Why is cookie never set after login validation?

  • Franco Cassar
    New Member
    • Jan 2011
    • 13

    Ok, so far I have always used JSP and Servlets for my web programming, but now I needed to make use of PHP... and I'm stuck at something really basic: setcookie.

    The form works fine, and it checks with the database for the username/pass ok (because when I supply good credentials I return back to the homepage, and with bad credentials it appends the error parameter with the URL).

    Anyway, the cookie is never set. The browser never receives a cookie. This is my login.php.

    Code:
    <?php
    $host="*********"; // Host name
    $username="****"; // Mysql username
    $password="***"; // Mysql password
    $db_name="************"; // Database name
    $tbl_name="users"; // Table name
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("ERROR: Cannot connect to MySQL Server on 'localhost'.<br/><br/><i>Remember this is only a prototype demo!<br/>Franco</i>");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form
    $myusername=$_POST['uname'];
    $mypassword=$_POST['pass'];
    
    // To protect against MySQL injection
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query($sql);
    
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    
    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){
        // Create cookie
        $hour = time()+3600;
        setcookie('ID_group_planner', $_POST['myusername'], $hour);
        setcookie('Key_group_planner', $_POST['mypassword'], $hour);
        header("location:index.php");
    }
    else {
        header("location:index.php?login_error=1");
    }
    ?>
    Thanks a lot! Really appreciate your help at this.
  • guillermobytes
    New Member
    • Jan 2010
    • 77

    #2
    Are you sure there are no spaces at the beginning of your script, or anything that would be sent before the header(location ...) is called?

    Cookies are sent along with headers, so make sure they are set before headers are sent. And make sure headers are not sent before you think they are... :)

    Let me know.

    • Markus
      Recognized Expert Expert
      • Jun 2007
      • 6092

      #3
      See this note.

      • Franco Cassar
        New Member
        • Jan 2011
        • 13

        #4
        Well that is the whole script. There is absolutely nothing else in the login.php file. Unless I understood you incorrectly that is.

        • Franco Cassar
          New Member
          • Jan 2011
          • 13

          #5
          @Markus: Thanks! Let me try :)

          • Franco Cassar
            New Member
            • Jan 2011
            • 13

            #6
            No. Still doesn't create it...

            Modified code is like this:

            Code:
            if($count==1){
                // Create cookie
                $hour = time()+3600;
                header("location:index.php");
                setcookie('ID_group_planner', $_POST['myusername'], $hour);
                setcookie('Key_group_planner', $_POST['mypassword'], $hour);
            }
            else {
                header("location:index.php?login_error=1");
            }

            • Franco Cassar
              New Member
              • Jan 2011
              • 13

              #7
              Okay, solved it. The problem lay in

              Code:
              $_POST['myusername']
              myusername isn't the name of a POST parameter but of the fixed version of the username.

              Thanks for the help though :)

              • guillermobytes
                New Member
                • Jan 2010
                • 77

                #8
                I'm not sure, but I think you had better use your sanitized $myusername variable rather than the $_POST['anything'];
                I don't know how that could be exploited but, I mean, if you already sanitized your variable, better use it...

                • Franco Cassar
                  New Member
                  • Jan 2011
                  • 13

                  #9
                  Yep. In fact I fixed it to use $myusername instead of the original variable.

                  Thanks again guys! :)

                  • Markus
                    Recognized Expert Expert
                    • Jun 2007
                    • 6092

                    #10
                    You wouldn't have needed to post this question had you turned on error reporting ;)

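Added example, not part of the thread and not the poster's code: a login handler that follows what the replies point at (read the real form fields `uname` and `pass`, turn error reporting on, send nothing before the headers) and keeps the username and password out of cookies by using a server-side session. It assumes PHP 7.3+ with PDO SQLite; the in-memory table, the `franco` account and its password are constructed, and `check_login()` is a hypothetical helper name.

```php
<?php
// Added example, not from the thread. Development settings: show every notice,
// including the "Undefined index: myusername" that hid the original bug.
error_reporting(E_ALL);
ini_set('display_errors', '1');
// Constructed stand-in for the users table (in-memory SQLite, hashed password).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['franco', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Returns true when the submitted credentials match a stored hash.
function check_login(PDO $db, array $post): bool
{
    // Read the names the form actually sends: uname and pass.
    $user = isset($post['uname']) && is_string($post['uname']) ? $post['uname'] : '';
    $pass = isset($post['pass']) && is_string($post['pass']) ? $post['pass'] : '';
    if ($user === '' || $pass === '') {
        return false;
    }
    // Bound parameters replace stripslashes() + mysql_real_escape_string().
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed request; in a real handler pass $_POST instead.
$post = ['uname' => 'franco', 'pass' => 'constructed-password'];

if (check_login($db, $post)) {
    // Keep identity server-side; the browser only gets a random session ID.
    session_set_cookie_params([
        'lifetime' => 3600, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);   // fresh ID after login limits session fixation
    $_SESSION['username'] = $post['uname'];
    $target = 'index.php';
} else {
    $target = 'index.php?login_error=1';
}
// Cookies travel in the headers, so nothing may be output before this point.
if (headers_sent($file, $line)) {
    exit("Output already started at $file:$line, cookie and redirect were lost");
}
header('Location: ' . $target);
```

The `secure` flag means the session cookie is only sent over HTTPS, and `display_errors` belongs in development only; in production log errors instead of displaying them.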