Please reply with your feedback. I want to know how general this issue is.
I have an integration between SMF forum and OsDate, which uses cookies and sessions. However, when I use any browser except for Mozilla, the session is not passed. Anyway, I tried to simplify this and look for a simple session script (which I set in the page above) to try to figure out what the problem is. In the script above, the behavior is the same: when I log in with Mozilla I can successfully do it, but with the other browsers I can't. I think it is an issue with the script, because I can log in to other pages using cookie sessions with the same computer and browsers I have. Can you point me to what it could be? Below is the code for this simple script:
<?php
// Connects to your Database
mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
mysql_select_db("Database_Name") or die(mysql_error());

// Undoes magic quotes if they are enabled, so values are escaped exactly once below
function raw_input($value)
{
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Checks if there is a login cookie
if (isset($_COOKIE['ID_my_site'], $_COOKIE['Key_my_site'])) {
    // if there is, it logs you in and directs you to the members page
    // (the cookie value is escaped before it is placed in the query)
    $username = mysql_real_escape_string(raw_input($_COOKIE['ID_my_site']));
    $pass = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    while ($info = mysql_fetch_array($check)) {
        if ($pass == $info['password']) {
            header("Location: members.php");
            exit; // stop here so nothing else is sent after the redirect
        }
    }
}

// if the login form is submitted
if (isset($_POST['submit'])) {
    // makes sure they filled it in
    if (empty($_POST['username']) || empty($_POST['pass'])) {
        die('You did not fill in a required field.');
    }
    // checks it against the database (the username is escaped for the query)
    $username = raw_input($_POST['username']);
    $check = mysql_query("SELECT * FROM users WHERE username = '" . mysql_real_escape_string($username) . "'") or die(mysql_error());
    // gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
    }
    while ($info = mysql_fetch_array($check)) {
        $pass = md5(raw_input($_POST['pass']));
        // gives error if the password is wrong
        if ($pass != $info['password']) {
            die('Incorrect password, please try again.');
        } else {
            // if login is ok then we add a cookie
            // (cookie names must be quoted strings, not bare words)
            $hour = time() + 3600;
            setcookie('ID_my_site', $username, $hour);
            setcookie('Key_my_site', $pass, $hour);
            // then redirect them to the members area
            header("Location: members.php");
            exit;
        }
    }
} else {
    // if they are not logged in
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
In fact, this script does work on one of my computers with IE6, but it is not working on another with IE8 (as mentioned, I prefer to think that it is a script issue).
It seems a bad idea to keep a password in cookies: everybody can read the corresponding file and get it. There is nothing in your code that browsers can process in different ways. So I see only one possible reason: IE8 is too clever and disapproves of keeping the password in the cookie. Try changing the name of the password cookie.
Sorry if it does not help. It's only my suggestion.
I appreciate your advice about the security matter you mention, thanks.
I have been checking some session and cookie scripts, and this is the behavior I can see. I hope you can answer some of my questions:
I have tested a simple script to check that the cookies are sent and retrieved correctly by the browser in the same PHP file. The script works OK.
Then I tested another script which, after a successful login, saves some cookies. But then if I redirect to another PHP file and try to retrieve the cookie I just saved, the cookie doesn't seem to be retrieved. So these are some questions I have:
If a cookie is saved in test.php, can the cookie not be retrieved from test2.php (even when they are in the same directory)?
Do you know what the difference is between IE and Firefox when managing cookies? I have tested several scripts with Firefox and they seem to work just fine.
If you could point me to a script to determine exactly what is happening with the cookies in the script/browser, I would highly appreciate it.
If you're looking from PHP you would see no difference in cookie management between IE and FF. If such a difference exists, the browser simply does not satisfy the corresponding RFC. IE sometimes works strangely, so another possible reason for your problem is an IE bug. To test this suggestion you need to run your script on another computer but with the same version of IE.
To resolve the problem with cookie visibility, try passing the path parameter to setcookie. Who knows what it is by default?
Also, it would be nice to control the setcookie parameters in all the scripts you're testing.
Overall, use $_SESSION (see http://php.net/manual/en/function.session-start.php) to keep any user-related data. It sends one cookie and usually works perfectly.
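The session-based approach suggested in the last reply, with the cookie path and flags set explicitly, as an added example that is not part of the original thread: the browser only receives a session ID, and the password hash never leaves the server. It assumes PHP 7.3+ with PDO SQLite; the table, columns, the user "alice" and the helper names are hypothetical and constructed for the example.

```php
<?php
// Added example: session login with no credentials stored in cookies.
// Assumes PHP 7.3+ with PDO SQLite; table, column and user names are hypothetical.

function start_secure_session(): void
{
    // State the cookie scope explicitly instead of relying on defaults.
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, gone when the browser closes
        'path'     => '/',    // sent to every script on the site
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID once authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Constructed sample data (in-memory SQLite) so the script runs stand-alone.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

start_secure_session();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (is_string($user) && is_string($pass) && attempt_login($db, $user, $pass)) {
        header('Location: members.php');
        exit;
    }
    http_response_code(401);
    echo 'Incorrect username or password.';
}
// members.php calls start_secure_session() and then checks:
//   if (empty($_SESSION['user_id'])) { header('Location: login.php'); exit; }
```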