tags:

views:

293

answers:

2

How can you keep track of login status by PHP?

I include the following page to each my page to check the login status. I try to identify the user after he logs in by the cookie. However, I have not managed to read my login_cookie or use it in any way.

The code *handle_login_status.php* where I manipulate the login status

<?php

    $dbconn = pg_connect("host=localhost port=5432 dbname=masi user=masi password=123");

    //1. read the first word in Cookie of the form 
        //"[email protected],ca05106e445c15197f7213bc12648524
    //Then, store this word to $email 
    $cookie_tripped = explode(",", $_COOKIE['login_cookie']);   
    $email = $cookie_tripped[0];
    $result = pg_prepare($dbconn, "query1", 'SELECT passhash_md5 FROM users 
                         WHERE email = $1;');
    $result = pg_execute($dbconn, "query1", array($email));
    if(!$result) {
        exit;
    }

    // to take the passhash out of the cookie
    $passhash_md5_cookie = $cookie_tripped[1];
    if($result == $passhash_md5_cookie) {
        $result = pg_prepare($dbconn, "query7", "UPDATE users SET logged_in = $1
            WHERE email = $2;");
        $result = pg_execute($dbconn, "query7", array("true", $email));
        $logged_in = true;
    }
    else {
        $result = pg_execute($dbconn, "query7", array("false", $email));
        $logged_in = false;
    }

I set up the cookie in the handler of the login form.

The declaration of login_cookie at handle_login_form.php

global $login_cookie;
$login_cookie = $_POST['email'] . ',' . md5($_POST['password']);

$result = pg_prepare($dbconn, "query3", 'SELECT passhash_md5 
    FROM users WHERE email = $1;');
$result = pg_execute($dbconn, "query3", array($_POST['email']));

while ($row = pg_fetch_row($result)) {
    $password_original = $row[0];
}

$login_cookie_original = $_POST['email'] . ',' . md5($password_original);

if ( $login_cookie_original == $login_cookie )
{   
    setcookie("login_cookie", $login_cookie);
    header("Location: /codes/index.php?ask_question");
    die("logged in");
}
+2  A: 

You might want to have a look at sessions http://www.tizag.com/phpT/phpsessions.php

John Boker
+5  A: 

You don't even give us enough information to debug properly...

  • Where is $login_cookie_original defined?
  • Where is $login_cookie defined?

Without that information, we can't debug your code properly. You do use setcookie() properly to set the cookie, and then use the $_COOKIE variable to read it.

Sessions would be an easier way to handle a login situation.

You've also been asking lot of very basic questions about PHP and you don't seem to have a grasp on how the language works. I suggest giving the documentation a good read before your next question.

Andrew Moore
"Sessions would be an easier way to handle a login situation" not to mention they're almost guaranteed to be more secure.
Unkwntech
**@Unkwntech:** Actually, they are not really more secure than using cookies (if cookies done right). Sessions are in fact a glorified cookie. As soon as someone steals your session id, you are pretty much done for, same for cookies. See my answer for more information: http://stackoverflow.com/questions/1221447/what-do-i-need-to-store-in-the-php-session-when-user-logged-in/1225668#1225668
Andrew Moore
Your answer suggests me that it is best for me to first get my code working with default cookies, not with Sessions. - When I need extreme security, sessions may help.
Masi
No, that's not what I suggests. The less information you send to the client, the better it is. Also, using sessions has the advantage of greatly simplifying your code. Use sessions, not cookies.
Andrew Moore
Cookies should be used in a situation where you need read/write from JavaScript and or another web language (like Python).
Andrew Moore
@Andrew: I am now putting all user info to URL because it has been the only way for me to get my login system to work. - **How would you move the user info in the URL by SESSIONs?**
Masi
The link I provided to the Sessions documentation will answer your question way better than I could possibly answer it. Don't be afraid to read it. It is also available in your native language.
Andrew Moore