3

I am building a website with logins. I have sessions working fine but I need to be able to keep users logged in if they click "remember me". Currently I have the login script saving the Username and Password they type to some cookies. In the below script $username and $password are set higher in the script. The $_SESSION variables are getting set fine. And I know the script is going into the if statement because I placed an alert box in there before.

login.php

while($row = mysql_fetch_array($getLoginResults))
{
    $error = "Login Successful";
    $_SESSION['Username'] = $_POST['username'];
    $_SESSION['Password'] = $_POST['password'];
    if($keep == 1)
    {
        setcookie("Username", $username, time()+3600*24*30);
        setcookie("Password", $password, time()+3600*24*30);
    }
}

When I check the login, I have a javascript alert so I know the cookie is set, but the alert box is coming up empty.

check_login.php

echo "<script>alert('".$_COOKIE['Username']."')</script>";

What am I missing???

Tom Hanson
    Not an answer to your question, but do not do this, ever! Storing the password in a cookie is a cardinal sin. You should read up on how to deal with sessions the right way (with a session ID) – Pekka Oct 09 '13 at 00:15
  • The username and password are not the actual ones, it's only what the user types in. – Tom Hanson Oct 09 '13 at 00:16
  • Why do you think you should store this in a cookie? – Pekka Oct 09 '13 at 00:17
  • Re your specific problem, my suspicion would be the cookies are never set. Are you 1000% sure your condition is ever fulfilled and the lines setting the cookies ever run? You could do a test output (just an `echo "something";` really) to find out. – Pekka Oct 09 '13 at 00:17
  • "its only what the user types in" So, it's the user's password, correct? – Paul Dessert Oct 09 '13 at 00:17
  • Pekka yes I placed an alert box in there before to test it. – Tom Hanson Oct 09 '13 at 00:18
  • Ok, I'm getting a lot of flak for doing it this way. How else do I keep the user logged in when I am not hosting the site myself, so I don't have control over the GC? – Tom Hanson Oct 09 '13 at 00:19
  • $username and $password are not defined. Maybe you meant to set those as $_SESSION['Username'] and $_SESSION['Password']? – Kai Qing Oct 09 '13 at 00:20
  • @TomHanson What's GC? – Alois Mahdal Oct 09 '13 at 00:21
  • The normal approach is to have a database table that keeps track of which session ID successfully logged in when. To find out whether a user is logged in, you take his session ID, look whether there's an entry for it in the table, and when the user's last activity was. (You want the login to expire eventually so you can't reuse a days-old session) – Pekka Oct 09 '13 at 00:23
  • GC = Garbage Collector, aka when the session is removed – Tom Hanson Oct 09 '13 at 00:31

5 Answers

15

Try using setcookie with a path specified; this used to catch me out, as it assumes the current path by default. Using / will make the cookie work for the whole domain.

setcookie("Username", $username, time()+3600*24*30, '/');
bumperbox
  • Thank you, this worked great. I thank you for answering without attacking me on my coding. I'm a new coder. For all the rest who commented... I will look into placing it in a table in the database – Tom Hanson Oct 09 '13 at 00:36
  • I don't think anyone is trying to attack you, they are just trying to help by alerting you to the security implications. – bumperbox Oct 09 '13 at 00:40
2

You are writing a script code with PHP. PHP can only know the data that is sent with the request.

If you first set a cookie and then fetch data from $_COOKIE, the data is not yet there. First the browser must accept the cookie, and then send it back on the next request.

If you use Javascript instead and fetch the document's cookies from the browser, it would work.

And now the disclaimer

Never ever store the login credentials (username and password) as plain text in permanent cookies!

If done right, you create a long random string from a cryptographically secure random number generator (that means you do NOT use rand() or mt_rand()), store it in the cookie, and also in the database. This random string now is a replacement for username and password when it comes to checking credentials.

Sven
  • Thank you for writing this in a non-abusive way. :D I am storing the password after it is crypted, is that ok? – Tom Hanson Oct 09 '13 at 00:29
  • The fetching of the cookie is inside a different script to the setting. – Tom Hanson Oct 09 '13 at 00:30
  • No, that is also not ok, because you are giving away the info of how your passwords are hashed - and if someone steals your database with usernames and hashes, he can instantly use the hashes to log in, because the hash is in the remember-me cookie. **Do not roll your own security mechanism.** – Sven Oct 09 '13 at 00:33
  • Ok, thanks for that, I will fix this up asap. The website's not live yet so I have time. :D – Tom Hanson Oct 09 '13 at 00:46
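As an added example that is not part of this answer or of the original post: the token scheme Sven describes above, combined with the login table from Pekka's comment on the question (each row records which user the token belongs to and when it expires). It is PHP 7.3+ and uses PDO with an in-memory SQLite database so it runs from the command line with no web server (assumes the pdo_sqlite extension). The table and column names, the `selector:validator` cookie layout, the 30-day lifetime and the use of random_bytes() (added in PHP 7, after this thread was written) are my choices, not the answerer's.

```php
<?php
// Added example, not code from the original answers. Table/column names, the
// cookie layout and the 30-day lifetime are assumptions made for illustration.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days, as in the question

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires_at     INTEGER NOT NULL)');
    return $db;
}

// Call after a successful password check when the "keep me logged in" box is ticked.
// Returns the cookie value so it can be inspected; setcookie() sends it to the browser.
function issueRememberToken(PDO $db, int $userId): string {
    // The selector finds the row; the validator is the secret. Both come from
    // random_bytes() (a CSPRNG), never rand()/mt_rand(). Only a hash of the
    // validator is stored, so a stolen database does not let anyone forge cookies.
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);

    $value = $selector . ':' . $validator;
    // Path "/" (bumperbox's point) so every page receives the cookie; HttpOnly keeps
    // JavaScript away from it; Secure restricts it to HTTPS.
    if (!headers_sent()) {
        setcookie(REMEMBER_COOKIE, $value, [
            'expires'  => time() + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return $value;
}

// Call at the top of a request that has no logged-in session yet.
// Returns the user id for a valid, unexpired token, null otherwise.
function userFromRememberCookie(PDO $db, ?string $cookie): ?int {
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['expires_at'] < time()) {
        return null;   // unknown selector, or the login has expired (Pekka's point)
    }
    // Constant-time comparison so response timing does not leak the validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// On logout (or suspected theft) delete the server-side row; clearing the browser
// cookie alone would leave a stolen copy valid until it expires.
function revokeRememberToken(PDO $db, string $cookie): void {
    [$selector] = explode(':', $cookie, 2);
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

// Stand-alone run: issue a token for user 42, accept it, reject a bogus one,
// revoke it and confirm it is rejected afterwards.
$db     = setupDb();
$cookie = issueRememberToken($db, 42);
var_dump(userFromRememberCookie($db, $cookie));
var_dump(userFromRememberCookie($db, 'bogus:' . str_repeat('0', 64)));
revokeRememberToken($db, $cookie);
var_dump(userFromRememberCookie($db, $cookie));
```

In a real login flow the web script would, once userFromRememberCookie() returns an id, start the session and put only that id into $_SESSION (never the password, as the question's login.php does), then issue a fresh token and revoke the old one so each cookie value is used once. As Sven says in this answer, the cookie set by setcookie() only appears in $_COOKIE on the following request, so a check like the question's check_login.php must run on a separate page load.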
1

Seems like $keep came from nowhere. If you used a checkbox for the $keep variable, you can do the following.

<?
$keep = isset($_POST['keep']);
if ($keep) {
    .... // cookie set up
}
?>
Kita
  • He probably has keep defined above the loop. Aside from that, don't open PHP with just `<?` - use `<?php` – Kai Qing Oct 09 '13 at 00:22
  • Sorry for off topic, but why `<?php`? – Kita Oct 09 '13 at 00:24
  • @Kita - some servers don't have it enabled – Paul Dessert Oct 09 '13 at 00:24
  • The discussion is here: [Are PHP short tags acceptable to use?](http://stackoverflow.com/q/200640) – Pekka Oct 09 '13 at 00:24
  • `<?` can be interpreted as XML, for one – Kai Qing Oct 09 '13 at 00:24
  • @relentless but have you ever actually seen such a server in real life? I haven't. (But yeah, I guess if you want to build portable software, there's no way around long tags) – Pekka Oct 09 '13 at 00:24
  • @Pekka웃 - Yep, once. It's a rare case and probably only valid if you're distributing code. – Paul Dessert Oct 09 '13 at 00:25
  • @Kai that doesn't make sense - when the HTML is output, any mention of a PHP `<?` will have been parsed out. The problem is the other way round - the PHP parser will try to interpret XML `<?xml`s and cause trouble – Pekka Oct 09 '13 at 00:25
  • Just regurgitating. I've never seen anyone defend the use of `<?` but everyone backs `<?php` – Kai Qing Oct 09 '13 at 00:26
  • PSR-1 standard, paragraph 2.1: "PHP code MUST use the long `<?php ?>` tags or the short-echo `<?= ?>` tags; it MUST NOT use the other tag variations." – Sven Oct 09 '13 at 00:27
0

It's better to use jQuery/Javascript to set the cookie in the browser. I find it easier in jQuery than in PHP.

Create, read, and erase cookies with jQuery

Manoj Kumar
-1

See how cookies work:

index.php

    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <title>Himel Sarkar</title>
        <link rel="stylesheet" href="">
    </head>
    <body>

    <?php
    // Set a cookie that expires 100 seconds from now.
    // It becomes visible in $_COOKIE only on the next request, not this one.
    setcookie("username", "Himel Sarkar", time() + 100);

    echo "This cookie is valid for 100 sec ";
    ?>
    <a href="welcome.php">Next Page</a>
    </body>
    </html>

welcome.php

    <?php
    // The browser sends the cookie back with this request, so it is readable now.
    // Fall back to a message if the cookie has expired or was never set.
    echo ($_COOKIE['username'] ?? 'no cookie received') . "<br>";
    ?>
    <h4>If you go to the previous page then a new cookie will be generated. <a href="index.php">Previous Page</a></h4>
Stephen Kennedy