Results 1 to 3 of 3
Thread: Cookies for admin area...
-
09-10-2002, 04:09 PM #1is a threadkiller
- Join Date
- Jan 2002
- Location
- Ohio
- Posts
- 3,155
Cookies for admin area...
As some of you may know I'm writing a simulated Credit Card system for my site and I have managed to successfully make the admin login section using a MySQL backend. Anyways, how secure would cookies be for the admin section?
I plan on having the admin page set a cookie upon a successful login and store the username and password in the cookie for the other admin pages to check. If a page detects any inconsistency in the cookie, the person will be sent to the login page.
Any suggestions? Would cookies be good for this, security wise? The script isnt mission critical, but I don't want security that can be bypassed easily.
I could prolly use Sessions, but I want to figure out cookies firstDon't like what I say? Ignore me.
-
09-10-2002, 06:05 PM #2Web Hosting Master
- Join Date
- May 2002
- Location
- UK
- Posts
- 2,997
There is a better way of doing this. Personally I don't like using cookies for storing important information.
If you are authenticating the username and password via a 401 protocol (the one which pops up a username and password box) either via the server or in PHP then you can access those details on every script call using the SERVER global array
The variables are called
$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']
An example of PHP authentication is below:
PHP Code:function authenticate() {
header( "WWW-Authenticate: Basic realm=\"By Password\"");
header( "HTTP/1.0 401 Unauthorized");
echo "<p><b>Error 401: Unauthorized</b></p>";
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
authenticate();
}
else {
// validate correct username and password here
}
Last edited by Rich2k; 09-10-2002 at 06:14 PM.
-
09-10-2002, 06:40 PM #3is a threadkiller
- Join Date
- Jan 2002
- Location
- Ohio
- Posts
- 3,155
Ohh... Thats pretty neat. I've always wondered how to do that
Thanks a bunch for the code I think I'll use this instead.
Too bad Apache gives me a Internal Server Error though, but I can still work on it.Don't like what I say? Ignore me.