
PHP login system

14 replies to this topic

#1
welton122

    Learning Programmer

  • Members
  • 76 posts
Hi all,

OK, I have successfully created a site which uses a PHP login system. The system uses cookies to pass and find out various pieces of information about that user. This works fine when the user is on their home computer, but when I tried it out at college, people found out that once someone logged in, the other user was being logged into that same account. I think this is because each member has a unique number which is passed through the site and used to determine what is shown to the user. What I believe to be happening is that a cookie is being stored, but instead of being stored on the individual computer it is being stored on the college server. What I need to know is: is that actually possible in the first place, and how can I overcome it? I was thinking about overcoming it via sessions, but I'm not sure if this would work.

Mainly I was after some advice and possibly tutorials.

Many Thanks,
J

#2
WingedPanther

    A spammer's worst nightmare

  • Moderators
  • 16,831 posts
The cookie has to be stored on two computers, the server and the client. What the server does with the cookie is another matter, and can vary widely.
Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

#3
welton122

    Learning Programmer

  • Members
  • 76 posts
I'm sorry, but I don't quite understand your post. Can you explain?

#4
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
Let's say you log in to login.php. You send the username and password to PHP, and Apache will send back a Set-Cookie header. Your browser will store the cookie in its own way, in its own space on the hard drive. This means that browser B cannot see browser A's cookies. Definitely computer B cannot see computer A's cookies.

You may wish to re-test your claim, giving us steps on your actions, to better clarify what is actually wrong in your application logic here to help us.

To clarify one thing though: your college server may use the same external IP, so in that case it is not advisable to handle people by their IP alone; that may be your (or one along the road) problem.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#5
welton122

    Learning Programmer

  • Members
  • 76 posts
If the problem is being caused by them having the same external IP, what can be done about this?

#6
bythos

    Newbie

  • Members
  • 14 posts
Any reason why you don't base your login system off PHP session?

#7
welton122

    Learning Programmer

  • Members
  • 76 posts
No, there is no reason for that; in fact I am going to use sessions instead of cookies to do this. I will let you know if it works or not.

#8
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
Sessions store a session cookie to the user to keep the session alive; cookies should only be used to keep track between sessions (i.e. the browser is closed), such as storing their user ID or choices.

#9
SoN9ne

    Programmer

  • Members
  • 129 posts

welton122 said:

No, there is no reason for that; in fact I am going to use sessions instead of cookies to do this. I will let you know if it works or not.

Good idea. You should be using the PHP session object anyways. Cookies are unsafe and can be easily hacked.
PHP Session does set a cookie to identify the session. You should never rely on cookies for system information, especially logged-in status.

You should do some research about session hijacking and fixation.
There is a decent code snippet located here by tedivm at tedivm dot com.
I wrote my own session object using a method similar to the one in the post. Sessions are perfect for what you need but they do require some finesse.

I won't let any script use a cookie unless it is absolutely necessary... and it's never necessary.
Cookies are as unreliable as $_REQUEST and should be treated the same. I empty both on script processing.

It seems like you are heading in the right direction, hope it works out for ya.
"Life would be so much easier if we only had the source code."
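
Added example, not part of the thread or any poster's code: a minimal sketch of the session-based login discussed above, keeping the user ID in `$_SESSION` instead of a client-supplied cookie and regenerating the session ID at login as the usual countermeasure to the session fixation mentioned in post #9. It assumes PHP 7.4 or later served over HTTPS; `find_user()`, the sample account and the other function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample user store (hypothetical); a real site would query its database.
function find_user(string $name): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 17, 'hash' => password_hash('example-pass', PASSWORD_DEFAULT)]];
    return $users[$name] ?? null;
}

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the session ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $name, string $password): bool
{
    $user = find_user($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh ID at login, old one deleted (anti-fixation)
    $_SESSION['user_id'] = $user['id'];   // identity is held server-side
    return true;
}

function current_user_id(): ?int
{
    // Replaces the pattern of trusting $_COOKIE['user_id'], which the client can set freely.
    return $_SESSION['user_id'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();
}
```

Every page calls `start_secure_session()` before any output and decides what to show from `current_user_id()`, never from a value the browser sent.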

#10
welton122

    Learning Programmer

  • Members
  • 76 posts
Thanks for all the replies, I have altered my site to use sessions instead of cookies (if you wanna check it out then click here). I didn't realize how unsafe cookies were, but hey, I'm learning :D.

Many thanks once again.
J

#11
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
It's really clean, although when you look at source, the <html> tag ends and there's another doctype, you may wish to fix that! Maybe some weird include() you are doing?

#12
phpdeveloper

    Newbie

  • Members
  • 13 posts
I have tested your system. In the register section there is one error: one email ID can have different user names, meaning I can use one email ID with different user names. Also, put in a CAPTCHA to avoid spamming. Why don't you use AJAX in the register form?