newbie: cookie not visible until next loading
Hey
php 5.2.0
I'm developing a web site by using php. Registered users of the web site can
login to get access to member area. All the pages in the web site contain a
DIV which shows the name of the logged in person. The PROBLEM is that after
a person has logged in the name of the user isn't displayed. But it becomes
visible if the user clicks on one of the pages in the web site...
This is as described in the php manual:
"Cookies will not become visible until the next loading of a page that the
cookie should be visible for."
I'm thinking of creating a dummy page which does nothing but redirect the
user to the correct page. Hope maybe this can solve the problem mentioned
above... , I'm not sure this is a good approach... maybe you have a better
approach, then please share it with me.. Because I'm stuck on this error
Best Regards
Jeff
| |
|
I suppose you could have a bit of javascript on your login submit
button, might work, eg:
<FORM>
<INPUT TYPE="button" onClick="history.go(0)" VALUE="RefreshSubmit">
</FORM>
or you could use a header redirect after the setcookie to reload the
page, eg:
setcookie("whatever","whatever");
header("Location: http://www.example.com/"); /* Redirect browser */
exit; /* stop the script so nothing else is sent after the redirect */
| |
|
Jeff wrote:
> Hey
>
> php 5.2.0
>
> I'm developing a web site by using php. Registered users of the web
> site can login to get access to member area. All the pages in the web
> site contain a DIV which shows the name of the logged in person. The
> PROBLEM is that after a person has logged in the name of the user
> isn't displayed. But it becomes visible if the user clicks on one of the
> pages in the web site...
>
> This is as described in the php manual:
> "Cookies will not become visible until the next loading of a page
> that the cookie should be visible for."
>
> I'm thinking of creating a dummy page which does nothing but redirect
> the user to the correct page. Hope maybe this can solve the problem
> mentioned above... , I'm not sure this is a good approach... maybe you
> have a better approach, then please share it with me.. Because I'm
> stuck on this error
>
> Best Regards
Well, if the users are logged in they already had a pagechange at login.
It sounds to me the logic to determine whether a user has logged in is done
late in the page, while it should be one of the first to be checked. If the
'login'(check) part of the script is before the logic to display the
username all should be well.
--
Rik Wasmus
| |
| Dennis Kehrig 2007-02-15, 8:00 am |
Jeff wrote:
> I'm developing a web site by using php. Registered users of the web
> site can login to get access to member area. All the pages in the web
> site contain a DIV which shows the name of the logged in person.
> The PROBLEM is that after a person has logged in the name of the user
> isn't displayed. But it becomes visible if the user clicks on one of the
> pages in the web site...
Sounds to me like you are storing the actual login data as a cookie.
This is a bad idea since anyone with access to that computer can read the
cookie value and therefore knows the password.
Or you just send the username, which would be even more insecure,
because then anyone can send a cookie to your website with any username
he wants and be therefore considered "logged in".
You might want to consider using sessions.
http://de3.php.net/manual/en/features.sessions.php
<?php
session_start();
....
// loginIsCorrect() stands for your own credential check
if (loginIsCorrect($_POST["username"], $_POST["password"])) {
    $_SESSION["username"] = $_POST["username"];
}
?>
Start the session on every page you need security clearance and check
whether $_SESSION["username"] is set. session_start() sends and later
uses a cookie with a session ID so that the session (i.e. the variable
$_SESSION) is restored with every page load. This way, the value you
want to print ($_SESSION["username"]) is set right away.
If you insist on further using just the cookie, then you could do
something like this:
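<?php
$username = ""; // default when neither the cookie nor the POST value is present
if (isset($_COOKIE["username"])) {
    $username = $_COOKIE["username"];
} elseif (isset($_POST["username"])) {
    $username = $_POST["username"];
}
// Both values come from the client, so escape them before writing them into HTML
echo '<div class="Username">'.htmlspecialchars($username, ENT_QUOTES).'</div>';
?>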
This applies if the name of the form field that contains the username is
"username". Either the cookie is set or the POST value (after logging in).
> This is as described in the php manual: "Cookies will not become
> visible until the next loading of a page that the cookie should be
> visible for."
Yes. Your script sends a header along with the HTML code that sets the
Cookie. Only then the browser knows of the cookie and can send it along
with the next request (which happens when he clicks a link).
> I'm thinking of creating a dummy page which does nothing but redirect
> the user to the correct page. Hope maybe this can solve the problem
> mentioned above... , I'm not sure this is a good approach... maybe you
> have a better approach, then please share it with me.. Because I'm
> stuck on this error
In most cases I do a redirect after handling a POST request anyway.
This is to avoid the alert box that pops up if you reload a website that
was requested via POST (try to login, then reload). So you could do it
this way:
if (isset($_POST["username"]) && isset($_POST["password"]))
{
    setcookie("username", $_POST["username"]);
    header("Location: login_complete.php");
    exit();
}
Best regards
Dennis
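
The session approach and the redirect after POST from the reply above, combined in one page, as an added example that is not part of the original thread. login_is_correct(), the demo account and member.php are hypothetical; the array form of session_set_cookie_params() needs PHP 7.3 or later, and the secure flag assumes the site is served over HTTPS.

```php
<?php
// Added example: session-based login with a redirect after POST.
// login_is_correct(), the demo account and member.php are hypothetical.
function login_is_correct(string $user, string $pass): bool
{
    static $users = null;   // constructed demo account; a real site reads its user table
    if ($users === null) {
        $users = ['jeff' => password_hash('demo-password', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

session_set_cookie_params([
    'httponly' => true,     // session cookie is not readable from JavaScript
    'secure'   => true,     // session cookie is only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (is_string($user) && is_string($pass) && login_is_correct($user, $pass)) {
        session_regenerate_id(true);     // fresh session ID at login (no session fixation)
        $_SESSION['username'] = $user;   // kept server-side, set in this same request
        header('Location: member.php');  // redirect so a reload does not re-send the POST
        exit;
    }
    $error = 'Login failed';
}

// On every page: the displayed name comes from the session, never from a client cookie.
$name = $_SESSION['username'] ?? 'Not logged in';
?>
<div class="Username"><?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?></div>
<?php if ($error !== ''): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
```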
| |
| Michael 2007-02-15, 6:59 pm |
|
"Dennis Kehrig" <MailNews@DennisKehrig.de> wrote in message
news:53j26eF1snulbU1@mid.dfncis.de...
> Jeff wrote:
>
>
> Sounds to me like you are storing the actual login data as a cookie.
> This is a bad idea since anyone with access to that computer can read the
> cookie value and therefore knows the password.
> Or you just send the username, which would be even more insecure, because
> then anyone can send a cookie to your website with any username he wants
> and be therefore considered "logged in".
>
> You might want to consider using sessions.
> http://de3.php.net/manual/en/features.sessions.php
>
> <?php
> session_start();
>
> ...
> // loginIsCorrect() stands for your own credential check
> if (loginIsCorrect($_POST["username"], $_POST["password"])) {
>     $_SESSION["username"] = $_POST["username"];
> }
> ?>
>
> Start the session on every page you need security clearance and check
> whether $_SESSION["username"] is set. session_start() sends and later uses
> a cookie with a session ID so that the session (i.e. the variable
> $_SESSION) is restored with every page load. This way, the value you want
> to print ($_SESSION["username"]) is set right away.
>
> If you insist on further using just the cookie, then you could do
> something like this:
>
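> <?php
> $username = ""; // default when neither the cookie nor the POST value is present
> if (isset($_COOKIE["username"])) {
>     $username = $_COOKIE["username"];
> } elseif (isset($_POST["username"])) {
>     $username = $_POST["username"];
> }
> // Both values come from the client, so escape them before writing them into HTML
> echo '<div class="Username">'.htmlspecialchars($username, ENT_QUOTES).'</div>';
> ?>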
>
> This applies if the name of the form field that contains the username is
> "username". Either the cookie is set or the POST value (after logging in).
>
>
> Yes. Your script sends a header along with the HTML code that sets the
> Cookie. Only then the browser knows of the cookie and can send it along
> with the next request (which happens when he clicks a link).
>
>
> In most cases I do a redirect after handling a POST request anyway.
> This is to avoid the alert box that pops up if you reload a website that
> was requested via POST (try to login, then reload). So you could do it
> this way:
>
> if (isset($_POST["username"]) && isset($_POST["password"]))
> {
> setcookie("username", $_POST["username"]);
> header("Location: login_complete.php");
> exit();
> }
>
> Best regards
>
> Dennis
The way I do it:
- On the login page, when the login is correct I set the cookie with
setcookie and then explicitly fill the corresponding $_COOKIE[...] value.
This will not require any extra code, depending on whether or not the login
took place this page load, either the username is in the $_COOKIE and the
user is logged in, or neither.
- I store not the username, but the User ID in the cookie. From the
password, login information and a hard-coded salt string I then construct a
kind of "hash key" which is stored in another cookie. When a page needs the
user information, I retrieve the user record from the database, construct a
hash key from the password information inside and check it against the
stored cookie. Anyone can read out the hash cookie, but unless they know a)
the user password and b) how the hash key is constructed, it will be of no
use.
Good luck!
Kind regards
Michael.
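
A keyed variant of the user-ID-plus-hash cookie described above, as an added example (not Michael's code). It uses an HMAC with a server-side secret, so the check does not depend on the construction staying unknown, and it adds an expiry; SECRET_KEY, the token layout, the function names and the sample records are assumptions.

```php
<?php
// Added example: signed "user ID" login cookie value.
// SECRET_KEY, the token layout and all names here are assumptions.
const SECRET_KEY = 'placeholder-replace-with-random-bytes-stored-outside-the-code';

function make_token(int $userId, string $passwordHash, int $expires): string
{
    // The MAC covers user ID, expiry and the stored password hash, so changing
    // the password invalidates cookies issued earlier.
    $mac = hash_hmac('sha256', $userId . '|' . $expires . '|' . $passwordHash, SECRET_KEY);
    return $userId . '|' . $expires . '|' . $mac;
}

function verify_token(string $token, callable $lookupPasswordHash, int $now): ?int
{
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;                                  // malformed cookie
    }
    [$userId, $expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return null;                                  // expired
    }
    $passwordHash = $lookupPasswordHash((int) $userId);
    if ($passwordHash === null) {
        return null;                                  // no such user
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires . '|' . $passwordHash, SECRET_KEY);
    // hash_equals() compares in constant time, unlike == or strcmp()
    return hash_equals($expected, $mac) ? (int) $userId : null;
}

// Constructed sample records standing in for the user table.
$db = [
    42 => '$2y$10$constructedSampleHashForUser42',
    7  => '$2y$10$constructedSampleHashForUser7',
];
$lookup = function (int $id) use ($db): ?string {
    return $db[$id] ?? null;
};

$now   = time();
$token = make_token(42, $db[42], $now + 3600);
$forged = preg_replace('/^42\|/', '7|', $token);      // same MAC, user ID swapped

var_dump(verify_token($token, $lookup, $now));        // genuine cookie value
var_dump(verify_token($forged, $lookup, $now));       // tampered cookie value
```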