Rafael Adamy

Reputation: 93

PHP: setting cookies and retrieving them?

I'm making a login system with PHP, and when I submit the correct information, it sets a cookie. The form action sends to the same page, which has an isset cookie verification on top, but since cookies need a refresh after they're set, you need to refresh the page another time so it can notice that the cookies are there.

What's a workaround for it? Here's my code (where username and password are "admin" just as a placeholder. When I get the system working, I'll pull values from the database.)

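<?php 
if(isset($_COOKIE['user']))
{ 
// Expire the cookie before any output: setcookie() sends a header, which fails once echo has run.
if(isset($_GET['logout']))
{
    // $_POST['username'] is not set on this GET request, so clear the cookie with an empty value.
    setcookie("user", "", time() - 3600); 
}
echo "Hello, administrator.<br />";
echo "<a href=\"?logout=yes\">logout</a>";
}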
else
{
 if (isset($_POST['submit'])) 
 {
     if (($_POST['username']=="admin")&&($_POST['password']=="admin"))
     {
          setcookie("user", $_POST['username'], time() + 3600); 
     }
     else
     {
         echo "empty field or wrong user/pass.";
     }
 }
 else
 {
     echo "nothing submitted. show form.";
 }
}
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); /* PHP_SELF is request-controlled, so escape it */ ?>" method="post"> 
<table border="0"> 
<tr><td colspan="2"><h1>Login</h1></td></tr> 
<tr><td>Username:</td><td> 
<input type="text" name="username" maxlength="40"> 
</td></tr> 
<tr><td>Password:</td><td> 
<input type="password" name="password" maxlength="50"> 
</td></tr> 
<tr><td colspan="2" align="right"> 
<input type="submit" name="submit" value="Login"> 
</td></tr> 
</table> 
</form> 

Upvotes: 0

Views: 153

Answers (3)

Laurent Bourgault-Roy

Reputation: 2814

Unless you absolutely need to use a custom cookie, I would suggest using the $_SESSION global instead. $_SESSION data is available as soon as you set it. But its more important feature is that the data is not stored on the client. What that means, in plain terms, is that the user can never access its data. So it is harder to hack your login system. With a cookie, as others have pointed out, anybody can read and edit the data!

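session_start();

if (isset($_GET['logout']))
{
    unset($_SESSION['username']);
}
// isset() guards avoid "undefined index" notices when nobody is logged in or nothing was posted
if (isset($_SESSION['username']) && $_SESSION['username'] == 'admin')
{
    echo "hello admin!";
}
else if (isset($_POST['username'], $_POST['password']) && ($_POST['username']=="admin")&&($_POST['password']=="admin"))
{
     $_SESSION['username'] = $_POST['username'];
}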

To use the $_SESSION global, you need to put session_start() at the beginning of your script (before sending any data). It should solve your problem of redirection at the same time. Note that behind the scenes, $_SESSION uses a small cookie, but you don't really have to think about it. It only contains a small id.

More information on sessions:

http://www.php.net/manual/en/book.session.php

PS: To be honest, I would still use a redirect here. When you POST a form and press the back button, the browser asks you to send the data again, and it's annoying. Using a redirect with header("Location: " . $newUrl); removes that annoyance. But just my 2 cents.

Upvotes: 1

dev-null-dweller

Reputation: 29482

You can make your own function to set cookies, i.e.:

function my_setcookie($name,$value,$expire){
    // Mirror the value into $_COOKIE so the current request sees it too
    $_COOKIE[$name] = $value;
    return setcookie($name,$value,$expire);
}

But a better idea is to redirect the user after a successful 'POST' request, so if the page is refreshed, the browser won't complain about resending POST data.

Upvotes: 0
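
A session-based version of the login page with the redirect after POST that the answers by Laurent Bourgault-Roy and dev-null-dweller recommend, as an added example that is not code from any poster in this thread. The `$users` array with its `password_hash()` value is a constructed stand-in for the database lookup, and `redirect_self()` is a hypothetical helper.

```php
<?php
// Constructed stand-in for a database row (assumption): user 'admin', password 'admin'.
$users = ['admin' => password_hash('admin', PASSWORD_DEFAULT)];

session_set_cookie_params([
    'httponly' => true,    // session id is not readable from JavaScript
    'samesite' => 'Lax',   // not sent on cross-site POSTs
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
]);
session_start();           // must run before any output

// Post/Redirect/Get: answer every POST with a redirect so a refresh never resends the form.
// SCRIPT_NAME is used instead of PHP_SELF because it carries no request-supplied path info.
function redirect_self(): void {
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['logout'])) {
        $_SESSION = [];
        session_destroy();
    } else {
        $name = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
        $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
        if (isset($users[$name]) && password_verify($pass, $users[$name])) {
            session_regenerate_id(true);    // fresh id at login, old one is discarded
            $_SESSION['username'] = $name;  // kept server-side; the client only holds the id
        } else {
            $_SESSION['error'] = 'Empty field or wrong user/pass.';
        }
    }
    redirect_self();
}

$error = $_SESSION['error'] ?? '';          // one-shot message carried across the redirect
unset($_SESSION['error']);
?>
<?php if (isset($_SESSION['username'])): ?>
  <p>Hello, <?= htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') ?>.</p>
  <form method="post"><button name="logout" value="1">logout</button></form>
<?php else: ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <form method="post">
    <input type="text" name="username" maxlength="40">
    <input type="password" name="password" maxlength="50">
    <input type="submit" value="Login">
  </form>
<?php endif; ?>
```

Because the login state is read on the GET that follows the redirect, the page shows the greeting without a manual refresh, and editing the cookie in the browser only changes the session id, not the stored username.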

David

Reputation: 4361

$loggedin = false;
if(isset($_POST['submit'])) {
 // Do login checking and set cookies
 $loggedin = true; // if the case
}else if(isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
  // Check if valid login
  $loggedin = true; // if the case
}else{
  // They are not logged in.
}

Then use the variable $loggedin to see if they are logged in. I suggest making a user class though to handle this, so you don't keep using the same code over and over again in your files.

Upvotes: 0
