Mike Mike - 1 year ago 120
PHP Question

PHP SESSIONS, COOKIES and Remember Me function

I have the following code, when a user logs in, they are presented with two text boxes and a checkbox.

Setting the three cookies, username, password and remember, all works and the log in script itself is completely fine (I appreciate that storing hashed passwords in the cookie isn't best practice but for now it will do).

What happens though, is if the user re-visits the login.php page (this one) while they are already logged in, the cookies are removed one-by-one as the $_POST condition is not being met and therefore the lines below are being executed. How can I prevent this from happening? Also, any suggestions to clean up the code as I will no doubt end up with a lot of repeated code will be appreciated. Thanks

snippet from the 'login.php' page below


} elseif (!$_POST['remember']) {
    $past = time() - 100;
    if (isset($_COOKIE['remember'])) {
        setcookie('remember', '', $past);
    } elseif (isset($_COOKIE['username'])) {
        setcookie('username', '', $past);
    } elseif (isset($_COOKIE['password'])) {
        setcookie('password', '', $past);
    }
}


login.php


<?php
session_start();
include("includes/config.php");
?>
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
<?php
$odb = new PDO("mysql:host=" . DB_SERVER . ";dbname=" . DB_NAME, DB_USER, DB_PASS);

$username = "";
$password = "";

// Cookies take precedence: on a revisit the stored hash is used as the "password".
if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
    $username = $_COOKIE['username'];
    $password = $_COOKIE['password'];
} elseif (isset($_POST['username'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $password = md5(DB_SALT . $password);
}

$sql = "SELECT * from tblMembers WHERE username = :username";
$query = $odb->prepare($sql);
$query->execute(array(":username" => $username));
$results = $query->fetchAll();
if ($results !== FALSE && $query->rowCount() > 0) {
    if ($results[0]['passwordHash'] == $password) {
        $_SESSION['username'] = $username;
        $_SESSION['userID'] = $results[0]['userID'];

        // On a GET revisit $_POST['remember'] is absent, so the elseif branch runs
        // and removes one cookie per request (the behaviour described above).
        if ($_POST['remember']) {
            $month = time() + (60 * 60 * 24 * 30);
            setcookie('remember', $_POST['username'], $month);
            setcookie('username', $_POST['username'], $month);
            setcookie('password', $results[0]['passwordHash'], $month);
        } elseif (!$_POST['remember']) {
            $past = time() - 100;
            if (isset($_COOKIE['remember'])) {
                setcookie('remember', '', $past);
            } elseif (isset($_COOKIE['username'])) {
                setcookie('username', '', $past);
            } elseif (isset($_COOKIE['password'])) {
                setcookie('password', '', $past);
            }
        }

        header("Location: " . "index.php");
    } else {
        echo "password incorrect";
    }
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
    Username:&nbsp;
    <?php
    // The value attribute is quoted and escaped so a cookie value cannot break out of the attribute.
    if (isset($_COOKIE['username'])) {
        echo "<input type=\"text\" id=\"username\" name=\"username\" maxlength=\"40\" value=\"" . htmlspecialchars($_COOKIE['username'], ENT_QUOTES) . "\">";
    } else {
        echo "<input type=\"text\" id=\"username\" name=\"username\" maxlength=\"40\" value=\"\">";
    }
    ?>
    Password:&nbsp;<input type="password" id="password" name="password" maxlength="50">
    Remember Me:&nbsp;
    <?php
    if (isset($_COOKIE['remember'])) {
        echo "<input type=\"checkbox\" id=\"remember\" name=\"remember\" checked=\"checked\">";
    } else {
        echo "<input type=\"checkbox\" id=\"remember\" name=\"remember\">";
    }
    ?>
    <input type="submit" id="submit" name="submit" value="Log In">
</form>
</body>
</html>

Answer Source

Your code says exactly that this should happen. After the first request the remember POST parameter will not be set anymore and thus the if-statement evaluates to true. It then will delete the first cookie. Next time it will delete the second, because the first one already doesn't exist anymore.

Maybe you should replace this line:

elseif (!$_POST['remember']) {

with this:

elseif (!$_POST['remember'] && !$_COOKIE['remember']) {

And you should get rid of the elseifs in there, because you probably want to delete all cookies. Just put if and it should do as you wish.

And on a side note: !$var is not the proper way to check if a value is set. Use !isset($var) instead.
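As an added example (not code from the question or the answer), the remember-me branch rewritten along the lines of the answer: isset() instead of !$var, and one if per cookie so all three are cleared in the same request. It goes one step further than the answer's condition by keying the decision on whether the form was actually submitted (the submit button is named "submit" on the page), so a plain GET revisit never touches the cookies while unticking the box still clears them. The $setCookie callable is a hypothetical injection point so the logic can be exercised outside a real request; $results comes from login.php.

```php
<?php
// Added example, not the asker's or the answerer's code.

const REMEMBER_COOKIES = ['remember', 'username', 'password'];

// Returns 'keep' (no form submitted: leave cookies alone), 'set' (box ticked)
// or 'clear' (form submitted with the box unticked).
function rememberAction(array $post): string
{
    if (!isset($post['submit'])) {
        return 'keep';
    }
    return isset($post['remember']) ? 'set' : 'clear';
}

// Apply the decision. Each cookie gets its own call, not an elseif chain,
// so clearing removes all three in a single request.
function applyRememberAction(string $action, array $values, callable $setCookie): void
{
    if ($action === 'keep') {
        return;
    }
    $expire = ($action === 'set') ? time() + 60 * 60 * 24 * 30 : time() - 100;
    foreach (REMEMBER_COOKIES as $name) {
        $value = ($action === 'set') ? ($values[$name] ?? '') : '';
        // path "/", no domain, Secure (HTTPS only) and HttpOnly so page scripts
        // cannot read the cookie values.
        $setCookie($name, $value, $expire, '/', '', true, true);
    }
}

// Usage at the same point as in login.php, after the password check passed.
// The cookie contents mirror the page's approach; the hash-in-cookie choice is
// the asker's, as noted in the question.
$action = rememberAction($_POST);
applyRememberAction($action, [
    'remember' => $_POST['username'] ?? '',
    'username' => $_POST['username'] ?? '',
    'password' => $results[0]['passwordHash'] ?? '',
], 'setcookie');
```

Because setcookie() only takes effect before any output is sent, this has to run before the HTML above it in login.php is echoed.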
