Your code structure needs some heavy refining, if you insist on using cookies, so be it, but it is recommended (in comments and by others) to use $_SESSION instead of cookies (as their data contents are stored more securely and use cookies to communicate with the end user in the same way).
Reform your code to now do:
if (password match){
//password check
}
elseif (cookie match){
//cookie check
}else {
//unauthorised. (You should redirect).
}
So
if (password_verify($pass, $PassConfirm)){
/***
Password is matched with the hash so now set the cookie
***/
//set cookie - I will say more about this further down...
setcookie("loggedIn", "true", time() + (86400 / 24), "/");
}
elseif ($_COOKIE['loggedIn'] == "true") {
/***
Cookie data found so assumed correct. carry on.
***/
}
else{
echo 'You are not logged in';
/***
Some form of error handling. Typcially a header() statement and page redirection
***/
header("Location: index.php");
exit;
}
// Now your "rest of code" activity can begin here safe in the
// knowledege that only people with passwords or cookies will reach this part.
Please read up about PHP Password Verify and the corresponding Password_hash functions.
Your cookie checks can and will be manipulated, make an improvement by using SESSIONS, which also handle lifetimes and logging in and out much easier as well.
for failed states such as the else statement you should ideally not stay on the same page and redirect the user to another page via an intermediary page which will clear the cookie/session data and "clean" their associated data.
Please read the notes from the manual for setcookies, including:
Cookies will not become visible until the next loading of a page that
the cookie should be visible for. To test if a cookie was successfully
set, check for the cookie on a next loading page before the cookie
expires. Expire time is set via the expire parameter. A nice way to
debug the existence of cookies is by simply calling
print_r($_COOKIE);.
Cookies must be deleted with the same parameters
as they were set with. If the value argument is an empty string, or
FALSE, and all other arguments match a previous call to setcookie,
then the cookie with the specified name will be deleted from the
remote client. This is internally achieved by setting value to
'deleted' and expiration time to one year in past.
Because setting a
cookie with a value of FALSE will try to delete the cookie, you should
not use boolean values. Instead, use 0 for FALSE and 1 for TRUE.
Which should be enough for you to get a clear idea on whatyou've done wrong with your cookies:
If output exists prior to calling this function, setcookie() will fail
and return FALSE. If setcookie() successfully runs, it will return
TRUE. This does not indicate whether the user accepted the cookie.
- So an associated cause is that your string cookie content value is looking like a boolean variable (due to PHP generally loose type casting), so try using a numeric equivilant boolean value
0 or 1 and that should appear correctly.
So:
if(setcookie("loggedIn", 1, time() + 3600, "/", "", false, true)){
print "Biscuit has been set!";
}
And after a page reload (note you should update your code check further up this code sample to look [more] similar to this piece here):
if($_COOKIE['loggedIn'] == true){
//cookie exists!
}
If you are still having problems then I recommend using PHP Error logging and/or print_r($_COOKIE); at the top of your PHP page.
- Use Sessions. They're much easier and safer.
