php $_COOKIE['']; not setting. exactly :/


shortysbest

I am trying to make a login using cookies. I had been using sessions, but I need to use cookies for it now. I have a page called login.php, and I use ajax to log in. It seems to be setting the cookie and printing the value of it out when I log in, however that's about it. When I'm reading the cookie on other pages it doesn't appear to recognize a cookie. However, if I set the cookie on just a regular index page it has no problem with setting it and reading it. It works fine when I do that.

 

This is how I set the cookie on the login page (also the exact code I used to test setting it on the index page):

$expire=time()+60*60*24*30;
setcookie("id", $dbid, $expire);
$session = $_COOKIE['id'];

 

Then to read it on other pages I just use:

 

$session = $_COOKIE['id'];

 

 


You are not using the 4th and 5th parameters of setcookie(), so the $_COOKIE will only match the exact path and subdomain (www. vs no www. on the URL) where it was set.

Also, referencing the $_COOKIE variable immediately after a setcookie() statement won't return the value until after the page has been reloaded because it is the HTTP request from the browser that causes the $_COOKIE variables to be set.

 

And, I hope that $dbid is not just the auto-increment id from your table, because anyone can just set the cookie with any value they want and they could go through a series of numbers and eventually find YOUR id and log in to your site as YOU.


Oh thanks, setting path fixed it.

Currently the id is just the auto increment id (since it's not a live site or anything), and this login script was just something I am using for a temporary login until I get to building a fully functional login script for a live site.

 

What I was going to do for the id (for cookie) was something like md5(Email+md5(password)+id) or something. Not sure what the most secure way about it would be.


something like. md5(Email+md5(password)+id)

 

^^^ That would produce a fixed/static value for each visitor. Once someone gets a hold of that value they can continue to use it to impersonate the visitor forever.

 

You need to use something like - uniqid, which is essentially what a session id is, so that you can regularly regenerate the value so that if someone does get a hold of the value, they can only use it for a limited amount of time to impersonate the visitor and if you detect that someone other than the actual visitor is using it, you can easily disable the current value and assign a new value when the actual visitor logs in again.


Another point about using a cookie to 'remember' someone. That's all the existence of the cookie should do, identify the visitor. It should not determine if the visitor is logged in, if he is an admin, or what his privileges are, .... You should 'remember' if the visitor is logged in ONLY using a value stored on the server.


  • 2 weeks later...

Hey, I'm back to the point where I want to use uniqid() to tell when a user is logged on, however, I need to store the session id in a cookie as well, to use around the site. So I'm not exactly sure how I should go about this? If I set a cookie with uniqid() how would I assign that id to just that user?

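One way to tie a random cookie value to a single user, as asked in the last post: store the value server-side next to the user's id and look it up on every request. This is an added example, not code from the thread; the login_tokens table and the function names are hypothetical, in-memory SQLite stands in for the site's database, and it uses random_bytes() rather than uniqid() because uniqid() is derived from the current time and the PHP manual says it must not be used where values need to be unguessable.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Table and function names are hypothetical.
const TOKEN_TTL = 60 * 60 * 24 * 30; // 30 days, same lifetime as the original post

function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32)); // unguessable, unlike a row id
    // Store only a hash, so a leaked table does not hand out usable cookies.
    $db->prepare('INSERT INTO login_tokens (token_hash, user_id, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL]);
    return $token;
}

function sendTokenCookie(string $token): void {
    // Options-array form needs PHP 7.3+. 'path' => '/' makes the cookie visible
    // on every page of the site; 'secure' assumes the site is served over HTTPS.
    setcookie('id', $token, ['expires' => time() + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

function userFromToken(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT user_id FROM login_tokens WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id; // null: unknown, expired or revoked
}

function revokeToken(PDO $db, string $token): void {
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed demo run from the CLI.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');

$token = issueToken($db, 42);         // at login, after the password check;
                                      // a web page would then call sendTokenCookie($token)
var_dump(userFromToken($db, $token)); // later requests pass $_COOKIE['id'] ?? '' here
var_dump(userFromToken($db, '43'));   // a guessed value such as a neighbouring row id
revokeToken($db, $token);             // logout or suspected theft; issue a new one at next login
var_dump(userFromToken($db, $token));
```

The cookie only identifies the visitor; whether that visitor is logged in, and with which privileges, is read from the server-side row that the token resolves to.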
