Results 1 to 3 of 3
  1. #1
    Join Date
    Jan 2002
    Location
    Ohio
    Posts
    3,155

    Question Cookies for admin area...

    As some of you may know I'm writing a simulated Credit Card system for my site and I have managed to successfully make the admin login section using a MySQL backend. Anyways, how secure would cookies be for the admin section?

    I plan on having the admin page set a cookie upon a successful login and store the username and password in the cookie for the other admin pages to check. If a page detects any inconsistency in the cookie, the person will be sent to the login page.

    Any suggestions? Would cookies be good for this, security wise? The script isnt mission critical, but I don't want security that can be bypassed easily.

    I could prolly use Sessions, but I want to figure out cookies first
    Don't like what I say? Ignore me.

  2. #2
    Join Date
    May 2002
    Location
    UK
    Posts
    2,997
    There is a better way of doing this. Personally I don't like using cookies for storing important information.

    If you are authenticating the username and password via a 401 protocol (the one which pops up a username and password box) either via the server or in PHP then you can access those details on every script call using the SERVER global array

    The variables are called
    $_SERVER['PHP_AUTH_USER']
    $_SERVER['PHP_AUTH_PW']

    An example of PHP authentication is below:

    PHP Code:
    function authenticate() {
        
    header"WWW-Authenticate: Basic realm=\"By Password\"");
        
    header"HTTP/1.0 401 Unauthorized");
        echo 
    "<p><b>Error 401: Unauthorized</b></p>";
        exit;
    }

    if (!isset(
    $_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
        
    authenticate();
    }
    else {
     
    // validate correct username and password here

    Last edited by Rich2k; 09-10-2002 at 06:14 PM.

  3. #3
    Join Date
    Jan 2002
    Location
    Ohio
    Posts
    3,155

    Thumbs up

    Ohh... Thats pretty neat. I've always wondered how to do that

    Thanks a bunch for the code I think I'll use this instead.

    Too bad Apache gives me a Internal Server Error though, but I can still work on it.
    Don't like what I say? Ignore me.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •