calabiyau Posted January 4, 2007

Hi, pretty new to PHP but getting the hang of it. Just had a question. I'm writing a script for an admin area that I have password protected from a login script. The login checks the POST variables for username and password (salted and hashed) against the database. If everything passes then it sets a cookie on the user's machine and redirects to the admin area. The admin area checks for the cookie being set and if it is, allows access.

Now the admin area is only really meant to be accessed by one person or a few at most, to administer catalogue items and such for a shop. Is this a secure way to protect the admin area? What ways can this be bypassed and what are some solutions to this? I guess I just don't really understand how a malicious person could get into the admin area. Is there a way for them to find out the cookie information? I have looked into doing this with sessions but not come across anything that suits this situation really well. Would love to hear some input into this.

Link to comment: https://forums.phpfreaks.com/topic/32874-cookie-based-log-in-script/
calabiyau Posted January 4, 2007

Further, since I am only checking if the cookie is set, but not any kind of value, can someone simply try various combinations of names and set them to any values on their hard drive and this will pass the test?

Link to comment: https://forums.phpfreaks.com/topic/32874-cookie-based-log-in-script/#findComment-153038
Jessica Posted January 4, 2007

Cookies can be easily edited. Plus, if someone steals the cookies of an allowed user (which is EASY to do), they now have access. If you want to use cookies, always check against the database and also store in a session and check that. Cookies aren't really that great because they are easily stolen and easily edited.

"Further, since I am only checking if the cookie is set, but not any kind of value, can someone simply try various combinations of names and set them to any values on their hard drive and this will pass the test?"

YES. Check the VALUES against the database at least.

Link to comment: https://forums.phpfreaks.com/topic/32874-cookie-based-log-in-script/#findComment-153056
calabiyau Posted January 4, 2007

Thanks for your reply. I guess I have to rethink how I've done this then. Maybe if I provide some code, you could point me in a better direction. Here is the code from the login page.

[code]
<?php
// $u and $p are the submitted username and password from the login form
// (field names assumed here); $salt and $connect are defined earlier in the script.
$u = $_POST['first_name'];
$p = $_POST['password'];

$p = md5($salt.$p);
// Builds the query directly from the submitted values.
$query = "SELECT * FROM users WHERE first_name='$u' AND password='$p'";
$results_id = mysql_query($query, $connect);
$row = mysql_fetch_row($results_id);
if ($row) {
    setcookie('password', md5($row[2]));
    setcookie('first_name', md5($row[1]));
    header("Location: admin.php"); // a redirect needs the "Location:" prefix
    exit();
} else {
    echo "<h2>I'm sorry either your password or username is incorrect.</h2><br/>";
}
[/code]

And here is the code from the admin page:

[code]
<?php
if (!isset($_COOKIE['password'])) {
    header("Location: login.php");
    echo "Inside the box";
    exit(); // stop here so the rest of the admin page is not sent after the redirect
}
?>
[/code]

So basically what I've done is if the cookie is not set I send them back to the login page, otherwise they get the admin functions. So I'm a little lost on sessions, but even with the cookies, if I want to check their value, then I have to enter that value into the user's row in the database. How do I then retrieve that value? Pass the username and password on in session variables? If I did that then it would pretty much eliminate the need for the cookies altogether as my ADMIN page could simply check the session variables right from the start. So what security measures should I take when using sessions? As you can probably tell I am quite lost at the moment. Any clear answers would be really nice.

Link to comment: https://forums.phpfreaks.com/topic/32874-cookie-based-log-in-script/#findComment-153080
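The check in the posted admin.php accepts any cookie named `password`, whatever its value, so a request such as `curl -b 'password=x' http://shop.example/admin.php` (hostname assumed) passes it without ever touching the database. The following is an added example, not code from the thread, of the approach Jessica's reply describes: bind the login to a server-side session, and if a persistent cookie is wanted at all, give it a random token whose hash is checked against the database on every request. It assumes PHP 7.3 or later, PDO, a hypothetical DSN, and two hypothetical tables: `users(id, first_name, password_hash)` where `password_hash` was produced by `password_hash()`, and `remember_tokens(selector, token_hash, user_id, expires)`. The function and column names are the example's own.

```php
<?php
// Added example, not the original poster's code. Assumes PHP >= 7.3, PDO, and the
// hypothetical tables users(id, first_name, password_hash) and
// remember_tokens(selector, token_hash, user_id, expires).
declare(strict_types=1);

session_start();

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // Hypothetical connection details; adjust for the real server.
        $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop', 'secret', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    }
    return $pdo;
}

// login.php: verify the credentials, then tie the browser to a server-side session.
function login(string $username, string $password, bool $remember): bool {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE first_name = ?');
    $stmt->execute([$username]);            // bound parameter: the username cannot alter the SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() applies the per-user salt stored in the hash and compares in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);            // fresh session id on login (defeats session fixation)
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();

    if ($remember) {
        issue_remember_cookie((int) $row['id']);
    }
    return true;
}

// Optional persistent login. The cookie holds a random selector and a random validator;
// only a hash of the validator is stored, so a copy of the table cannot be turned into
// working cookies, and nothing in the cookie is derived from the password.
function issue_remember_cookie(int $userId): void {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 30 * 86400;

    $stmt = db()->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent only over HTTPS, so it cannot be sniffed in transit
        'httponly' => true,   // not readable from JavaScript, which limits theft via XSS
        'samesite' => 'Lax',
    ]);
}

// admin.php: accept a live session, or a remember cookie whose value matches the database.
function current_admin_user(): ?int {
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    if (empty($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return null;                        // absent or malformed cookie
    }
    [$selector, $validator] = explode(':', $_COOKIE['remember'], 2);

    $stmt = db()->prepare(
        'SELECT user_id, token_hash FROM remember_tokens WHERE selector = ? AND expires > ?'
    );
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                        // unknown or expired selector
    }
    // hash_equals() compares in constant time, so the check leaks no timing information.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;                        // a made-up cookie value does not match the database
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}

function require_admin(): void {
    if (current_admin_user() === null) {
        header('Location: login.php');
        exit();                             // without exit() the admin page would still be sent
    }
}
```

Usage: login.php calls `login($_POST['first_name'], $_POST['password'], isset($_POST['remember']))` and redirects on `true`; admin.php calls `require_admin()` as its first statement. With this layout a forged cookie fails the `hash_equals` check, a stolen cookie can be revoked by deleting its row from `remember_tokens`, and the session itself never carries the password or its hash.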