I have the following code, when a user logs in, they are presented with two text boxes and a checkbox.
Setting the three cookies, username
, password
and remember
all work and the log in script itself is comepletely fine (I appreciate that storing hashed passwords in the cookie isn't best practice but for now it will do).
What happens though, is id the user re-visits the login.php
page (this one) while they are already logged in the cookies are removed one-by-one as the $_POST condition is not being met and therefore the lines below are being executed. How can I prevent this from happening. Also, any suggestions to clean up the code as I will no doubt end up with a lot of repeated code will be appreciated. Thanks
snippet from the 'login.php' page below
} elseif (!$_POST['remember']) {
$past = time() - 100;
if (isset($_COOKIE['remember'])) {
setcookie('remember', '', $past);
} elseif (isset($_COOKIE['username'])) {
setcookie('username', '', $past);
} elseif (isset($_COOKIE['password'])) {
setcookie('password', '', $past);
}
}
login.php
<?php
session_start();
include("includes/config.php");
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<?php
$odb = new PDO("mysql:host=" . DB_SERVER . ";dbname=" . DB_NAME, DB_USER, DB_PASS);
$username = "";
$password = "";
if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
$username = $_COOKIE['username'];
$password = $_COOKIE['password'];
} elseif (isset($_POST['username'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$password = md5(DB_SALT.$password);
}
$sql = "SELECT * from tblMembers WHERE username = :username";
$query = $odb->prepare($sql);
$query->execute(array(":username" => $username));
$results = $query->fetchAll();
if($results !== FALSE && $query->rowCount()>0) {
if($results[0]['passwordHash'] == $password) {
$_SESSION['username'] = $username;
$_SESSION['userID'] = $results[0]['userID'];
if($_POST['remember']) {
$month = time() + (60 * 60 * 24 * 30);
setcookie('remember', $_POST['username'], $month);
setcookie('username', $_POST['username'], $month);
setcookie('password', $results[0]['passwordHash'], $month);
} elseif (!$_POST['remember']) {
$past = time() - 100;
if (isset($_COOKIE['remember'])) {
setcookie('remember', '', $past);
} elseif (isset($_COOKIE['username'])) {
setcookie('username', '', $past);
} elseif (isset($_COOKIE['password'])) {
setcookie('password', '', $past);
}
}
header("Location: "."index.php");
} else {
echo "password incorrect";
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
Username:
<?php
if(isset($_COOKIE['username'])) {
echo "<input type=\"text\" id=\"username\" name=\"username\" maxlength=\"40\" value=".$_COOKIE['username'].">";
} else {
echo "<input type=\"text\" id=\"username\" name=\"username\" maxlength=\"40\" value=\"\">";
}
?>
Password: <input type="password" id="password" name="password" maxlength="50">
Remember Me:
<?php
if(isset($_COOKIE['remember'])) {
echo "<input type=\"checkbox\" id=\"remember\" name=\"remember\" checked=\"checked\">";
} else {
echo "<input type=\"checkbox\" id=\"remember\" name=\"remember\">";
}
?>
<input type="submit" id="submit" name="submit" value="Log In">
</form>
</body>
</html>