Posted by Dennis Kehrig on 02/15/07 12:31
Jeff wrote:
> I'm developing a web site by using php. Registered users of the web
> site can login to get access to the member area. All the pages in the web
> site contain a DIV which shows the name of the logged in person.
> The PROBLEM is that after a person has logged in the name of the user
> isn't displayed. But it becomes visible if the user clicks on one of the
> pages in the web site...
Sounds to me like you are storing the actual login data as a cookie.
This is a bad idea since anyone with access to that computer can read the
cookie value and therefore knows the password.
Or you just send the username, which would be even more insecure,
because then anyone can send a cookie to your website with any username
he wants and be therefore considered "logged in".
You might want to consider using sessions.
http://de3.php.net/manual/en/features.sessions.php
<?php
session_start();
....
// loginIsCorrect() stands for whatever check your site already performs
// against its user table; it is not a built-in PHP function.
if (loginIsCorrect($_POST["username"], $_POST["password"])) {
    // Stored server-side; only the session ID travels in the cookie.
    $_SESSION["username"] = $_POST["username"];
}
?>
Start the session on every page you need security clearance and check
whether $_SESSION["username"] is set. session_start() sends and later
uses a cookie with a session ID so that the session (i.e. the variable
$_SESSION) is restored with every page load. This way, the value you
want to print ($_SESSION["username"]) is set right away.
If you insist on further using just the cookie, then you could do
something like this:
<?php
$username = '';  // default, so the echo below never uses an undefined variable
if (isset($_COOKIE["username"])) {
    $username = $_COOKIE["username"];
} elseif (isset($_POST["username"])) {
    $username = $_POST["username"];
}
// Both sources are client-supplied, so escape before putting them into HTML.
echo '<div class="Username">' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</div>';
?>
This applies if the name of the form field that contains the username is
"username". Either the cookie is set or the POST value (after logging in).
> This is as described in the php manual: "Cookies will not become
> visible until the next loading of a page that the cookie should be
> visible for."
Yes. Your script sends a header along with the HTML code that sets the
cookie. Only then does the browser know of the cookie and can send it along
with the next request (which happens when he clicks a link).
> I'm thinking of creating a dummy page which does nothing but redirect
> the user to the correct page. Hope maybe this can solve the problem
> mentioned above... , I'm not sure this is a good approach... maybe you
> have a better approach, then please share it with me.. Because I'm
> stuck in this error
In most cases I do a redirect after handling a POST request anyway.
This is to avoid the alert box that pops up if you reload a website that
was requested via POST (try to login, then reload). So you could do it
this way:
<?php
// Must run before any output: both setcookie() and header() send HTTP headers.
if (isset($_POST["username"]) && isset($_POST["password"]))
{
    setcookie("username", $_POST["username"]);
    // The browser's follow-up GET already carries the cookie set above.
    header("Location: login_complete.php");
    exit();
}
?>
Best regards
Dennis
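The session-plus-redirect approach Dennis describes, as an added example that is not code from the original post: one file, login.php, handles the POST, stores the username server-side and redirects, so the very first GET of the member area already shows the name. The user table, the hash function choice and the PHP 7.3+ cookie-parameter syntax are assumptions of this example.

```php
<?php
// Added example (not from the original post): session-based login using the
// post/redirect/get pattern. Assumes this file is reachable as "login.php".
declare(strict_types=1);

// Session cookie: not readable by page scripts, HTTPS only, not sent on
// cross-site POSTs. Array form of this call needs PHP 7.3 or newer.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Constructed sample credentials; a real site would load these from its
// user table. The hash is computed here only to keep the example self-contained.
$users = [
    'jeff' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hypothetical helper standing in for the site's own check.
function loginIsCorrect(array $users, string $username, string $password): bool
{
    // password_verify() compares in constant time and parses the hash itself.
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    if (loginIsCorrect($users, $username, $password)) {
        // Fresh session ID on login, so an ID handed to the browser before
        // authentication is not reused for the authenticated session.
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
    }

    // Redirect after POST: the browser's next GET carries the session cookie,
    // so $_SESSION['username'] is set on the first render, and a reload of
    // the page does not resubmit the login form.
    header('Location: login.php', true, 303);
    exit;
}

// GET: render the page. The name comes from the server-side session, never
// from a client-supplied cookie, so it cannot be forged by editing a cookie.
$display = isset($_SESSION['username'])
    ? htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')
    : 'Guest';

echo '<div class="Username">' . $display . '</div>';
```

A failed login simply redirects back to the same page with the session unchanged; distinguishing the two cases (for example, an error message) would be a separate `$_SESSION` flag set before the redirect.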