Hi guys, I'm new to PHP and having a problem. I have my basic login script which is trying to set a cookie. Once a user logs in they are sent to a welcome page and then they must click again for the cookie to load, and to be sent to the main page. The main page outputs info from user table based on the cookie stored. From examining the code it seems that the cookie is not being set so no info is displaying on my main page.

PHP:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <?php
    function func_generate_string() {
        $auto_string = chr(mt_rand(ord('A'), ord('Z')));
        for ($i = 0; $i < 8; $i++) {
            $ltr = mt_rand(1, 3);
            // append to $auto_string, the variable that is returned
            if ($ltr == 1) $auto_string .= chr(mt_rand(ord('A'), ord('Z')));
            if ($ltr == 2) $auto_string .= chr(mt_rand(ord('a'), ord('z')));
            if ($ltr == 3) $auto_string .= chr(mt_rand(ord('0'), ord('9')));
        }
        return $auto_string;
    }

    function FunJavaScriptRedirection($url) {?>
    <script type="text/javascript">
    window.location = '<?=$url?>'
    </script>
    <?}

    if (isset($_POST['submit1'])) {
        FunJavaScriptRedirection("http://localhost/register.php");
    }

    if (isset($_POST['submit'])) { // if form has been submitted
        $con = mysql_connect("localhost","root","*******x");
        if (!$con) {
            die('Could not connect: ' . mysql_error());
        }
        mysql_select_db("ulmundo", $con);

        if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
            $username = $_POST['txtUserId'];
            $password = $_POST['txtPassword'];

            // check if the user id and password combination exist in database
            $sql = "SELECT userid FROM `ulmundo`.`users` WHERE username = '$username' AND password = '$password'";
            $result = mysql_query($sql); // or die('Query failed. ' . mysql_error());

            if (mysql_num_rows($result) == 1) {
                // the user id and password match,
                $user_obj = mysql_fetch_object($result);
                $user_id = $user_obj->userid;

                // now generate a random 8 char long string, and hash it with MD5
                $logcode = md5(func_generate_string());

                // now update users information in the database
                $result = mysql_query("UPDATE `ulmundo`.`users` SET logcode ='$logcode' WHERE userid = '$user_id'"); // or die('Could not update database.');

                // now, let us setup the identification information that will be passed to users computer via a cookie
                // we will store users ID and LOGCODE in ID:LOGCODE form so that we can later extract it using explode() function
                $newval = "$user_id:$logcode";
                setcookie( cookiename, $newval, time() + 300);

                // after login we move to the main page
                FunJavaScriptRedirection("http://localhost/logincongrat.php");
                exit;
            } else {
                echo("Wrong username or password" );
            }
        }
    }
    ?>

I have placed the PHP code at the start of the login page above the html tags. When I run the script to check if the cookie has been loaded it does not enter the if (isset($_COOKIE['cookiename'])) { I have commented out the die conditions in the above code but this still did not work. Thanks guys, any help would be great.
HTML:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

This is killing it. setcookie() must be called before any output is sent, as with any other PHP function that alters headers. You said you placed the PHP above the HTML tags but it seems you forgot one.
I'm sure you changed it for posting here, but I have to mention this just in case. Shouldn't the line:

    setcookie( cookiename, $newval, time() + 300);

be

    setcookie("cookiename", $newval, time() + 300);
Thanks for the reply guys, got it working. Yeah, it was the <!DOCTYPE that was causing the problem. Cheers.
On another note, a safer bet is to use a SESSION as your cookie and create and destroy as needed. Cookies can be forged pretty easily. Just a side note.
Never validate users based on cookies. It's not that hard to copy someone else's cookies via XSS or shared computers and forge your own to assume their identity. It's even easier for someone to simply modify their cookies to perform injection attacks on your server if you don't properly sanitize your $_COOKIE variables. This kind of thing is what sessions were made for.
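The session-based login the last two replies recommend, as an added example that is not part of the original thread: the browser only holds an opaque session ID, and the user ID stays server-side in $_SESSION instead of in an ID:LOGCODE cookie the client can edit. The PDO handle, the password_hash column (filled with password_hash()) and the function names are assumptions; the users table and its userid/username columns follow the thread.

```php
<?php
// Added example, not the poster's code. Function names, the PDO handle and the
// password_hash column are assumptions; table and column names follow the thread.

// Call before ANY output (no DOCTYPE, whitespace or BOM above <?php): the
// session cookie is sent as a header, exactly like setcookie().
function start_secure_session(): void
{
    session_set_cookie_params([   // array form needs PHP 7.3+
        'lifetime' => 0,          // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,       // assumes the site is served over HTTPS
        'httponly' => true,       // not readable from JavaScript, limits theft via XSS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter instead of interpolating user input into the SQL string.
    $stmt = $db->prepare('SELECT userid, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                 // fresh ID at login (anti-fixation)
    $_SESSION['userid'] = (int) $row['userid'];  // identity is kept server-side only
    return true;
}

// On the main page: null means "not logged in". The value cannot be changed
// by editing cookies, because the client never sees it.
function current_user_id(): ?int
{
    return $_SESSION['userid'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

Each protected page calls start_secure_session() first and then reads current_user_id(); after a successful login(), redirect with header('Location: ...') before any output is sent.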