Posted by Michael on 02/15/07 16:46
"Dennis Kehrig" <MailNews@DennisKehrig.de> wrote in message
news:53j26eF1snulbU1@mid.dfncis.de...
> Jeff wrote:
>
>> I'm developing a web site using php. Registered users of the web site
>> can log in to get access to the member area. All the pages in the web
>> site contain a DIV which shows the name of the logged-in person.
>> The PROBLEM is that after a person has logged in, the name of the user
>> isn't displayed. But it becomes visible if the user clicks on one of the
>> pages in the web site...
>
> Sounds to me like you are storing the actual login data as a cookie.
> This is a bad idea since anyone with access to that computer can read the
> cookie value and therefore knows the password.
> Or you just send the username, which would be even more insecure, because
> then anyone can send a cookie to your website with any username he wants
> and be therefore considered "logged in".
>
> You might want to consider using sessions.
> http://de3.php.net/manual/en/features.sessions.php
>
> <?php
> session_start();
>
> ...
> if (loginIsCorrect($_POST["username"], $_POST["password"])) {
> $_SESSION["username"] = $_POST["username"];
> }
> ?>
>
> Start the session on every page you need security clearance and check
> whether $_SESSION["username"] is set. session_start() sends and later uses
> a cookie with a session ID so that the session (i.e. the variable
> $_SESSION) is restored with every page load. This way, the value you want
> to print ($_SESSION["username"]) is set right away.
>
> If you insist on further using just the cookie, then you could do
> something like this:
>
> <?php
> $username = "";
> if (isset($_COOKIE["username"])) {
> $username = $_COOKIE["username"];
> } elseif (isset($_POST["username"])) {
> $username = $_POST["username"];
> }
> echo '<div class="Username">'.$username.'</div>';
> ?>
>
> This applies if the name of the form field that contains the username is
> "username". Either the cookie is set or the POST value (after logging in).
>
>> This is as described in the php manual: "Cookies will not become visible
>> until the next loading of a page that the cookie should be visible for."
>
> Yes. Your script sends a header along with the HTML code that sets the
> cookie. Only then does the browser know of the cookie and can send it along
> with the next request (which happens when the user clicks a link).
>
>> I'm thinking of creating a dummy page which does nothing but redirect
>> the user to the correct page. Hope maybe this can solve the problem
>> mentioned above... I'm not sure this is a good approach... maybe you have
>> a better approach, then please share it with me.. Because I'm stuck on
>> this error
>
> In most cases I do a redirect after handling a POST request anyway.
> This is to avoid the alert box that pops up if you reload a website that
> was requested via POST (try to login, then reload). So you could do it
> this way:
>
> if (isset($_POST["username"]) && isset($_POST["password"]))
> {
> setcookie("username", $_POST["username"]);
> header("Location: login_complete.php");
> exit();
> }
>
> Best regards
>
> Dennis
The way I do it:
- On the login page, when the login is correct I set the cookie with
set_cookie and then explicitly fill the corresponding $_COOKIE[...] value.
This will not require any extra code, depending on whether or not the login
took place this page load, either the username is in the $_COOKIE and the
user is logged in, or neither.
- I store not the username, but the User ID in the cookie. From the
password, login information and a hard-coded salt string I then construct a
kind of "hash key" which is stored in another cookie. When a page needs the
user information, I retrieve the user record from the database, construct a
hash key from the password information inside and check it against the
stored cookie. Anyone can read out the hash cookie, but unless they know a)
the user password and b) how the hash key is constructed, it will be of no
use.
Good luck!
Kind regards
Michael.
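The two approaches from the thread combined in one script, as an added example that is not code from either poster: Dennis's session login with a redirect after POST, and Michael's idea of a user-ID cookie, here protected with an HMAC under a server-side secret rather than a hash derived from the password. The user table, the placeholder secret and the `login_complete.php` target are constructed for the example; it assumes PHP 7.3 or later for the `setcookie()` options array.

```php
<?php
// Added example, not code from the thread: session login with a redirect
// after POST, plus a keyed user-id cookie (HMAC with a server-side secret,
// so reading the cookie does not let anyone forge another id).
// Constructed user table and placeholder secret; needs PHP >= 7.3.
const COOKIE_KEY = 'placeholder-replace-with-a-random-32-byte-secret';
$USERS = [7 => ['name' => 'alice', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

// "uid.tag": tag is an HMAC over the id, so neither part can be altered.
function makeUserCookie(int $uid, string $key): string {
    return $uid . '.' . hash_hmac('sha256', (string)$uid, $key);
}

// Returns the user id, or null if the cookie is missing, malformed or forged.
function readUserCookie(?string $value, string $key): ?int {
    if ($value === null || !preg_match('/^(\d+)\.([0-9a-f]{64})$/', $value, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], $key);
    return hash_equals($expected, $m[2]) ? (int)$m[1] : null; // constant-time compare
}

session_start();

if (isset($_POST['username'], $_POST['password'])) {
    foreach ($USERS as $id => $u) {
        if ($u['name'] !== $_POST['username'] || !password_verify($_POST['password'], $u['hash'])) {
            continue;
        }
        session_regenerate_id(true);        // fresh session id after privilege change
        $_SESSION['username'] = $u['name']; // already readable on this same request
        setcookie('uid', makeUserCookie($id, COOKIE_KEY), [
            'expires' => time() + 86400 * 30, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
        header('Location: login_complete.php'); // redirect after POST
        exit();
    }
}

// Later requests: session_start() restored $_SESSION; consult the keyed
// cookie only when the session carries no user yet.
if (!isset($_SESSION['username'])) {
    $uid = readUserCookie($_COOKIE['uid'] ?? null, COOKIE_KEY);
    if ($uid !== null && isset($USERS[$uid])) {
        $_SESSION['username'] = $USERS[$uid]['name'];
    }
}
echo '<div class="Username">' . htmlspecialchars($_SESSION['username'] ?? '') . '</div>';
```

The HMAC stops a reader of the cookie from substituting another user id, but a copied cookie still works until it expires, exactly like a copied session id, so the cookie lifetime and the Secure/HttpOnly flags matter as much as the tag.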