Desbrina Jadeite

Joined: 11 Jun 2005 Posts: 2963 Location: Earth
Posted: Mon Feb 04, 2008 11:20 am Post subject: checking a cookie

I'm using this to check to see if I'm logged in

Code:
if($_COOKIE['mttcg']['u'] != 'Desbrina') {
    die("Please log in");
}

Which works fine for me
I'm trying to add a second person to the check. I tried changing it but it always says please log in. What's the correct way of checking if it's either me logged in (Desbrina) or the other admin (Lunix)?
_________________
Midnight Tempest - A Sailor Moon TCG
Balanced Force - A Star Wars TCG

ClickFanatic Est. 2005

Joined: 18 Jan 2005 Posts: 3877 Location: A particular geographic area
Posted: Mon Feb 04, 2008 3:58 pm Post subject:

First of all, it is not secure to rely solely on cookies to check the login status of a visitor. A malicious visitor could set their cookie to contain the required value and gain certain permissions you probably do not want to give away.
To find out what is causing your problem, I would recommend taking a look at the way the cookies are set. Make sure that the cookie is set properly when the required conditions are met.
_________________
Captain Jell-O Buster from the Future

Desbrina Jadeite

Joined: 11 Jun 2005 Posts: 2963 Location: Earth
Posted: Wed Feb 06, 2008 4:09 am Post subject:

I've found out it works fine if I have it like this

Code:
if($_COOKIE['mttcg']['u'] == 'Desbrina' || $_COOKIE['mttcg']['u'] == 'Lunix') {
} else {
    die("Please log in");
}

but not if I have it the way I had it originally, which I don't understand

Quote:
First of all, it is not secure to rely solely on cookies to check the login status of a visitor. A malicious visitor could set their cookie to contain the required value and gain certain permissions you probably do not want to give away.

What's another good way to use as well as cookies?

krt ...

Joined: 11 Jan 2005 Posts: 4619 Location: Down Under
Posted: Wed Feb 06, 2008 5:22 am Post subject:

Quote:
but not if I have it the way I had it originally, which I don't understand

Probably messed up with not this nor this syntax, it can be a bit tricky.

Quote:
What's another good way to use as well as cookies?

Not "as well as", cookies should at most be to resume a session, a la "remember me", and backed with a changing hash that expires and/or takes into account user agent and IP. Sessions are the recommended method, www.php.net/sessions

Desbrina Jadeite

Joined: 11 Jun 2005 Posts: 2963 Location: Earth
Posted: Wed Feb 06, 2008 6:06 am Post subject:

My original coding for it was

Code:
if($_COOKIE['mttcg']['u'] != 'Desbrina' || $_COOKIE['mttcg']['u'] != 'Lunix') {
    die("Please log in");
}

I used to use sessions, but didn't like the fact they expired when you closed the browser, and someone recommended using cookies instead of sessions

krt ...

Joined: 11 Jan 2005 Posts: 4619 Location: Down Under
Posted: Wed Feb 06, 2008 6:56 am Post subject:

Your conditional would only accept a string which is both Desbrina and Lunix (which is not possible).
Regarding sessions and expiry times, read what I said again. I took into account expiration of sessions. Basically, sessions are used primarily, but a session can be "resumed" with a cookie. Note that the cookie must be hard to fake, and must have some protection against those that get access to the contents of the cookie, hence the IP and user agent used in hash computation and expiry times. A cookie with username=x doesn't come close to the cut.
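
The scheme krt describes (session first, resumed from a hard-to-fake cookie), as an added example that is not part of the original thread: the cookie carries an HMAC over the user name, an expiry time and the user agent instead of a bare username. `SECRET_KEY`, `ADMINS`, `LIFETIME`, the `remember` cookie name and both function names are assumptions, and IP binding is left out.

```php
<?php
// Added example, not code from the thread. SECRET_KEY, ADMINS, LIFETIME, the
// cookie name "remember" and both function names are illustrative assumptions.
const SECRET_KEY = 'REPLACE-WITH-LONG-RANDOM-SERVER-SIDE-SECRET'; // placeholder
const ADMINS = ['Desbrina', 'Lunix'];
const LIFETIME = 1209600; // 14 days in seconds

// Cookie value: user|expiry|HMAC-SHA256(user|expiry|user agent).
function make_token(string $user, string $agent, int $now): string {
    $expires = $now + LIFETIME;
    $mac = hash_hmac('sha256', "$user|$expires|$agent", SECRET_KEY);
    return "$user|$expires|$mac";
}

// Returns the user name if the token is authentic, unexpired and was issued
// to this user agent; null otherwise.
function check_token(string $token, string $agent, int $now): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null; // malformed or expired
    }
    $expected = hash_hmac('sha256', "$user|$expires|$agent", SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // forged, or presented by a different user agent
    }
    return in_array($user, ADMINS, true) ? $user : null;
}

session_start(); // the session is the primary login state
$agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$cookie = $_COOKIE['remember'] ?? null;
if (!isset($_SESSION['user']) && is_string($cookie)) {
    $user = check_token($cookie, $agent, time());
    if ($user !== null) {
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        // Re-issue the cookie so its value and expiry change on each resume.
        setcookie('remember', make_token($user, $agent, time()),
                  time() + LIFETIME, '/', '', true, true); // Secure, HttpOnly
    }
}
if (!in_array($_SESSION['user'] ?? null, ADMINS, true)) {
    die("Please log in");
}
```

A password login would set `$_SESSION['user']` and issue the first cookie with `make_token()`. A hand-edited cookie such as `remember=Desbrina` fails the part-count check, and one with a guessed MAC fails `hash_equals()`.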