row = mysqli_fetch_array($result))
				{
					if ($user == $row['username'] && $password == $row['password'])
					{
						if (mysqli_num_rows($result) !== 0)
						{							
							setcookie('loggedIn', 'allset', time()+60*60*24*30);
							
							$_SESSION['login'] = 
							
							 "<br /><span>". " " .
							 " <div class='resultRows'><span class=\"rowResults\">" . "Username:</span> <span class=\"fields\">" . $row['username'] . "</span></div>" .
							 " <div class='resultRows'><span class=\"rowResults\">" . "Full Name:</span> <span class=\"fields\">" . $row['fname'] . " " . $row['lname'] . "</span></div>" .
							 " <div class='resultRows'><span class=\"rowResults\">" . "Street:</span> <span class=\"fields\">" . $row['street']. "</span></div>" .
							 " <div class='resultRows'><span class=\"rowResults\">" . "City/Town:</span> <span class=\"fields\">" . $row['city'] . "</span></div>".
							 " <div class='resultRows'><span class=\"rowResults\">" . "State:</span> <span class=\"fields\">" . $row['state'] . "</span></div>" .
							 " <div class='resultRows'><span class=\"rowResults\">" . "Zip-Code:</span> <span class=\"fields\">" . $row['zip'] . "</span></div>".
							 " <div class='resultRows'><span class=\"rowResults\">" . "Email:</span> <span class=\"fields\">" . $row['email'] . "</span></div>" .
							 " <div class='resultRows'><span class=\"rowResults\">" . "Phone:</span> <span class=\"fields\">" . $row['phone'] . "</span></div>".
							 " <div class='resultRows'><span class=\"rowResults\">" . "Date:</span> <span class=\"fields\">" . $row['date'] . "</span></div>".
							 "</span>";
							 echo "<p></p>";
						}
						else
						{
							echo "No such record.";	
						}			
					}
				}				
		}
	//}
	if (!isset($_SESSION['login']))
	{
?>
<section>
<article>
<div class="forms">
    <div id="login">
        <h3>Log In:</h3>
            <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" id="loginForm">
                    
                   <fieldset> 
                   <legend>Please log in:</legend>
                    <div class="tblRow">
                        <label for="username">Username:</label>
                        <input class="frmInput" type="text" name="username" id="username" placeholder="Enter a valid username." required aria-required="true" value="<?php echo isset($_SESSION['signupUser']) ? $_SESSION['signupUser'] : '' ; ?>" />
                     </div>
                   <div class="tblRow">
                        <label for="password">Password:</label>
                        <input class="frmInput" type="password" name="password" id="password" placeholder="Enter a valid password." required aria-required="true" />
                     </div>
                   
                    <div class="tblRow">
                    	<input type="submit" name="login" id="login" /> 
                    </div>  
                    </fieldset>	
            </form>  
    </div><!--end login div-->  
 </div>
 </article></section>
 <?php
	}
	else
	{
		echo "You are now logged in " . $_SESSION['login'];	
		$home_url = 'http://' . $_SERVER['HTTP_HOST'] .  '/index.php';
							header('Location: ' . $home_url);			
	}
?>

 

Link to comment
Share on other sites

1 hour ago, mmarkym said:

If visiting this newly enabled HTTPS site and you try to signup or login the content is somehow getting blocked.

"Somehow getting blocked" is a hard thing to understand when I can't see it happening for myself.

Right now, all I can tell is that if I try to log in with a bad username and password then I get a 500 error.

Link to comment
Share on other sites

When I click on signup or login from the homepage, with good or bad info, I get a page with everything in header.php down to the php output. The logo, and heading, and a black background. The php is not outputting the signup form or login results. I think, furthermore, that the require statement at the bottom of header.php, AccountLinks.php, is the culprit somehow because when I comment it everything shows, except for, of course, AccountLinks.php.

 

mark

Link to comment
Share on other sites

I did a work around and everything works, almost. Instead of requiring the AccountLinks in header.php and requiring that in index.php, I put the AccountLinks.php require directive directly in index. My problem now is the sha1 algorithm. I am trying to encrypt password in signup and checkAuthentification by using SHA1(password). If I take away the sha1 algorithm everything works, otherwise not.

 

mark

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.