logicopinion Posted February 13, 2008

Hello, I am trying to protect my CMS with a password; I am really a newbie in PHP. So, first of all I'll describe my problem shortly. This is the code of the index.php file:

<?php
if (isset($_COOKIE['firstschool_username']) and isset($_COOKIE['firstschool_password'])
    and $_COOKIE['firstschool_username'] != "deleted") {
    // cookies are present: fall through and render the page
} else {
    echo "<meta http-equiv=\"REFRESH\" content=\"0; url=login.php\">";
    exit;
}
?>
<html>
<head>
<title>Admin Panel - Content Managment System</title>
<link rel="stylesheet" type="text/css" href="styles/styles.css" />
</head>
... the rest of the HTML code goes here ...
End

This is the code of redirect.php, which checks if a password was entered, compares it with the password and username in the database, and sets cookies for this page.

<?php
$login_username = stripslashes($_POST['login_username']);
$login_password = stripslashes($_POST['login_password']);
$oneday = 60 * 60 * 24 + time();
// the cookies are written here, before the credentials have been checked
setcookie('firstschool_username', $login_username, $oneday);
setcookie('firstschool_password', $login_password, $oneday);
include ("includes/vars.php");
mysql_connect($hostname, $username, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
// user input is placed straight into the SQL string
$query = "SELECT * FROM `login` WHERE `username` = '$login_username' AND `password` = '$login_password'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) > 0) {
    echo "Logged in, redirecting";
    echo "<meta http-equiv=\"REFRESH\" content=\"3;url=index.php\">";
} else {
    echo "Wrong username or password";
    echo "<meta http-equiv=\"REFRESH\" content=\"3; url=login.php\">";
}
?>

And this is the code of the login.php file, which consists of a simple form:

<html>
<head>
<title>Admin Panel Login Page</title>
<link rel="stylesheet" type="text/css" href="styles/styles.css" />
</head>
<body background="images/bg.png" topmargin="0" leftmargin="0" bottommargin="0" rightmargin="0">
<table border="0" width="100%" height="100%" cellpadding="0" cellspacing="0">
<TR><TD align="center">
<table border="0" bgcolor="#FFFFFF" width="300" cellpadding="0" cellspacing="0">
<form action="redirect.php" method="post">
<TR><TD style="border-top:1px #CCCCCC solid; border-left:1px #CCCCCC solid; border-right:1px #CCCCCC solid;" height="40" colspan="2" align="center" class="authtext">Content Management System</TD></TR>
<TR><TD height="40" style="border-left:1px #CCCCCC solid;" class="titles" align="center">სახელი:</TD><TD style="border-right:1px #CCCCCC solid;" align="center"><input size="25" class="login" type="text" name="login_username"></TD></TR>
<TR><TD height="40" style="border-left:1px #CCCCCC solid;" class="titles" align="center">პაროლი:</TD><TD style="border-right:1px #CCCCCC solid;" align="center"><input size="25" class="login" type="password" name="login_password"></TD></TR>
<TR><TD style="border-bottom:1px #CCCCCC solid; border-right:1px #CCCCCC solid; border-left:1px #CCCCCC solid;" align="right" height="40" colspan="2"><input class="loginbutton" type="submit" value="Login"></TD></TR>
</form>
</TD></TR>
</table>
</TD></TR>
</table>
</body>
</html>

My problem is the following: when I type http://localhost/admin/, as a rule it goes to index.php, which checks if cookies are set and acts accordingly, so that if there is no cookie set it redirects to the login.php page. Everything works fine until I go to the login.php page and click the LOGIN button, with or without entering anything in the form. After this it tells me wrong username/password. That's normal (I entered a wrong password and username, or nothing at all), but after saying WRONG USERNAME/PASSWORD and redirecting me to the login.php page again, if I edit the URL, which looks like http://localhost/admin/login.php, and type http://localhost/admin/someotherpage.php, it lets me in so I can modify anything I wish. Can someone tell me where the mistake is? Sorry if my post looks long to read. Please help, thanks a lot. Regards
haku Posted February 13, 2008

You are setting the username and password into cookies at the start of your script, before you have even checked to see if they are correct or not. Even if they are empty when you set them, the cookie is still there. So when you check it on other pages, since the cookies exist (even though the contents are wrong), it thinks you are logged in. Set those cookies AFTER you have checked to see if the username and password were correct. But DON'T set the password, that's dangerous. Just set the username. And you should use sessions, not cookies.
logicopinion Posted February 13, 2008 (Author)

What does it mean not to set the password? Yes, I know a session is the better one, but I really have no idea about sessions.
haku Posted February 13, 2008

It means DON'T use this line of code:

setcookie('firstschool_password', $login_password, $oneday);

Anyone can see the information stored in that cookie very easily. So the person's password will be out there for anybody to see.
logicopinion Posted February 13, 2008 (Author)

Okay, I see this is a stupid way to protect a page. I'll go and read something about sessions then. Thanks a lot, will be back if I have some questions.
haku Posted February 13, 2008

Sessions are much better. But even after you are using sessions, you still shouldn't store the user's password in a session variable. Session variables are more secure than cookies, but they can still be hacked. Never store the user's password anywhere except in the database, and even then the password should be encrypted.
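A version of the login flow along the lines haku describes, as an added example that is not code from this thread: the session, not a cookie, records who is logged in, and only after the check passes; the query is a prepared statement; and the database holds a password hash rather than the password itself. It assumes PHP 7 or later with PDO, the same `includes/vars.php` variables as the original, and a `password_hash` column in the `login` table (an assumption) filled with `password_hash($plain, PASSWORD_DEFAULT)`.

```php
<?php
// ---- redirect.php (added example, not from the thread) ----
// Assumes includes/vars.php defines $hostname, $database, $username, $password
// as in the original, and that `login` has a `password_hash` column (assumption).
session_start();
include "includes/vars.php";

$login_username = $_POST['login_username'] ?? '';
$login_password = $_POST['login_password'] ?? '';

$pdo = new PDO("mysql:host=$hostname;dbname=$database;charset=utf8mb4",
               $username, $password,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Prepared statement: the submitted username is bound as a value and can
// never change the SQL text, unlike the string-built query in the original.
$stmt = $pdo->prepare('SELECT password_hash FROM login WHERE username = ?');
$stmt->execute([$login_username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against the stored hash. Nothing is remembered until this passes,
// and what is remembered is only the username, server-side in the session.
if ($row !== false && password_verify($login_password, $row['password_hash'])) {
    session_regenerate_id(true);   // fresh session id once privilege changes
    $_SESSION['firstschool_username'] = $login_username;
    header('Location: index.php');
    exit;
}
header('Location: login.php');
exit;
?>
<?php
// ---- index.php guard (added example): place at the very top of index.php ----
// The session value is only ever set by redirect.php after a successful check,
// so unlike the cookie it cannot simply be created by the visitor.
session_start();
if (empty($_SESSION['firstschool_username'])) {
    header('Location: login.php');
    exit;
}
?>
```

The two files are shown in one block for reading convenience; each `<?php ... ?>` section is its own file on disk.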
logicopinion Posted February 13, 2008 (Author)

Can someone give me a link to a good tutorial about sessions and password protection? Thank you.
aschk Posted February 13, 2008

101 on setting sessions. To set session information (page1.php):

<?php
session_start();                  // must run before $_SESSION is touched
$_SESSION['myvar'] = "blah blah";
?>

To get session information (page2.php):

<?php
session_start();                  // needed on every page that reads $_SESSION
echo $_SESSION['myvar'];
?>
haku Posted February 13, 2008

Here is a good tutorial: http://www.tizag.com/phpT/phpsessions.php

Actually, all tizag tutorials are good. I would recommend going through them from start to finish for most of the coders that ask questions on this site; the code they teach is quite well written.
This topic is now archived and is closed to further replies.