cookies...[RESOLVED thanks]

Printable View

Jul 29th, 2003, 10:14 AM
yair24

cookies...[RESOLVED thanks]

hello,

I need to make a login page.
back when I used to program in ASP I was reading the username and pasword comparing it to thr one in the databse and if it was correct then I sould setup a cookie with a TRUE value and then in each page I would have check if the cookie exist and if so I would have know that the user is still loged.

when the user closes the browzer the cookie vanished. and the session is over.

so why am I telling you all this?
because in PHP I cannot do that... it tells me to put the SetCookie() function on top of the page so I cannot check the database before puting the cookie...

what can I do?

I hope the question is clear...

thanks
Jul 29th, 2003, 02:26 PM
The Hobo

You can check the database before setting the cookie. You just can't send any output to the browser before setting the cookie.

You could have 200 lines of code before setcookie(), just as long as no output has been sent to the browser.

Which means no echo statements, no HTML before the <?php, no blank lines before the <?php, etc.
Jul 30th, 2003, 01:43 AM
yair24

ok but please answer this:

can I make output in an "if" statement before setting the cookie?

for example: (pseudo code)

if (username != username in databease or password != assword in database)
{
echo "wrong password"

}
else
{
setcookie();
}

is this fine?
Jul 30th, 2003, 01:18 PM
The Hobo

Yes, as the echo statement would not have been called if setcookie is being called. That is perfectly fine.
Jul 31st, 2003, 01:38 AM
CornedBee

How do you know that the cookie vanishes? I could probably set the cookie manually by editing the cookie file and login to your page without a user name or password.
Jul 31st, 2003, 03:27 AM
yair24

so the corect way of doing this is ...

Quote:

Originally posted by CornedBee
How do you know that the cookie vanishes? I could probably set the cookie manually by editing the cookie file and login to your page without a user name or password.

so the corect way to do it is using sessions?
Jul 31st, 2003, 03:50 AM
CornedBee

Something that cannot be faked. A session id is ok.
Aug 1st, 2003, 02:24 PM
The Hobo

I think it would be better to store an encrypted password and username in the cookie rather than a true value.

That way, when a user navigates to the page, the page can check the value of the $_COOKIE['username'] and the $_COOKIE['password'] and compare them to the database.

If the cookies contain invalid data, it will show a login. If they have valid data, it will show the page.

And of course, if the cookies do not exist, it will show a login page.

Code:

if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) { //check to see if a record exists with the encrypted password and user name //if exists //show page and renew the cookie's expiration date //else //clear the invalid cookies and show login //end if } else { //show login }