
How to create cookies

2/11/2008 11:46:16 AM
PHPRunner General questions
Lisa2006 author

Hi Support,
I have 2 projects:
Project: sample

Table 1: transport_mydetails

Fields: username, password, ID, etc
Project: demo

Table 2: transport_mydetails

Fields: username, password, ID, etc.
I need to achieve the following:

User initially logs in from the sample table using their username and password.

User is then redirected to a bespoke page called "\sample\mymenu.php".

At the bespoke "\sample\mymenu.php" page the user is presented with a link to

At this point I want the user to transparently access the \demo\transport_mydetails_list.php without having to enter their login credentials.

(Note: both sample and demo projects use the same transport_mydetails table to authenticate)
So far I have created a cookie at: sample | Events | Login Page | After successful login with the following code:
setcookie("username", $username, time()+3600);
setcookie("password", $password, time()+3600);
header("Location: sample/mymenu.php");
exit();
When I execute the sample project and enter username & password, I see the contents of the cookie on the local drive. My concerns are that anyone can access the username and password that is displayed in the cookie file.
Question:

Would it be better to create a cookie based on the user's ID? If so, how can I achieve this?
Thanks in advance
Lisa

jclout 2/12/2008

Sorry, can't help much, I too am just starting to look at COOKIES, but:
secure

Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. The default is FALSE. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).
http://www.php.net/manual/en/function.setcookie.php
So even if your site uses HTTPS/SSL to communicate sensitive data, if the initial cookie was set by set_cookie via HTTP, an attacker listening on the wire could easily spoof a visitor's cookie and gain access to their session.
http://bugs.php.net/bug.php?id=40778

Lisa2006 author 2/12/2008

Thank you for your reply and advice.
I've seen many sites that do not use HTTPS/SSL to authenticate. Yes, this is a potential security issue.
This is why I'm asking if using the user's ID to create a cookie is better than username/password?
My other question is how do I create a cookie based on the user's ID?
Thanks in advance
Lisa

Admin 2/12/2008

Lisa,

This is why I'm asking if using the user's ID to create a cookie is better than username/password?



No, using cookies won't give you more security than username/password.

My other question is how do I create a cookie based on the user's ID?



To create a cookie use the setcookie PHP function.

The name of the logged-in user is stored in the $_SESSION["UserID"] variable.

Put your code into the Before page processed event.

Lisa2006 author 2/12/2008

Hi Alexey,
Sorry, I'm new to all this. I'm confused as to how & where the $_SESSION["UserID"] would go.
Additionally, I know that just entering the syntax $_SESSION["UserID"] would cause errors. What would I need to do to the syntax to make it right?
I'm getting really confused!!!
Could somebody PLEASE PLEASE PLEASE just show me the correct syntax, what project needs what code and where.....
Thanks Forum!!!
Lisa :(

Admin 2/13/2008

Lisa,

Question:

Would it be better to create a cookie based on the user's ID? If so, how can I achieve this?


No.

This will create a serious security vulnerability in your project.

I don't recommend doing that.

If you implement this someone can send cookies UserID=1, 2, 3 etc and read usernames and passwords of all your users.
Cookies stored on local disk are protected by operating system.

Only the user who received them from the site and Administrator can read them.

Lisa2006 author 2/14/2008

Hi Alexey,
Would I be better off creating a cookie based on Session ID or URL encoded session ID?
What variable stores the session ID value, and how can this be implemented?
Thanks
Lisa

Admin 2/14/2008

Lisa,
I'm not really sure what you are trying to do with the Session id.

You can find info on PHP sessions here:

http://www.php.net/session

Lisa2006 author 2/14/2008

Hi Alexey,
I read an article on the following website: http://www.howtocreate.co.uk/crosssite.html#sessionurl which suggests that using cookies is not the best practice for what I want to achieve. It advises to use "Encode a session ID in the URL".
As previously mentioned, I want to simply login using username + password at the sample project.

Once authenticated it will redirect me to a bespoke page called \sample\mymenu.php with the sample project. On this page when I click the hyperlink it will redirect me to a new project \demo\transport_mydetails_list.php page.
Here's the problem

When I'm redirected to the \demo\transport_mydetails_list.php all previously entered information is lost.

Should I simply login at the demo project then all details are shown.

Note: both the sample and demo projects use the sample transport_mydetails sql table to authenticate.
The posting mentioned above suggests that I should create a session id value and use this variable within the URL to redirect.

I have no idea how or where or on what project/event I should enter the appropriate code.
Your help and support would be much appreciated.
Lisa

Admin 2/15/2008

Lisa,
To share sessions between two projects located on the same server, modify the include\dbcommon.php file in both projects.

Find this line there:

@session_start();

and insert this one just before:

session_set_cookie_params ( 0, "/");
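
The fix in the last reply, written out as an added example (not part of the thread and not PHPRunner's generated code): the session cookie is scoped to "/" so both /sample/ and /demo/ receive it, and only the opaque session ID travels in the cookie while $_SESSION["UserID"] stays on the server. The helper names, the /sample/login.php path and the Secure/HttpOnly flags are assumptions added here; both projects are assumed to use PHP's default session name and save path.

```php
<?php
// Added example. start_shared_session(), mark_logged_in() and
// require_login() are hypothetical helper names, not PHPRunner functions.

function start_shared_session(): void
{
    // True only when this request arrived over HTTPS.
    $https = !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off";

    session_set_cookie_params(
        0,       // lifetime 0: cookie is dropped when the browser closes
        "/",     // path "/": the browser sends it to /sample/ and /demo/ alike
        "",      // domain: empty means the current host only
        $https,  // secure: on an HTTPS site, never send the ID over plain HTTP
        true     // httponly: the cookie is not readable from JavaScript
    );
    session_start();
}

// Call once in the first project, right after the password has been verified.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);      // discard the pre-login session ID
    $_SESSION["UserID"] = $username;  // kept server-side, never in the cookie
}

// Guard for a page in the second project: trust only the server-side session,
// never a username, password or numeric ID supplied in a cookie.
function require_login(string $loginUrl): string
{
    if (empty($_SESSION["UserID"])) {
        header("Location: " . $loginUrl);
        exit();
    }
    return $_SESSION["UserID"];
}

start_shared_session();
// "/sample/login.php" is a placeholder for the first project's login page.
$user = require_login("/sample/login.php");
```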