xisto Community
Raptrex

User Login System With Setcookies

A friend of mine is quite good at PHP and told me not to use sessions and to use setcookie. I'm not sure how to use setcookie to make a user authentication system and was wondering if anyone here knows a tutorial on how to do it.

I wrote a tutorial about it (to give the tutorial some more perspective I wrote the full authentication system). It's pending right now, so you'll have to wait until some mod validates it :D I'll post the link once it's validated.

A friend of mine is quite good at PHP and told me not to use sessions and to use setcookie

Sessions are more secure than cookies. Cookies get passed back and forth from the client to the server, and can easily be caught as they go along the network. Anything that is considered 'sensitive' material/data would need to be encrypted before being stored in a cookie.

If shared hosts (like Xisto) concern you and/or you want to avoid possible session hijacking techniques, then a better way to protect your sessions is to set up a custom session handler using a DB and store all session data in the DB. Then, with every user privilege escalation (like a login) you simply regenerate the user's session ID to prevent it from being hijacked.

Also, storing sessions in a cookie presents other problems as well. Some people disable cookies, forcing GET/POST alternatives (ever see a long encrypted session ID in your URL bar?), which could limit the user from seeing your site altogether. Also, many browsers limit the size of the cookies they accept, and to be on the safe side you should not exceed 4 KB (4096 bytes) in a single cookie, otherwise some browsers may truncate the cookie data.

 

Overall, I would recommend utilizing both methods to maximize your security, and you can read up on both of these methods and more at PHP Security Consortium.

 

@Hmmz:

Is it the one entitled "Incredible Secure Authentication"? I would like to see what types of security measures you have considered in your tutorial. I am writing a tutorial myself on Secure Authentication and it is quite large to say the least. I am curious to see if our systems are very similar or very distinct! :D

If it is too similar, I guess you beat me to posting then, 'cause I wouldn't want to post anything like a copy-cat tutorial! :(

I look forward to reading it! :D

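The two measures the post above recommends, a DB-backed session handler and regenerating the session ID on login, as an added example that is not code from this thread. It assumes PHP 7.3 or later with PDO and the SQLite driver; the `sessions` table and its column names are my own choice, and the in-memory SQLite database is a stand-in so the file runs offline (in production point the PDO DSN at your MySQL server so sessions survive between requests, and use `REPLACE INTO` or `ON DUPLICATE KEY UPDATE` instead of SQLite's `INSERT OR REPLACE`).

```php
<?php
// Added example (not from the thread): DB-backed session storage plus
// session-ID regeneration at login. Assumptions: PHP >= 7.3, PDO + SQLite,
// and a `sessions` table whose name and columns are my own choice.

class DbSessionHandler implements SessionHandlerInterface
{
    private $pdo;
    private $ttl;

    public function __construct(PDO $pdo, int $ttl = 1440)
    {
        $this->pdo = $pdo;
        $this->ttl = $ttl;
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS sessions ('
            . ' id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // Only unexpired rows are honoured: a stolen ID stops working when the
    // server-side lifetime runs out, whatever the client's cookie says.
    public function read($id): string
    {
        $st = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write($id, $data): bool
    {
        // SQLite syntax; MySQL: REPLACE INTO ... or ON DUPLICATE KEY UPDATE
        $st = $this->pdo->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy($id): bool
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$id]);
    }

    public function gc($maxLifetime): int
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

$pdo = new PDO('sqlite::memory:');   // stand-in for the real database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($pdo), true);

// The session cookie carries only the ID; every piece of data stays in the DB.
session_set_cookie_params([
    'httponly' => true,   // not readable by page scripts
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Call this once the password check has succeeded: the privilege escalation
// the post describes. A fresh ID makes any ID captured or planted before
// login worthless, and true deletes the old session row.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}
```

Because `read()` filters on `expires`, a session that the garbage collector has not yet removed is still rejected once its lifetime is over, so the DB lifetime, not the browser, decides how long a login lasts.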

Well, with cookies the site remembers you, but with sessions it only remembers you until you close your browser or something like that.

Anyway, I found a pretty decent tutorial and was wondering how I can make a "logout" script and a "who's online" script.

http://www.xentrik.net/php/signup/complete.php

The script works.

See it here.

Nothing fancy.
Just added: if you're logged in it would show you.
Oh, and also, say you're not logged in, I want it to show the login form but I don't know how to use the if-then statement that much.

Thanks :D

There will be lots more things you would need to learn... that's true. I don't know that much PHP code; I just install lots of PHP programs and they all use cookies, but it's not dangerous.

OK, I found a little script:

<?php
// grab current time
$time = time();
$login_error = false;
$cookie_ok = false;

// connection and selection of database (credentials as posted)
$link = mysqli_connect('localhost', 'raptrex_forum', 'forum') or die(mysqli_connect_error());
mysqli_select_db($link, 'raptrex_member') or die(mysqli_error($link));

// handle the logout event (reached through login.php?logout=true)
if (isset($_GET['logout']) && $_GET['logout'] == 'true') {
    // an expiry date in the past tells the browser to drop both cookies
    setcookie("user", "", $time - 3200);
    setcookie("pass", "", $time - 3200);
    echo "<a href=\"http://forums.xisto.com/no_longer_exists/\">Out!</a>";
}

// handle validation event
if (!empty($_POST['user']) && !empty($_POST['pass'])) {
    // prepared statement: the posted values never become part of the SQL text
    $stmt = mysqli_prepare($link, "select id, username, password from users where username = ? and password = ?");
    mysqli_stmt_bind_param($stmt, 'ss', $_POST['user'], $_POST['pass']);
    mysqli_stmt_execute($stmt);
    $user_data = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    if ($user_data && $user_data['id'] > 0) {
        // the cookies hold md5 hashes of the stored values, not the values themselves
        setcookie("user", md5($user_data['username']), $time + 3200);
        setcookie("pass", md5($user_data['password']), $time + 3200);
        echo "<a href=\"http://forums.xisto.com/no_longer_exists/\">In!</a>";
    } else {
        $login_error = true;
    }
}

// returning visitor: the hashes in the cookies must match a row in the users table
if (!isset($_GET['logout']) && isset($_COOKIE['user'], $_COOKIE['pass'])) {
    $stmt = mysqli_prepare($link, "select id from users where md5(username) = ? and md5(password) = ?");
    mysqli_stmt_bind_param($stmt, 'ss', $_COOKIE['user'], $_COOKIE['pass']);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $cookie_ok = mysqli_stmt_num_rows($stmt) > 0;
}

// handle login event, both successful and erroneous, or show login screen
if ($login_error == true) { ?>
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td align=center bgcolor=#123dd4>LOGIN ERROR</td></tr>
  <tr><td align=center><b>Invalid Username and/or Password</b><br><br><a href=login.php>Back</a></td></tr>
</table>
<?php } elseif ($cookie_ok) { ?>
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td align=center bgcolor=#123dd4>SECURE AREA</td></tr>
  <tr><td align=right><a href=login.php?logout=true>Logout</a></td></tr>
  <tr><td>You have successfully logged in.<br><br>
   Encrypted Username: <b><?= htmlspecialchars($_COOKIE['user']) ?></b><br>
   Encrypted Password: <b><?= htmlspecialchars($_COOKIE['pass']) ?></b><br>
  </td></tr>
</table>
<?php } else { ?>
<form action=login.php method=post>
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td colspan=2 align=center bgcolor=#123dd4>LOGIN</td></tr>
  <tr><td align=right>Username: </td><td><input type=text name=user size=15></td></tr>
  <tr><td align=right>Password: </td><td><input type=password name=pass size=15></td></tr>
  <tr><td align=center colspan=2><input type=submit value=Login></td></tr>
</table>
</form>
<?php } ?>

I'm going to include this on my site.
Say, if I'm not logged in, it shows the login area,
but if I'm logged in, it says I'm logged in as whoever I'm logged in as.
How do I do this?

Man, I made a script and posted it here a looooooooooong time ago. I think the title was: Login Sistem and subtitle: With PHP + MySQL. It was a really long time ago. Try to use the search engine. The script is complete, with login, signup, administration, profile, blah blah blah :D It uses cookies and MySQL to save the information. If I find the link, I'll post it here.

I wrote a tutorial about it (to give the tutorial some more perspective I wrote the full authentication system). It's pending right now, so you'll have to wait until some mod validates it :D
I'll post the link once it's validated.


Hmmz, did your tutorial ever get validated? 'Cause I haven't seen it in the tutorial section lately.

No... sorry. Some damn mod (Dooga) insinuated I copied the complete tutorial. I've made several tutorials now and always had the consent of the mods; that they plead me guilty of plagiarizing is an aggressive insult towards me, so forget the tutorial. If mods don't appreciate contributions, then fine.

Well, I didn't save it or anything so I'll have to start completely over... here goes the 'short' version :P

 

Step 1: Connect, login and authenticate

Of course, before you start authenticating a user you need a login form that ultimately suits the authentication process, and a config file that sets up a connection to your MySQL database and the user table situated therein. Those are basic things but do the trick and are self-explanatory:

 

config.php

<?php
$server   = "host";
$database = "database name";
$db_user  = "db username";
$db_pass  = "db password";
$table    = "usertable";
?>

logform.php

<form action="login.php" method="post">
Username: <input type="text" name="username" size="15">
Password: <input type="password" name="password" size="15">
<input type="submit" value="Log In">
</form>

Then you need to create login.php, which basically is your authentication page. I'll explain everything after the code:

 

login.php

<?php
ob_start();
include("config.php");

// connect to the mysql server
$link = mysqli_connect($server, $db_user, $db_pass)
    or die("Could not connect to server..");
// select the database
mysqli_select_db($link, $database)
    or die("Could not select database");

// the values typed into logform.php
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// look for a matching user; the prepared statement keeps the input out of the SQL text
$match = "select id from $table where username = ? and password = ?";
$qry = mysqli_prepare($link, $match)
    or die("Could not match data because " . mysqli_error($link));
mysqli_stmt_bind_param($qry, 'ss', $username, $password);
mysqli_stmt_execute($qry);
mysqli_stmt_store_result($qry);
$num_rows = mysqli_stmt_num_rows($qry);

if ($num_rows <= 0) {
    echo "Sorry, there is no username " . htmlspecialchars($username) . " with the specified password.<br>";
    echo "<a href=logform.php>Try again</a>";
    exit;
} else {
    // both cookies are plain values held by the browser; the members page
    // only checks that "loggedin" exists, so it trusts whatever it receives
    setcookie("loggedin", "TRUE", time() + (900 * 1));
    setcookie("username", $username);
    echo "You are now logged in!<br>";
    echo "Continue to the <a href=members.php>Members</a> area.";
}
ob_end_flush();
?>

All right,

ob_flush() is a function used in PHP to send the output of the content, known as the output buffer; in this script, it basically sends the output of the authentication to the database, following a full check of the sent data.

 

Then the script includes config.php, which is the file used to connect to the server, database and ultimately the table.

 

$link is the variable that actually connects to the database using variables assigned in config.php.

 

Then you have to select the database where the user table is situated, following the query to 'get' the username and password inserted in the login fields. Then it checks if there's a match; if so, it gives the user the link to the members area, if not, it displays a login error.

 

With a successful login it also sets 2 cookies, one for the successful login and 1 for the user itself. Within the user cookie it also sets the variable $username; if you now want to display the user's username anywhere, you don't have to assign a whole new variable, all you need is $username, which basically displays the username used with the login.

 

 

Step 2: members area code

We've gone through the whole login and authentication process, but we of course need something on each members page that recognizes and validates the user. This small code checks if the cookie is valid and connects or disconnects the user if valid or invalid:

<?php
// no "loggedin" cookie at all: stop before any of the page is sent
if (!isset($_COOKIE['loggedin'])) {
    die("You are disconnected!  <a href=\"logform.php\">Click here</a>");
}
$username = $_COOKIE["username"];
echo "You are connected! « " . htmlspecialchars($username) . " »";
?>

Put that small piece of code at the top of every members page to secure your members pages.

 

That's about it, hope this helps.

And NO Dooga, this is not ripped or anything, so don't accuse me again; I've never ripped before and I like to keep it that way.

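The page the earlier poster asked for ("show the login area if I'm not logged in, otherwise say who I'm logged in as"), written so that the cookie cannot be forged: the tutorial's `loggedin=TRUE` cookie can be typed into any browser by hand, since the members page only checks that it exists, whereas here the cookie value carries an HMAC made with a server-side secret, and the database stores a password hash instead of the password. This is an added example, not code from this thread or from any of its posters. It assumes PHP 7.1 or later with PDO and SQLite as a stand-in for the MySQL user table (the table is rebuilt on every run, so point the DSN at your real database in production), and `AUTH_SECRET` is a placeholder you must replace with your own random bytes.

```php
<?php
// Added example, not from the thread. Assumptions: PHP >= 7.1, PDO + SQLite
// standing in for the MySQL user table, AUTH_SECRET replaced by real random bytes.

const AUTH_SECRET = 'PLACEHOLDER-replace-with-32-random-bytes';
const AUTH_COOKIE = 'auth';
const AUTH_TTL    = 900;   // 15 minutes, the lifetime the tutorial's cookie used

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
        // constructed sample user: only a password hash is stored, never the password
        $st = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        $st->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Token layout: base64(username) | expiry | hmac. Name and expiry are readable,
// but changing either one invalidates the MAC.
function make_auth_token(string $username, int $expires): string
{
    $payload = base64_encode($username) . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, AUTH_SECRET);
}

// Returns the username for an intact, unexpired token, otherwise null.
function verify_auth_token(string $token, ?int $now = null): ?string
{
    $now = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1]) || (int) $parts[1] < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0] . '|' . $parts[1], AUTH_SECRET);
    if (!hash_equals($expected, $parts[2])) {   // constant-time comparison
        return null;
    }
    $username = base64_decode($parts[0], true);
    return $username === false ? null : $username;
}

function authenticate(string $username, string $password): bool
{
    $st = db()->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

function current_user(): ?string
{
    return isset($_COOKIE[AUTH_COOKIE]) ? verify_auth_token($_COOKIE[AUTH_COOKIE]) : null;
}

// Request handling: this part goes at the top of each page.
if (isset($_GET['logout'])) {
    setcookie(AUTH_COOKIE, '', time() - 3600, '/', '', false, true);
    unset($_COOKIE[AUTH_COOKIE]);
} elseif (isset($_POST['user'], $_POST['pass']) && authenticate($_POST['user'], $_POST['pass'])) {
    $expires = time() + AUTH_TTL;
    $token   = make_auth_token($_POST['user'], $expires);
    // httponly keeps page scripts away from the cookie; pass true for "secure" on HTTPS
    setcookie(AUTH_COOKIE, $token, $expires, '/', '', false, true);
    $_COOKIE[AUTH_COOKIE] = $token;   // so this same request already shows the user as logged in
}

$user = current_user();
if ($user !== null) {
    echo 'Logged in as <b>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</b> '
       . '<a href="?logout=1">Logout</a>';
} else {
    echo '<form method="post">Username: <input type="text" name="user"> '
       . 'Password: <input type="password" name="pass"> '
       . '<input type="submit" value="Login"></form>';
}
```

The if/else at the end is the part the asker wanted on every page: `current_user()` returns a name only when the MAC checks out and the expiry has not passed, so editing the cookie in the browser yields the login form rather than someone else's account. Logging out only tells the browser to drop the cookie; an already-copied token stays valid until its expiry, which is why `AUTH_TTL` is kept short and why the earlier post's server-side session store is the stronger design when you need to revoke a login immediately.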

This looks original to me; I've never seen this code. I believe it's original and that's the bad point of having too many moderators (no hard feelings!)... Maybe try explaining to the admins and show them your work, and ask for justice!! :P
