Simple PHP login with cookie

I started developing this very simple PHP login that asks for a password to access a website. It also creates a cookie, allowing access to continue until the user closes his browser window.

At the top of each page, I check the cookie:

<?php
if (!isset($_COOKIE['authorised']) || ($_COOKIE['authorised'] != 'true')) {
    include('login.php');
    exit;
}
?>

If they do not have it, I exit and show the login form:

<?php
function pageURL() {
    $pageURL = 'http';
    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
        $pageURL .= 's';
    }
    $pageURL .= '://';
    if ($_SERVER['SERVER_PORT'] != '80') {
        $pageURL .= $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI'];
    } else {
        $pageURL .= $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    }
    return $pageURL;
}

$pageRedirect = pageURL();
if (isset($_POST['password'])) {
    if ($_POST['password'] == 'qwe123') {
        // Correct password: set the cookie and send the user back to the page
        setcookie('authorised', 'true');
        // header()'s second argument is the "replace" flag; the status code is the third
        header('Location: ' . $pageRedirect, true, 303);
        exit;
    } else {
        // Wrong password: show the no-access page and stop
        include('noaccess.php');
        exit;
    }
}
?>
<form action="<?php echo htmlspecialchars(pageURL(), ENT_QUOTES, 'UTF-8'); ?>" method="post">
    <input type="password" name="password" />
    <input type="submit" title="I agree" value="I agree" name="submit" />
</form>

The current PHP is from the old Warning page, where you have to agree before accessing the site. I want to change it to work with a simple form, so that if the user enters a password, for example "qwe123", a cookie is created and they are redirected back to the page, which they can now access because of the cookie. If they get it wrong, another page is included and the script ends.

Can someone help me? Thanks

+4
2 answers

Please do not try to store things such as "authenticated" in a cookie on the client side; that is incredibly unsafe. The user can change anything in the cookie, so in this case I could look for the cookie in my browser settings and then edit it to set "authenticated" to true. Then I would be logged in without a username or password.

Take a look at the PHP session management features. You must create a session and keep the sensitive information on the server side, not on the client side.

An example of using sessions is as follows:

<?php
session_start();
$secretpassword = 'qwert1234';
$secretusername = 'foobar';

if (!empty($_SESSION['authenticated'])) {
    // Already logged in: go somewhere secure
    header('Location: secure.php');
    exit;
} else {
    $error = null;
    if (!empty($_POST)) {
        $username = empty($_POST['username']) ? null : $_POST['username'];
        $password = empty($_POST['password']) ? null : $_POST['password'];
        if ($username === $secretusername && $password === $secretpassword) {
            $_SESSION['authenticated'] = true;
            // Redirect to your secure location
            header('Location: secure.php');
            exit;
        } else {
            $error = 'Incorrect username or password';
        }
    }
    // Create a login form or something
    echo $error;
?>
<form action="login.php" method="post">
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="submit" value="login" />
</form>
<?php } ?>

This is a pretty ugly example, but it covers the meat of it:

  • If the user is already logged in, do the secure stuff (of course, the secure.php script should also make sure the user is logged in)
  • If the user is not logged in but has submitted the form, check their details
    • If the username / password is incorrect, set the error message
    • If the username / password is correct, send them to the secure location
  • Display the error message if set
  • Display the login form

Run session_start() before sending any other output; this sets a client-side session cookie that only stores an identification number. All other data is stored on the server side, so the user cannot change it.

There are several parameters you can set to increase security, including httponly (prevents access to the cookie through JavaScript, which helps against XSS attacks) and secure (the cookie is only transferred over SSL). They should be enabled if possible.

+10
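As an added example (not code from the question or from either answer), this is what the session approach in the answer above looks like once the recommended cookie flags are applied, the plaintext password constant is replaced by a password_hash() value, and the per-page check that secure.php needs is factored into one function. The file names auth.php, login.php and secure.php, the account name and the hash placeholder are assumptions; the site is assumed to be served over HTTPS.

```php
<?php
// Added example; not the asker's or the answerer's code.
// Assumptions: one local account, HTTPS everywhere, and the hypothetical
// file names auth.php (this file), login.php and secure.php.
declare(strict_types=1);

// Cookie flags the answer recommends. HttpOnly keeps JavaScript away from the
// session id, Secure restricts it to HTTPS, SameSite=Strict stops cross-site
// requests from carrying it. These must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,         // session cookie: discarded when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Credential store for the example. The hash is a placeholder; generate a real
// one with:  php -r 'echo password_hash("your-password", PASSWORD_DEFAULT);'
const LOGIN_USER      = 'admin';
const LOGIN_PASS_HASH = '$2y$10$PLACEHOLDER_REPLACE_WITH_REAL_HASH';

function isAuthenticated(): bool
{
    return isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
}

/** Gate for protected pages (e.g. the top of secure.php), before any output. */
function requireLogin(): void
{
    if (!isAuthenticated()) {
        header('Location: login.php', true, 303);
        exit;
    }
}

/** Checks a submitted username/password; on success upgrades the session. */
function attemptLogin(string $username, string $password): bool
{
    // hash_equals() compares in constant time, so the username check leaks no timing.
    $userOk = hash_equals(LOGIN_USER, $username);
    // password_verify() runs regardless, so a wrong username costs as much as a wrong password.
    $passOk = password_verify($password, LOGIN_PASS_HASH);
    if (!$userOk || !$passOk) {
        return false;
    }
    // Fresh session id on privilege change defends against session fixation.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// ---- login.php would contain the following, after: require __DIR__ . '/auth.php'; ----
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = (string) ($_POST['username'] ?? '');
    $p = (string) ($_POST['password'] ?? '');
    if (attemptLogin($u, $p)) {
        header('Location: secure.php', true, 303);
        exit;
    }
    // One message for both failure cases, so the response does not reveal which part was wrong.
    $error = 'Incorrect username or password';
}
?>
<?php if ($error !== null): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form action="login.php" method="post">
    <input type="text" name="username" autocomplete="username" />
    <input type="password" name="password" autocomplete="current-password" />
    <input type="submit" value="login" />
</form>
```

secure.php then only needs require __DIR__ . '/auth.php'; followed by requireLogin(); as its first statements. Because the flag is stored in $_SESSION on the server, editing the browser's cookie as the answer describes no longer grants access: the only client-side value is the session id, and it is regenerated at login.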

Just submit the form to the page where you verify the password, and it should work fine.

However, you may need to change $_SERVER["REQUEST_URI"] to a more specific page, as it will just be the page you are currently on (the page the form was sent to).

0
