
Setting Cookies - PHP error


logicopinion


Hello

 

I am trying to protect my CMS with a password; I am really a newbie in PHP.

So, first of all I'll describe my problem briefly:

 

This is the code of the index.php file:

 

<?php
// Let the page through only when both login cookies exist and the username
// cookie has not been cleared on logout; otherwise send the visitor to login.php.
if (isset($_COOKIE['firstschool_username']) and isset($_COOKIE['firstschool_password']) and $_COOKIE['firstschool_username'] != "deleted")
{
// logged in: fall through to the page below
}
else
{
echo "<meta http-equiv=\"REFRESH\" content=\"0; url=login.php\">";
exit;
}
?>
<html>
<head>
<title>Admin Panel - Content Management System</title>
<link rel="stylesheet" type="text/css" href="styles/styles.css" />
</head>
... the rest of HTML code goes here...

 

This is the code of redirect.php, which checks whether a password was entered, compares it with the username and password in the database and sets the cookies for this page:

 

<?php
$login_username = stripslashes($_POST['login_username']);
$login_password = stripslashes($_POST['login_password']);
$oneday = 60 * 60 * 24 + time();
// The cookies are written here, before the database lookup below has run.
// (The variables must not be wrapped in single quotes, or the literal text
// '$login_username' is stored instead of the submitted value.)
setcookie('firstschool_username', $login_username, $oneday);
setcookie('firstschool_password', $login_password, $oneday);
include ("includes/vars.php");
mysql_connect($hostname, $username, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
// Look for a row whose username and password both match the submitted values.
$query = "SELECT * FROM `login` WHERE `username` = '$login_username' AND `password` = '$login_password'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) > 0) {
echo "Logged in, redirecting";
echo "<meta http-equiv=\"REFRESH\" content=\"3;url=index.php\">";
}
else
{
echo "Wrong username or password";
echo "<meta http-equiv=\"REFRESH\" content=\"3; url=login.php\">";
}
?>

 

 

And this is the code of the login.php file, which consists of a simple form:

 

<html>
<head>
<title>Admin Panel Login Page</title>
<link rel="stylesheet" type="text/css" href="styles/styles.css" />
</head>
<body background="images/bg.png" topmargin="0" leftmargin="0" bottommargin="0" rightmargin="0">
<table border="0" width="100%" height="100%" cellpadding="0" cellspacing="0">
<TR><TD align="center">

<table border="0" bgcolor="#FFFFFF" width="300" cellpadding="0" cellspacing="0">
<!-- The form posts the two fields to redirect.php, which does the checking. -->
<form action="redirect.php" method="post">
<TR><TD style="border-top:1px #CCCCCC solid; border-left:1px #CCCCCC solid; border-right:1px #CCCCCC solid;" height="40" colspan="2" align="center" class="authtext">Content Management System</TD></TR>
<TR><TD height="40" style="border-left:1px #CCCCCC solid;" class="titles" align="center">Username:</TD><TD style="border-right:1px #CCCCCC solid;" align="center"><input size="25" class="login" type="text" name="login_username"></TD></TR>
<TR><TD height="40" style="border-left:1px #CCCCCC solid;" class="titles" align="center">Password:</TD><TD style="border-right:1px #CCCCCC solid;" align="center"><input size="25" class="login" type="password" name="login_password"></TD></TR>
<TR><TD style="border-bottom:1px #CCCCCC solid; border-right:1px #CCCCCC solid; border-left:1px #CCCCCC solid;" align="right" height="40" colspan="2"><input class="loginbutton" type="submit" value="Login"></TD></TR>
</form>
</TD></TR>
</table>
</TD></TR>
</table>
</body>
</html>

 

My problem is this: when I type http://localhost/admin/ it goes, as expected, to index.php, which checks whether the cookies are set and acts accordingly.

So if no cookie is set, it redirects to the login.php page.

 

Everything works fine until I go to the login.php page and click the LOGIN button, with or without entering anything in the form. After this it tells me "wrong username/password". That is normal (I entered a wrong username and password, or nothing at all), but after saying WRONG USERNAME/PASSWORD and redirecting me to the login.php page again, if I edit the URL, which looks like http://localhost/admin/login.php, and type http://localhost/admin/someotherpage.php, it lets me in, so I can modify anything I wish.

 

Can someone tell me where the mistake is?

 

Sorry if my post looks long to read. Please help, thanks a lot.

Regards


You are setting the username and password into cookies at the start of your script, before you have even checked to see if they are correct or not. Even if they are empty when you set them, the cookie is still there. So when you check it on other pages, since the cookies exist (even though the contents are wrong), it thinks you are logged in.

 

Set those cookies AFTER you have checked to see if the username and password were correct. But DON'T set the password, that's dangerous. Just set the username. And you should use sessions, not cookies.


Sessions are much better. But even after you are using sessions, you still shouldn't store the users password in a session variable. Session variables are more secure than cookies, but they can still be hacked. Never store the user's password anywhere except in the database, and even then the password should be encrypted.

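The two replies above together describe the fix: verify the credentials first, then record only the identity, in a PHP session rather than in cookies, and keep nothing but a hash of the password in the database. The following is an added example written for this thread; it is not the original poster's code. It assumes PHP 7.4 or newer, a `password_hash` column in place of the thread's plaintext `password` column (the column name is an assumption), and uses PDO with an in-memory SQLite database standing in for the MySQL `login` table so the file runs stand-alone from the command line. Because the username is passed as a bound parameter, the submitted value also never becomes part of the SQL text, unlike the string-built query in redirect.php.

```php
<?php
// Added example, not code from the original post. Replaces the cookie check in
// index.php and the cookie-setting logic in redirect.php with a PHP session that
// exists only after the password has been verified. The `password_hash` column
// and the SQLite stand-in for the MySQL `login` table are assumptions.
declare(strict_types=1);

// redirect.php: look the user up and verify the submitted password against the
// stored bcrypt hash. Returns true only when username AND password match.
function authenticate(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the submitted username is bound, not interpolated.
    $stmt = $db->prepare('SELECT password_hash FROM login WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so a failed
    // login takes about the same time whether or not the username is valid.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $row['password_hash'] ?? $dummy;

    return password_verify($password, $hash) && $row !== false;
}

// redirect.php: on success, start the session and record only the identity.
// On failure nothing is written, so no later page can mistake the visitor
// for a logged-in admin (the bug in the original cookie flow).
function login_user(PDO $db, string $username, string $password): bool
{
    if (!authenticate($db, $username, $password)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);        // new id after login: defeats session fixation
    $_SESSION['admin_user'] = $username; // the identity only, never the password
    return true;
}

// index.php and every other admin page: call this before any output. A visitor
// who types someotherpage.php straight into the URL bar is sent to login.php.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_user'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

// --- stand-alone demonstration with a constructed account (CLI only) ---
if (PHP_SAPI === 'cli') {
    ini_set('session.use_cookies', '0');   // no HTTP layer on the command line
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO login (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'admin', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

    // Constructed inputs: the empty form from the thread, a wrong password,
    // an injection-shaped username, and the real credentials.
    $results = [
        'empty form'        => login_user($db, '', ''),
        'wrong password'    => login_user($db, 'admin', 'wrong'),
        'injection attempt' => login_user($db, "admin' OR '1'='1", 'x'),
        'correct password'  => login_user($db, 'admin', 'correct horse'),
    ];
    foreach ($results as $case => $ok) {
        printf("%-20s %s\n", $case, $ok ? 'logged in' : 'rejected');
    }
    printf("session user: %s\n", $_SESSION['admin_user'] ?? '(none)');
}
```

In a real deployment the top of index.php (and of every admin page) becomes a single `require_login();` call, redirect.php calls `login_user()` and redirects on its result, and the session cookie itself is issued by PHP, so setting `session.cookie_httponly` and `session.cookie_secure` in php.ini keeps it out of reach of scripts and off plain HTTP. Run from the command line the demo prints `rejected` for the first three cases and `logged in` for the last, with `session user: admin`.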
