
How can you keep track of login status by PHP?

I include the following page in each of my pages to check the login status. I try to identify the user after he logs in by the cookie. However, I have not managed to read my login_cookie or use it in any way.

The code handle_login_status.php where I manipulate the login status

```php
<?php

    $dbconn = pg_connect("host=localhost port=5432 dbname=masi user=masi password=123");

    //1. read the first word in Cookie of the form 
        //"email@gmail.com,ca05106e445c15197f7213bc12648524
    //Then, store this word to $email 
    $cookie_tripped = explode(",", $_COOKIE['login_cookie']);   
    $email = $cookie_tripped[0];
    $result = pg_prepare($dbconn, "query1", 'SELECT passhash_md5 FROM users 
                         WHERE email = $1;');
    $result = pg_execute($dbconn, "query1", array($email));
    if(!$result) {
        exit;
    }

    // to take the passhash out of the cookie
    $passhash_md5_cookie = $cookie_tripped[1];
    if($result == $passhash_md5_cookie) {
        $result = pg_prepare($dbconn, "query7", "UPDATE users SET logged_in = $1
            WHERE email = $2;");
        $result = pg_execute($dbconn, "query7", array("true", $email));
        $logged_in = true;
    }
    else {
        $result = pg_execute($dbconn, "query7", array("false", $email));
        $logged_in = false;
    }
```

I set up the cookie in the handler of the login form.

The declaration of login_cookie at handle_login_form.php

```php
global $login_cookie;
$login_cookie = $_POST['email'] . ',' . md5($_POST['password']);

$result = pg_prepare($dbconn, "query3", 'SELECT passhash_md5 
    FROM users WHERE email = $1;');
$result = pg_execute($dbconn, "query3", array($_POST['email']));

while ($row = pg_fetch_row($result)) {
    $password_original = $row[0];
}

$login_cookie_original = $_POST['email'] . ',' . md5($password_original);

if ( $login_cookie_original == $login_cookie )
{   
    setcookie("login_cookie", $login_cookie);
    header("Location: /codes/index.php?ask_question");
    die("logged in");
} 
```

Léo Léopold Hertz 준영
  • Read the manual already... Trust me, it will help way more than posting questions here. At least you'll get a grasp of the language. http://php.net/manual – Andrew Moore Aug 09 '09 at 05:53
  • Plus, you don't even give us enough information to debug properly... Where is `$login_cookie_original` defined? Where is `$login_cookie` defined? – Andrew Moore Aug 09 '09 at 05:56

2 Answers

You don't even give us enough information to debug properly...

  • Where is $login_cookie_original defined?
  • Where is $login_cookie defined?

Without that information, we can't debug your code properly. You do use setcookie() properly to set the cookie, and then use the $_COOKIE variable to read it.

Sessions would be an easier way to handle a login situation.

You've also been asking a lot of very basic questions about PHP and you don't seem to have a grasp on how the language works. I suggest giving the documentation a good read before your next question.

Andrew Moore
  • "Sessions would be an easier way to handle a login situation" not to mention they're almost guaranteed to be more secure. – UnkwnTech Aug 09 '09 at 06:04
  • **@Unkwntech:** Actually, they are not really more secure than using cookies (if cookies done right). Sessions are in fact a glorified cookie. As soon as someone steals your session id, you are pretty much done for, same for cookies. See my answer for more information: http://stackoverflow.com/questions/1221447/what-do-i-need-to-store-in-the-php-session-when-user-logged-in/1225668#1225668 – Andrew Moore Aug 09 '09 at 06:06
  • Your answer suggests to me that it is best for me to first get my code working with default cookies, not with Sessions. - When I need extreme security, sessions may help. – Léo Léopold Hertz 준영 Aug 09 '09 at 15:33
  • No, that's not what I suggest. The less information you send to the client, the better it is. Also, using sessions has the advantage of greatly simplifying your code. Use sessions, not cookies. – Andrew Moore Aug 09 '09 at 16:11
  • Cookies should be used in a situation where you need read/write from JavaScript and/or another web language (like Python). – Andrew Moore Aug 09 '09 at 16:12
  • @Andrew: I am now putting all user info to URL because it has been the only way for me to get my login system to work. - **How would you move the user info in the URL by SESSIONs?** – Léo Léopold Hertz 준영 Aug 10 '09 at 02:46
  • The link I provided to the Sessions documentation will answer your question way better than I could possibly answer it. Don't be afraid to read it. It is also available in your native language. – Andrew Moore Aug 10 '09 at 05:33

You might want to have a look at sessions http://www.tizag.com/phpT/phpsessions.php

John Boker
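
Added example, not part of either answer or of the asker's code: a sketch of the session-based approach both answers recommend, where the client holds only the session id instead of the email and password hash. The `passhash` column (holding `password_hash()` output), the helper function names and PHP 7.3 or later are assumptions.

```php
<?php
// Added example: session-based login state for the users table discussed above.
// Assumptions (not from the original post): a `passhash` column holding
// password_hash() output, PHP >= 7.3, and the helper names below.

function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from the login form handler. Returns true on success.
function log_in($dbconn, string $email, string $password): bool {
    $result = pg_query_params($dbconn,
        'SELECT passhash FROM users WHERE email = $1', [$email]);
    $row = $result ? pg_fetch_row($result) : false;
    // password_verify() checks the salted hash in constant time
    if (!$row || !password_verify($password, $row[0])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after login blocks session fixation
    $_SESSION['email'] = $email;   // kept server-side; the client only holds the id
    return true;
}

// Call on every page instead of parsing a credential-bearing cookie.
function current_user(): ?string {
    return $_SESSION['email'] ?? null;
}

function log_out(): void {
    $_SESSION = [];
    session_destroy();
}

// Usage sketch (constructed, mirrors the redirect in the question's handler):
// start_secure_session();
// if (log_in($dbconn, $_POST['email'], $_POST['password'])) {
//     header('Location: /codes/index.php?ask_question');
//     exit;
// }
```

Each page calls `start_secure_session()` before any output and then checks `current_user()`; no `logged_in` column update is needed because the state lives in the server-side session.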