Simple PHP login with cookie -


i have begun developing simple php login asks password allow access website. creates cookie allow continued access until user closes browser window.

at top of each page check cookie:

<?php      if(!isset($_cookie['authorised']) || ($_cookie['authorised'] != 'true'))     {         include('login.php'); exit;     }  ?>

if don't exit , show login form:

<?php      function pageurl()     {         $pageurl = 'http';         if ($_server["https"] == "on")         {             $pageurl .= "s";         }         $pageurl .= "://";         if ($_server["server_port"] != "80")         {             $pageurl .= $_server["server_name"].":".$_server["server_port"].$_server["request_uri"];         }          else         {             $pageurl .= $_server["server_name"].$_server["request_uri"];         }         return $pageurl;     }      $pageredirect = pageurl();      if(isset($_post['password']) && ($_post['password'] == 'qwe123'))     {         setcookie('authorised', 'true'); header("location:$pageredirect",303);     }     else     {         include('noaccess.php'); exit;     }  ?> <form action="<?php echo pageurl(); ?>" method="post"> <input type="password" name="password" />                 <input type="submit" title="i agree" value="i agree" name="submit" />             </form>

the current php old warning page when had agree access site, want modify work simple form if user types password example 'qwe123' create cookie , redirected page have access because of cookie. if wrong page included , exited.

can me this? thanks

please don't try store things "authenticated" in client side cookie; that's incredibly insecure. user can modify in cookie - in case, cookie in browser settings , edit set "authenticated" true. logged in, without username or password.

have @ php's session management functions. should create session , store secure information server side, not client side.

an example using sessions following;

<?php session_start();  $secretpassword = 'qwert1234'; $secretusername = 'foobar';  if ($_session['authenticated'] == true) {    // go somewhere secure    header('location: secure.php'); } else {    $error = null;    if (!empty($_post)) {        $username = empty($_post['username']) ? null : $_post['username'];        $password = empty($_post['password']) ? null : $_post['password'];         if ($username == $secretusername && $password == $secretpassword) {            $_session['authenticated'] = true;            // redirect secure location            header('location: secure.php');            return;        } else {            $error = 'incorrect username or password';        }    }    // create login form or    echo $error;    ?> <form action="login.php"><input type="text" name="username" /><input type="text" name="password" /><input type="submit" value="login" /></form> <?php }

it's pretty ugly example, covers meat of it

  • if user logged in already, secure stuff (of course, secure.php script should verify user logged in)
  • if user not logged in, have submitted form, check details
    • if username/password incorrect, set error messagee
    • if username/password correct, send them secure place
  • display error message, if set
  • display login form

you run session_start() before sending other output; stores session cookie on client side, stores identification number on client side. other data stored on server side, cannot modified user.

there several parameters can set on improve security, including httponly (prevents cookie being accessed via javascript, helps against xss attacks) , secure (only transfer cookie on ssl). these should enabled if possible.


Comments

Post a Comment

Popular posts from this blog

asp.net - repeatedly call AddImageUrl(url) to assemble pdf document -

i'm using abcpdf , i'm curious if can recursively call addimageurl() function assemble pdf document compile multiple urls? something like: int pagecount = 0; int theid = thedoc.addimageurl("http://stackoverflow.com/search?q=abcpdf+footer+page+x+out+of+", true, 0, true); //assemble document while (thedoc.chainable(theid)) { thedoc.page = thedoc.addpage(); theid = thedoc.addimagetochain(theid); } pagecount = thedoc.pagecount; console.writeline("1 document page count:" + pagecount); //flatten document (int = 1; <= pagecount; i++) { thedoc.pagenumber = i; thedoc.flatten(); } //now try again theid = thedoc.addimageurl("http://stackoverflow.com/questions/1980890/pdf-report-generation", true, 0, true); //assemble document while (thedoc.chainable(theid)) { thedoc.page = thedoc.addpage(); theid = thedoc.addimagetoc
Read more

java - Android recognize cell phone with keyboard or not? -

in android app, want detect user's device if device has keyboard(like motorola milestone) , show corresponding user interface. guys know how that? ! regards justicepenny http://developer.android.com/reference/android/content/res/configuration.html public int keyboard the kind of keyboard attached device. 1 of: keyboard_nokeys, keyboard_qwerty, keyboard_12key. that's it!
Read more

iphone - How would you achieve a LED Scrolling effect? -

how achieve led scrolling effect example below? led sign - led ticker emulator iphone , ipad http://img.skitch.com/20101201-rsfh4p1bajb1wp94k466pdpiuj.preview.jpg sometimes remunerates comment in other posts :) have put code you, should implement font '8pin matrix' realistic feeling. uilabel *label; - (void)viewdidload { [super viewdidload]; label = [[uilabel alloc]initwithframe:cgrectmake(10, 50, 300, 20)]; label.font = [uifont fontwithname:@"courier-bold" size:16.0]; label.backgroundcolor = [uicolor blackcolor]; label.textcolor = [uicolor greencolor]; label.linebreakmode = uilinebreakmodecharacterwrap; // otherwise "…" label.text = @"this led text scrolled "; // blanks space between [self.view addsubview:label]; [nstimer scheduledtimerwithtimeinterval:0.12f target:self selector:@selector(scrolllabel) use
Read more