Hi,

I made a login script which sends the submitted data to this validating php script called "validate.php"

the content of the file is

<?php
include ("admin/db.php");
session_start();
if(isset($_POST['username']) && ($_POST['password']) && ($_POST['remember']))
{
$username = $_POST['username'];
$password = md5($_POST['password']);
$remember = $_POST['remember'];
}
$query = "SELECT username FROM members WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query);
if ((mysql_num_rows($result) == 1) && ($remember == "yes"))
{
setcookie("MySite_Username", $username);
setcookie("MySite_Logged_In", yes);
setcookie("MySite_Remember", yes);
header("Location: index.php");
}elseif (mysql_num_rows($result) == 1)
{
$_SESSION['logged_in'] = true;
setcookie("MySite_Username", $username);
setcookie("MySite_Logged_In", yes);
header("Location: index.php");
}
else{
header("Location: error.php?id=13");
}
?>

what im trying to do is make a login script with remember me feature

so, if the user clicks "remember me" button, the value comes to this validate.php file and it sets a cookie

unfortunetly, when i close the page and go back and see if the cookie is still there, its not, its gone

how do i fix this?

Looks like you need to put quotes around the value of the cookie and set an expiration time on your cookie, like so:

setcookie('MySite_Remember', 'yes', time()+3600); /* expire in 1 hour */

If you don't set an expiration time on the cookie, it will expire when you close the browser window.

If this doesn't do it, then I'd take a look at the HTML code that calls this page ... make sure you set the values correctly for the "remember me" checkbox (which you describe, I suspect, inaccurately as a button). If the checkbox doesn't return the value "yes," then your cookies wouldn't get set correctly.

Thanks mbridgwater,

It worked like a charmed.

Now i kinda ran into another problem.

You see, if the user selects the option to remember the login for 1hr

the cookie is like this

setcookie('MySite_Remember', 'yes', time()+3600);

perfect.

Now back to one of the page i want to protect. This is how i done it:


<?php

session_start();
if (!isset($_COOKIE['MySite_Remember'] !== "yes") || ($_SESSION['logged_in']) || ($_SESSION['logged_in'] !== true)){
header('Location: index.php?id=login');
}else{
// the protected content, i.e. the main content of the page
}


Now the above code will do this checks

is there a cookie set called "MySite_Remember" and with the value "yes" OR is there a php session set OR is there a php session with the string "logged_in" is equal to "true"

if none of the criteria is met, it will direct the page to login page else if any of the three criteria is met, it will show the protected content

unfortunetly, it isnt working

the idea and the logic behind the coding seems right, but can someone help me debug it plz, its driving me nuts :angry:

What do you think will happen when someone writes this in the username field?

'; DELETE FROM members; --

ohh, im not too sure, but let me guess, some user's record might be deleted?

if so, how could i patch security holes like this?

im sorry, im a noobie and not very well aware of the possible security holes from my coding...

See http://www.php.net/manual/en/function.mysql-real-escape-string.php

With regards to mikaelhg suggestion, I've re-coded my login validating php script to prevent SQL-Injection.

<?php
include ("admin/db.php");
session_start();
if(isset($_POST['username']) && ($_POST['password']) && ($_POST['remember']))
{
$maxUserNameLen = "15";
$maxRememberLen = "3";
$str_username = substr($_POST['username'],0,$maxUserNameLen);
$username = mysql_real_escape_string($str_username);
$password = md5($_POST['password']);
$str_remember = substr($_POST['remember'],0,$maxRememberLen);
$remember = mysql_real_escape_string($str_remember);
}
$query = "SELECT username FROM members WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query);
if ((mysql_num_rows($result) == 1) && ($remember !== ""))
{
setcookie("TamilLondon_Username", $username, time()+43200);
setcookie("TamilLondon_Remember", yes, time()+43200);
header("Location: index.php");
}else{
$_SESSION['logged_in'] = true;
setcookie("TamilLondon_Username", $username);
header("Location: index.php");
}
?>

My only worry is that the protected pages arent working like they should be when the user selects the option "Remember Me"

for e.g. if user logins normally and visit throught the pages, it works great, when they close the page and comes back to view the page, it ask for the login again,

this is how im protecting the pages depending if the cookie Remember => yes

<?php

session_start();
if (!isset($_COOKIE['MySite_Remember'] !== "yes") || ($_SESSION['logged_in']) || ($_SESSION['logged_in'] !== true)){
header('Location: index.php?id=login');
}else{
// the protected content, i.e. the main content of the page
}

?>

Any idea how i can solve this?

Maybe cookies are disabled, or maybe permissions are wrong in the user's cookie directory (this happened to me while testing cookies once, and it took me 4 hours to figure it out!)

Oh, and just to be certain, are you storing the 'MySite_Remember' value as 'yes' and not 'Yes' or 'YES'? You are doing an exact case-sensitive comparison in your test, so the two have to match.

Just a couple of thoughts.

im storing the value "yes" in lower case

I'm pretty sure your problem lies in the if statement:

!isset($_COOKIE['MySite_Remember'] !== "yes") || ($_SESSION['logged_in']) || ($_SESSION['logged_in'] !== true)

I think it should be:

$_COOKIE['MySite_Remember'] != "yes" || ($_SESSION['logged_in']) || ($_SESSION['logged_in'] !== true)

You cannot include a test inside of an isset function.

I'm not sure if that will work, but I'm 99.9% sure this will:

session_start();
if (!isset($_COOKIE['MySite_Remember'] !== "yes") || ($_SESSION['logged_in']) || ($_SESSION['logged_in'] !== true)){
header("Location: validate.php?page=" . $_SERVER['PHP_SELF']);
}else{
// the protected content, i.e. the main content of the page

validate.php:
<?php
include ("admin/db.php");
session_start();

if($_COOKIE['TamilLondon_Remember'] == "yes" && strip($_GET['page']) != "" $_SESSION['logged_in'] !== true) {
$_SESSION['logged_in'] = true;
setcookie("TamilLondon_Username", $_COOKIE['TamilLondon_Username'], time()+43200);
$_SESSION['logged_in'] = true;
header("Location: http://www.yourdomain.com" . $_GET['page']);
}

if(isset($_POST['username']) && ($_POST['password']) && ($_POST['remember']))
{
$maxUserNameLen = "15";
$maxRememberLen = "3";
$str_username = substr($_POST['username'],0,$maxUserNameLen);
$username = mysql_real_escape_string($str_username);
$password = md5($_POST['password']);
$str_remember = substr($_POST['remember'],0,$maxRememberLen);
$remember = mysql_real_escape_string($str_remember);
}
$query = "SELECT username FROM members WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query);
if ((mysql_num_rows($result) == 1) && ($remember !== ""))
{
setcookie("TamilLondon_Username", $username, time()+43200);
setcookie("TamilLondon_Remember", "yes", time()+43200);
header("Location: index.php");
}else{
$_SESSION['logged_in'] = true;
setcookie("TamilLondon_Username", $username);
header("Location: index.php");
}
?>

The code might work straight out, but you might have to look over it.

You also must replace www.yourdomain.com with your domain or website path. Just make sure there is no trailing slash. (like http://www.yourdomain.com/ is invailid)

Anyway, hope it helps!

--Brian

Um...

if (!isset($_COOKIE['MySite_Remember'] !== "yes") || ($_SESSION['logged_in']) || ($_SESSION['logged_in'] !== true)){
header("Location: validate.php?page=" . $_SERVER['PHP_SELF']);
}else{

I think the parens are still off. How about:

if (
!isset($_COOKIE['MySite_Remember']) || ($_COOKIE['MySite_Remember'] !== "yes") ||
!isset($_SESSION['logged_in']) || ($_SESSION['logged_in'] !== true)
)
{
header("Location: validate.php?page=" . $_SERVER['PHP_SELF']);
} else
{
// we're in!
}

(I also added an isset($_SESSION['logged_in']) check)

(I also added an isset($_SESSION['logged_in']) check) [/B]

Thanks for your help, just what i was looking for,

also thanks to you, now i know how to use the || (OR) operator properly.. lolz :D

no prob :) happy to help.