I have a typical login (username, password) and also want to include a 'save my details' check box. The login form Posts its values to login_script.php and if the login is successful, the user is redirected to the main page of the site.
I'm trying to use this method to save the login details:
    //Remember Me Function
    if(isset($_POST['remember_me'])){
        // Set a cookie that expires in 24 hours
        setcookie("username",$username, time()+3600*24);
        setcookie("password",$password, time()+3600*24);
    }
Now from what I understand, setcookie("username",$username, time()+3600*24); must be set at the top of the PHP page before any other code is executed.
My issue is that I do not want to set the cookie unless the user has successfully logged in. However due to the set cookie function being called in the middle of the script after the login test, it will not work.
Any ideas? Cheers.
For login cookies, there are two common methods of storing login information in cookies: a signed cookie or a token cookie. Signed cookies typically store the user's name, maybe their user ID, when they last logged in, and whatever else the service may find useful.
A cookie doesn't store passwords but keeps a unique identifier for websites to remember you. If you clear your cookies, you'll be logged out of the sites that use them and have to enter your login information again.
First of all: do not save passwords in a cookie! This is a very bad idea security-wise.
As for your problem: there is no way around it, you need to have no output at all before setting your cookie. There are two ways to achieve this:
Solution 1: the login page always redirects
Have your login requests go to a script which sets a cookie (if the login was successful) and then always redirects the user to another page (e.g. a welcome screen, or back to the login page if unsuccessful). The login script will not emit any output, therefore you can set cookies before redirecting.
Solution 2: output buffering
Start output buffering at the beginning of your script. After the check for successful login, set the cookie first and then stop output buffering with something like ob_end_flush.
Personally I consider solution #1 to be more elegant and superior in function.
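Solution 1 combined with a token cookie instead of the password, as an added example that is not code from the question or the answers. The SQLite file, the table and column names, the cookie name and the redirect targets login.php and index.php are assumptions.

```php
<?php
// login_script.php (added example): sends headers only, never page output.
session_start();

// Assumptions: SQLite file, table and column names, and the redirect
// targets login.php / index.php are hypothetical.
$pdo = new PDO('sqlite:' . __DIR__ . '/app.db', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE IF NOT EXISTS users
    (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->exec('CREATE TABLE IF NOT EXISTS remember_tokens
    (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
$stmt->execute([$username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if (!$user || !password_verify($password, $user['password_hash'])) {
    header('Location: login.php?error=1'); // failed login: no cookie is set
    exit;
}

session_regenerate_id(true);               // fresh session id after authentication
$_SESSION['user_id'] = (int)$user['id'];

if (isset($_POST['remember_me'])) {
    $token   = bin2hex(random_bytes(32));  // random identifier, not the password
    $expires = time() + 3600 * 24;         // 24 hours, as in the question

    // Keep only a hash server-side so a leaked table yields no usable tokens.
    $ins = $pdo->prepare('INSERT INTO remember_tokens
        (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $ins->execute([hash('sha256', $token), $user['id'], $expires]);

    setcookie('remember_me', $token, [     // options array needs PHP 7.3+
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

header('Location: index.php');             // success: always redirect
exit;
```

On later visits without a session, the site would hash the cookie value with SHA-256, look it up in remember_tokens, and reject it if expires_at has passed.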
It's a very bad practice to store a password somewhere users have access to (on the client side). Worse still, you did not hash or encrypt the password when storing it (clients can see the password!)
A good security policy is to never allow anyone to see the actual password, except when the code is working with it.
You can do this instead:
Or you can instead
But I always recommend the former because it's easier to implement and the session handling is done by PHP (unless you're overriding the session handling)