Help me "EAT" the cookies

**costas** · 08-24-2006, 06:10 PM

Hi everybody,

I'm making a user authorization site(just for practice) using cookies. The problem is: I write the command "setcookie()", but my browser does not set the cookie. I tested it on three browser with all three have cookies enabled, but it wouldn't work. Whar can I do? Here's the code:

Code:

<?
function doDB()
{
global $conn;
$conn = mysql_connect("localhost", "username", "password") or die(mysql_error());
mysql_select_db("userauth", $conn) or die(mysql_error());
}

function check($user, $pass)
{
global $conn, $sq_res, $user, $pass;
$sq = "select user_id from users where username = '$user' && enc = '$pass'";
$sq_res = mysql_query($sq, $conn) or die(mysql_error());
if (mysql_num_rows($sq_res) == 1)
{
setcookie("user", "$user", 0, "/", "localhost", 0);
setcookie("pass", "$pass", 0, "/", "localhost", 0);
}
}

function auth($auth)
{
if ($_COOKIE[user] == $user && $_COOKIE[pass] == $pass)
{
$auth = "true";
}
}

function logout()
{
setcookie("user", "", time()-1000, "/", "localhost", 0);
setcookie("pass", "", time()-1000, "/", "localhost", 0);
}

?>

Note:

I tried also to set a cookie with the function header()

Any help would be appreciated!

**DimX** · 08-24-2006, 06:39 PM

Code:

function auth($auth)
{
if ($_COOKIE[user] == $user && $_COOKIE[pass] == $pass)
{
$auth = "true";
}
}

Shouldn't there be some quotes? Like:

Code:

function auth($auth)
{
if ($_COOKIE["user"] == $user && $_COOKIE["pass"] == $pass)
{
$auth = "true";
}
}

Try setting error_reporting to E_ALL, it might help.

**costas** · 08-25-2006, 09:39 AM

The problem is not when checking if the cookie exists or not, but when creating it.

**codeexploiter** · 08-25-2006, 10:11 AM

You haven't mentioned about whether you were getting any error/warning messages while executing your script.

As you know Cookies are part of the HTTP header, so setcookie() must be called before any output is sent to the browser. if you place a single output line to the browser before the setcookie() it will give you some warning message and doesn't set the cookies value.

You can try this with a simple php script.

**mwinter** · 08-25-2006, 12:00 PM

Originally Posted by costas

$conn = mysql_connect("localhost", "costas", "thrilos") or die(mysql_error());

It's not a good idea to post your username and password. It's also not very helpful to simply exit if there are database issues. Display a proper, informative error page instead. Don't include technical details; the user doesn't care and won't understand. However, an error page explaining that there is a problem with the server and the site or document is unavailable looks better than a cryptic message generated by the database server. Most importantly, though: displaying database errors shows people how your queries work, and can help hackers determine whether they can inject data into your database.

function check($user, $pass)
{
global $conn, $sq_res, $user, $pass;

You have arguments for that function, but then import global variables with the same name?

setcookie("user", "$user", 0, "/", "localhost", 0);

I should think that the problem is with your "domain", which isn't a domain at all: it's a host name. Even if that isn't the issue, it's a misuse of the cookie attribute. Remove it:

Code:

setcookie('user', $user, 0, '/');  /* $user should already be a string,
                                      so the quotes are unnecessary. */

The purpose of the domain attribute is to enable sharing across domains. Say for example that I have a website (www.example.com) that includes a forum (forum.example.com) and a webmail service (mail.example.com). If users of the forum are automatically assigned a mail account, there's no need for them to log into one, if they've already logged into the other. I could share the cookie that contains their session identifier by using ".example.com" (note the leading dot) as the domain.

Originally Posted by DimX

if ($_COOKIE[user] == $user && $_COOKIE[pass] == $pass)

Shouldn't there be some quotes?

Yes. As it is, the preprocessor will expect "user" and "pass" to be constants defined by define function. At the present moment, PHP will issue a E_STRICT warning if the constant doesn't exist and assume that a string was intended. However, it's conceivable that this will be upgraded to an error in future versions of the language, so it should be avoided.

Mike

**costas** · 09-02-2006, 07:58 AM

Hi again,
Anyone with ideas.

Originally Posted By codeexploiter:
As you know Cookies are part of the HTTP header, so setcookie() must be called before any output is sent to the browser. if you place a single output line to the browser before the setcookie() it will give you some warning message and doesn't set the cookies value.

It doesn't give me any warning or message.

**DimX** · 09-02-2006, 08:18 AM

What is actually the problem, cookies are not set or cookies are set but your script can't get them?

**costas** · 09-09-2006, 09:00 AM

Well, the cookies are set but my system doesn't get them no matter what I do.
Please HELP!!!

Thread: Help me "EAT" the cookies

Thread Tools

Search Thread

Help me "EAT" the cookies

Bookmarks

Bookmarks

Posting Permissions