turkman Posted September 1, 2010

Basically it's a design flaw, but I'm too far into it, so I'm going to have to find a way to get this to work. Basically I have an anonymous board; anyone can post as long as they have cookies enabled. Cookies are key because they help with bans and keeping track. The problem is the following.

The admin, i.e. me, needs to have the same cookie no matter where I log in from. This is to stop the admin being banned by mods, as that cookie key can't be banned.

Now any new visitor to the site gets assigned a cookie. So if the admin went to the site he would get a cookie. But when he logs in I want it to get rid of the old cookie and replace it with his admin cookie.

So say, for argument's sake, he goes to the site and gets assigned Cookie1. In the login confirm I have

    setcookie(cook,cookie1, time() -3600);
    setcookie(cook,$admincook,time() + 60 *24);

After I log in as admin and check the cookie $_COOKIE[cook]; it still displays as cookie1.

But for some strange reason, when I post a thread the value of $admincook gets stored in the database. However, this is only for posting a thread and not for any of the other options, such as asking a question etc. The method of getting the cookie value when posting a thread is the EXACT same... I really don't know why it won't work.

My project is over several files and over 15 thousand lines of code, so I'm not sure what parts I should give you. My main problem is that expiring the cookie and resetting it again straight away doesn't seem to work.

Alex Posted September 1, 2010

I have a feeling your problem is that you're trying to set the cookie and reading it back in the same request. That won't work because cookies are obtained from the client at the start of the request, and change in the cookies will not be reflected in the $_COOKIE array until the next request.

turkman Posted September 1, 2010

How can I get around that, if at all?

fortnox007 Posted September 1, 2010

Not sure, but getting cookie values in the same request is maybe possible with JavaScript, but not sure though. But just for my interest, what happens if someone steals your admin cookie? I certainly hope no critical data is in there, which I almost think there is. Aren't sessions a better / more secure way for your project? Just dropping some lines here. I am anything but an expert, but I just read quite a lot.

Alex Posted September 1, 2010

It's not really a limitation unless your code logic is flawed. You should rewrite your logic to get around this. Without seeing your code I can't really be more specific.

Honestly, from what you've described about your project there are many fundamental flaws. Anyone who gets banned can take the 2 seconds it takes to clear their cookies and they'll be unbanned. For an anonymous posting system banning IPs is a much better solution.

turkman Posted September 2, 2010

It bans IPs and cookies. I just need a way, when it confirms the username and password ...and retrieves the admin cookie, for it to replace the already existing cookie value.

Rifts Posted September 2, 2010

I don't know if this is the solution you are looking for, but you could try this: have a "secret" page for you, maybe with a simple password protection, so like www.yousite.com/admin, and if you change computers ALWAYS just go there first and that will give you the "admin" cookie, and then browse your site like normal?

Alex Posted September 2, 2010

> It bans IPs and cookies. I just need a way, when it confirms the username and password ...and retrieves the admin cookie, for it to replace the already existing cookie value.

Just overwrite the cookie like you were doing it before. Just be aware that the new value will not be available in $_COOKIE until the next request.

turkman Posted September 2, 2010

But it's not working that way. When I log in and set the cookie, I get redirected to the index page. That's fine. If I browse a few pages, the cookie still displays as the old cookie... I echo'd it out for debugging.

If I post a thread, it will use the admin cookie. If I ask a question in the FAQ page it won't allow me because I am a new user, meaning that it's determined my cookie is new and not the admin cookie.

The only difference is which PHP file I'm getting the cookie from. All use the same method, but it's written in different files, if that makes a difference?

You can see the site here: www.imgboard.co.uk

Alex Posted September 2, 2010

Can you post the actual code you're using? Here's a few things you should look into:

- You don't need to set the cookie to expire and set a new one, simply overwrite the value of the previous one
- Make sure that you're using quotes when you should. Strings should be surrounded in quotes.
- Make sure that you're not accessing the website through both www. including and www. excluding URLs. Doing such will result in two different cookies to be created.

turkman Posted September 2, 2010

OK, well, in index.php, which shows the old cookie, I use

    $ip = $_SERVER["REMOTE_ADDR"];
    $c = $_COOKIE['supercookie'];
    if(isbanned($ip,$c)){
        You_are_banned();
    }
    else{
        ///#######vookieset end#######
        add_notice($_COOKIE['supercookie']);

In functions.php, which is a background include file, I use

    if(isset($_SESSION['lv'])){
        $lv = $_SESSION['lv'];
    }
    else{
        $lv = 0;
    }
    $s = $_COOKIE['supercookie'];

Alex Posted September 2, 2010

That doesn't really help much. From what you're describing it sounds like the problem I outlined above. Are you using both www. and non www. URLs to access parts of the website? It's suggested that you keep it all consistent and force one or the other (you can do this using .htaccess), and this is one reason why.
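
An added example, not code from any poster in this thread: one way to do the overwrite Alex describes, with an explicit path and domain so every page and both www. and bare-host URLs share a single cookie, and with $_COOKIE updated by hand for the remainder of the login request. Only the cookie name supercookie and the variable $admincook come from the thread; the domain, lifetime, function name and admin value are assumptions.

```php
<?php
// Added example, not code from the thread. 'supercookie' is the cookie name the
// poster uses; the domain, lifetime and function name are assumptions.

const ID_COOKIE     = 'supercookie';
const COOKIE_PATH   = '/';              // whole site, not just the login directory
const COOKIE_DOMAIN = '.example.test';  // placeholder; covers www. and the bare host

/**
 * Replace the visitor's cookie with $value (e.g. the admin value) after login.
 * A browser keys cookies on name + domain + path, so every setcookie() call for
 * this name must pass the same path and domain, or two cookies with the same
 * name coexist and different pages read different ones.
 */
function replace_identity_cookie($value, $lifetime = 86400)
{
    if (headers_sent()) {
        return false;   // output already started: Set-Cookie can no longer be sent
    }
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $ok = setcookie(ID_COOKIE, $value, time() + $lifetime,
                    COOKIE_PATH, COOKIE_DOMAIN, $secure, true /* HttpOnly */);
    if ($ok) {
        // $_COOKIE was built from the request headers before the script ran;
        // update it by hand so code later in this same request sees the new value.
        $_COOKIE[ID_COOKIE] = $value;
    }
    return $ok;
}

// Constructed demonstration: the visitor arrives holding "cookie1", then logs in.
$_COOKIE[ID_COOKIE] = 'cookie1';
$admincook = 'admin-cookie-value';      // placeholder for the stored admin value

if (replace_identity_cookie($admincook)) {
    // In the real login handler, redirect here so the next request carries the
    // new cookie:  header('Location: /'); exit;
    echo $_COOKIE[ID_COOKIE], PHP_EOL;
}
```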

turkman Posted September 2, 2010

I don't believe that is the cause, because I just changed to mod rewrites and I had to go through all the links and replace them with the full link http://wwww. etc. Every link to every page, and even in the background, has the same full link.

I understand it's hard to help, don't worry about it. As I say, there is just too much code and it jumps from page to page and function to function, so I wouldn't even like to begin trundling through it to show the path each process takes. It's annoying because it just seems like such a basic problem.