Web Hosting Talk







View Full Version : PHP Logout - Logout not working on Vista


HostRefugee-Vince
05-10-2007, 06:34 PM
Hi Everyone,

I have created a simple script to handle logging in and out of an admin area. Everything was good, until I started to show it off to a design client. While trying to log out of the software, the script wouldn't log out. Perhaps it's a cookie issue unique to Vista?

Anyhow, both the login and logout parts of the code are included below. If anyone notices something that may affect Vista users, I would highly appreciate it if you could point it out.

This is not the full code, so if it is missing a curly... That's not the problem!

<?php
include ("config.php");
# Include the config.php file

if (empty($online['id'])){
    # If they're not logged in already
    if ($_POST['Login']) {
        # If the login was made

        $user = clean($_POST['username']);
        # clean the username
        $pass = clean($_POST['password']);
        # clean the password

        if (!$user || !$pass) {
            # if either of the fields are empty
            $errormessage = "You left a field blank.";
            include ("./templates/tpl_login.php");
            die();
        } else {

            $pass = md5($pass);

            /*
            Make the password a hash so hopefully it'll
            be equal to at least one of the passwords in
            the database
            */

            $sql = "SELECT * FROM `admin` WHERE username = '$user' AND password = '$pass'";
            $result = mysql_query($sql);

            $row = mysql_fetch_array($result);

            $rights = $row['rights'];

            # Select the row of the user logging in
            if (mysql_num_rows($result) == 1){
                # If a row with the right information is found...

                $expire = time() + 60*15;
                # We'll set an expire time for the cookie, in this case 15 minutes.

                setcookie("username", $user, $expire);
                # Set a cookie for the username
                setcookie("password", $pass, $expire);

                setcookie("rights", $rights, $expire);

                $pagename = "FPA Manager - Main Menu";
                include ("./templates/tpl_header.php");

                include ("./templates/tpl_redirect.php");

            } else {
                # If no rows were found with the given information

                $errormessage = "Incorrect username or password. " . $pass;
                include ("./templates/tpl_login.php");

            }

        }

    } else {
        # The form wasn't submitted
        include ("./templates/tpl_login.php");
        die();
    }

} else {

    //IF P IS NOT DEFINED SHOW HOMEPAGE
    if ($_GET['p'] == '') {
        $pagename = "FPA Manager - Main Menu";
        include ("./templates/tpl_header.php");
        if($_COOKIE['rights'] == 'super') {
            include ("./templates/tpl_index.php");
        } else {
            include ("./templates/tpl_index_2.php");
        }
    }

    //IF P EQUALS LOGOUT, THEN LOG THEM OUT

    elseif ($_GET['p'] == 'logout') {

        setcookie("username", "", 0);

        setcookie("password", "", 0);

        setcookie("rights", "", 0);

        $online['id'] = '';

        echo '<meta http-equiv="Refresh" Content="0; URL=index.php">';
        echo '<div align="center" style="font14Bold">You have been logged out, you are being redirected...</div>';
        die();
    }

HostRefugee-Vince
05-10-2007, 06:37 PM
Might be helpful if I include the important code in the config.php

$uname = addslashes($_COOKIE['username']);
# get the username cookie
$pword = addslashes($_COOKIE['password']);
# get the password cookie
$urights = addslashes($_COOKIE['rights']);

$query = "SELECT * FROM `admin` WHERE username = '".$uname."' AND password = '".$pword."'";
# set a query

$online = mysql_fetch_array(mysql_query($query));
# set an array to get any stored information we want about the browsing user

Xenatino
05-10-2007, 07:33 PM
After the Meta refresh, try running

<?php

print_r($_COOKIE);

?>


to see what the actual contents of the cookies are.

sasha
05-10-2007, 07:45 PM
Heh, that looks so messy :) Here are some drunk comments - excuse my hiccups.

1. Do not include (config.php); if it is important, do require (config.php).
2. Do not bother with cookies. PHP sessions are much prettier to use.


if (login form submitted) {
    $_SESSION['luser'] = new Luser ();
    if ($_SESSION['luser']->login ($_POST['username'] , $_POST['password'] ) ){
        // user is logged in

    }else{
        // login attempt failed
    }
}

// and later

if ($_SESSION['luser']->user_id ) {
    // this user is logged in , we can show him secrets

}else{
    // no secrets for you, redirect to login form
}

// and even later

if (logout form submitted ) {
    $_SESSION['luser'] = new Luser ();
    // or
    $_SESSION['luser']->logout ();
}


The only part you are missing there would be class Luser

class Luser{

    function Luser(){
        $this->user_id = '';
        $this->rights = array ();
    }

    function login ($username, $password) {
        $query = " SELECT id, ... where username and password ... ";
        $res = run db query ;
        if ($r = get assoc result row ($res) ) {
            $this->user_id = result_row [id ];
            .....
            // you could populate rights array here in some way
            $this->rights = ..... ;
            // report success so the caller's if () can branch on it
            return true;
        }
        return false;
    }

    function logout (){
        $this->user_id = '' ;
        // you can kill another vars you set for this object here
        // re-initiating object might be easier
    }

    // you can extend this to handle more stuff
    function create (...) { // make new user account
    }

    .....
}

ak7861
05-10-2007, 11:23 PM
Check and see if you have enabled cache in your php code. This happened to me before, and I got rid of it by using an alternative to cache.. sessions.

stuffradio
05-11-2007, 12:00 AM
Vista is not something that requires special code for lol,

it would be something in your code if it wasn't something that one of the above posted

ak7861
05-11-2007, 12:08 AM
Vista is not something that requires special code for lol,
No one said special code. Every browser and operating system can deal with cache differently.

Jatinder
05-11-2007, 01:08 AM
Use this to unset the cookies:


setcookie("username", "", time() - 3600);
setcookie("password", "", time() - 3600);
setcookie("rights", "", time() - 3600);

orbitz
05-11-2007, 11:32 AM
another thing I've noticed:

$sql = "SELECT * FROM `admin` WHERE username = '$user' AND password = '$pass'";
//......
setcookie("username", $user, $expire);
# Set a cookie for the username
setcookie("password", $pass, $expire);


Why would you want to store these two pieces of info in a cookie and use them for authentication? Isn't this a security risk to your application? :)
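
The session approach sasha suggests, which also covers orbitz's point about keeping the password hash and rights in cookies, written out as an added example that is not code from any poster in this thread. It assumes a PDO connection `$db` and an `admin` table whose `password` column stores `password_hash()` output; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: $db is a PDO handle and
// admin.password stores password_hash() output; function names are hypothetical.

function start_admin_session(): void {
    session_set_cookie_params([
        'httponly' => true,                      // not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when available
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $db, string $user, string $pass): bool {
    // Bound parameter instead of splicing $user into the SQL string.
    $stmt = $db->prepare('SELECT id, password, rights FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id once authenticated
    $_SESSION['admin_id'] = (int) $row['id'];
    $_SESSION['rights']   = $row['rights']; // server-side, the browser cannot edit it
    return true;
}

function is_logged_in(): bool {
    return isset($_SESSION['admin_id']);
}

function logout(): void {
    $_SESSION = [];                         // clear server-side state
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie using the same path/domain it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Front controller: the logout branch runs before any page output.
start_admin_session();
if (($_GET['p'] ?? '') === 'logout') {
    logout();
    header('Location: index.php');
    exit;
}
```

Pages that need authentication call `is_logged_in()` and read `$_SESSION['rights']` instead of `$_COOKIE['rights']`.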

HostRefugee-Vince
05-11-2007, 11:55 AM
Thanks Sasha,

I am going to switch it over to sessions rather than cookies.

Thanks everyone else for their insight!