Quick cookies question

Supermercado

Diamond Member
Jan 18, 2002
5,893
0
76
I've never done much with cookies before now but I'm trying to use them in a redesign of one of my sites and I'm having a bit of trouble getting it to work correctly.

I have a login page that sets cookies called "username" and "password" and I'm using the "/" domain, basing that off the PHP manual for setcookie() saying that the cookie will be available across the entire domain. I originally wasn't setting the domain and the cookie was showing up as only available in the /new/ directory (which is the directory on my domain that I'm developing the site in), so I changed it to "/". At any rate, I set the cookie in a PHP file directly under the /new/ directory. The problem lies when I try to access that cookie from /new/anotherdirectory. Even though I set the domain to /, it's not getting the data from the cookie.

It's entirely possible that I'm making some stupid newbie error. I hope that's what it is, anyway. Any ideas why the cookie works just fine when the PHP file is directly under /new/, but not when it's under a subdirectory of /new/ ? Thanks for any help on this.
 

stndn

Golden Member
Mar 10, 2001
1,886
0
0
First, check to make sure the cookie is actually set up and has the data you wanted.
(Assuming Windows)

On MSIE, you can go to C:\Documents and Settings\-your_windows_login_name-\Cookies and look at which text file your cookie belongs to, and see if your data is there.

On Firefox/Mozilla, open up the cookie manager (on Moz it is Tools > Cookie Manager > Manage Stored Cookies, not sure about Fox), scroll down and find your cookie and see if the value is there.

It will also help for you to just dump the cookie variable and see what's stored there.

print_r ($_COOKIE);

And one more thing, in case you missed it, you can only see the cookie you set on the next time you load the page. So if you press 'login' and set the cookie, you won't be able to read it until next time you call some other script.
 

Supermercado

The cookie is there and works. On the front page, anyway. In the directory where I set the cookie. The site is a page for a friend and me, and I have written an admin console for us to add/edit/delete from the page; there's an admin login that sets a username and a password cookie. There's also a "members" area for other people to log in and view protected parts of the site. That just sets a cookie containing the password. The problem is when I'm in that members area (or any page that's in a subdirectory of the directory where I set the cookie), I can't get access to the admin cookie. And when users log in to the protected page, logging in works, but it's working only from the session variable and not the cookie that's set. I've tried referencing the cookie by using $_COOKIE['/subdirectory/cookiename'] but that's not working even though when I look at the cookie manager, it's there and the path is set to the name of the subdirectory.

I guess I'll try using print_r and see if I can figure anything out. I need to get this stuff straightened out.
 

Supermercado

Just did print_r($_COOKIE) and in the subdirectories, the cookie array is empty. If the cookie is set in the / directory, do I need to do something different to get access to the cookie when I'm in a subdirectory? That looks like what the problem may be.
 

stndn

Are they in a different subdomain, or just a different directory?
If it's a different subdomain, you'll need to set up the subdomain where the cookie is going to be valid as well.

However, you cannot set cross-domain or cross-subdomain cookies for security reasons (and a good reason for that).

setcookie ('username', 'stndn', time() + 86400, '/', '.mysite.com'); # To set cross-subdomain cookies

To access:
$_COOKIE['username']; # Shouldn't matter where it's accessed from, since I set it up to work from anywhere.

Btw, $_COOKIE['/subdirectory/cookiename'] is not valid ;)
 

Supermercado

Just different directory. In doing some research trying to find the solution to the problem, I saw that cookies across domains or subdomains weren't going to work, which makes sense, but I also saw where cookies in a subdirectory should work. I'm setting the cookies with path "/", which ought to work, as far as I can tell. Do I need to put the domain as the subdomain on my server? (The fact that it's subdomain.domain.com shouldn't matter, right, as long as all of the scripts that are using the cookies are in that subdomain?)
 

Supermercado

Any other ideas?

I tried using print_r($_COOKIE) and print_r($_SESSION) because I'm having an issue with that as well. The cookie and session information shows up in the root of my subdomain but I can't access any of that as far as print_r is concerned. I have a login script on one of the subdirectory pages and once I log in to that page, the session variable is good because I can move around freely in those protected pages and I can leave the site and come back and it still works. So long as I don't close the browser; then I have to log in again and I'm trying to prevent having to log in every time using the cookie. I see no reason why it shouldn't work, but for some reason, it doesn't. Is it possible that there's a PHP setting somewhere that I need to have changed?
 

stndn

Hmmm...
If it's fine with you, can you post the PHP command that sets your cookie and how they are being called?
Probably we could work something out from there.
 

Supermercado

I have 3 cookies that I'm using at the moment, although if it's working, I think I should just need 2. I have one called ideas-username which is the admin cookie that my friend and I get when we log in to the admin portion of the site. The other is ideas-password, which I ultimately want both the two admins and all users to get when they log in. I want to set that cookie for the admin users when we log in to the admin portion of the site and for the regular users when they log in to one of the normal protected pages. I want to use the username cookie to put a link to the admin page on each page for my friend and me. That's the cookie that I'm having trouble seeing in the subdirectories.

That's probably a hard-to-read mess, but I'll be more than happy to try to clarify it if it's not understandable or the code isn't what you were wanting to see.

I really appreciate your help on this.
 

stndn

Hmmm...
I tried running your script in my test PHP and the cookie is set correctly.
And you said you have the cookie set, right?

Do you have a command somewhere that unsets the cookie? Something like
setcookie("ideas-username","");
setcookie("ideas-password","");

Or could it be that your browser is blocking cookies?
Although I think it's a very low chance, due to the fact that the cookie can be accessed if you're in subdirectory....

Anyways, try out this code and run the page twice, see if you have the cookie set:
<?php
setcookie("ideas-username","user",time()+99999999,"/");
setcookie("ideas-password","pass",time()+99999999,"/");
setcookie("ideas-password","something",time()+99999999,"/subdirectory");

print_r ($_COOKIE);
?>

It's basically the same code as what you have, but I took out the if() statements and what not.
On my computer (when run from document_root), it shows two cookies on second run: ideas-username=>user and ideas-password=>pass

If you can see the two cookies when you rerun the script, then something is not right in your script.
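
An added example, not part of any post in this thread: the path rules a browser applies to the three cookies from the test script above, following RFC 6265 (default path and path matching). The request paths are constructed for illustration, and the code assumes PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Implements RFC 6265 path rules.

// Path a cookie gets when setcookie() is called without a path argument.
function defaultPath(string $requestPath): string
{
    $slash = strrpos($requestPath, '/');
    if ($requestPath === '' || $requestPath[0] !== '/' || $slash === 0) {
        return '/';
    }
    return substr($requestPath, 0, $slash);
}

// True if a cookie scoped to $cookiePath is sent with a request for $requestPath.
function pathMatches(string $requestPath, string $cookiePath): bool
{
    if ($requestPath === $cookiePath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;
    }
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

// What $_COOKIE would hold: longer paths are listed first, and PHP keeps the first value of a repeated name.
function cookiesSent(array $jar, string $requestPath): array
{
    $sent = [];
    usort($jar, fn($a, $b) => strlen($b['path']) <=> strlen($a['path']));
    foreach ($jar as $c) {
        if (pathMatches($requestPath, $c['path']) && !isset($sent[$c['name']])) {
            $sent[$c['name']] = $c['value'];
        }
    }
    return $sent;
}

// Constructed jar: the three setcookie() calls from the test script.
$jar = [
    ['name' => 'ideas-username', 'value' => 'user',      'path' => '/'],
    ['name' => 'ideas-password', 'value' => 'pass',      'path' => '/'],
    ['name' => 'ideas-password', 'value' => 'something', 'path' => '/subdirectory'],
];
foreach (['/index.php', '/subdirectory/page.php', '/subdirectoryX/page.php'] as $p) {
    echo $p, ' => ', json_encode(cookiesSent($jar, $p)), "\n";
}
echo defaultPath('/new/members/login.php'), "\n";
```

A cookie set without a path from a script inside a subdirectory is scoped to that subdirectory, so pages above it never receive it, while a cookie with path "/" is sent to every page on the host.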
 

torpid

Lifer
Sep 14, 2003
11,631
11
76
I don't understand why you are setting any of those cookies if you can just validate them once and store that they are validated server-side in a session area. Storing their username and password in a cookie is not really all that secure. In addition to it being in a text file on the client's computer, it is sent by the client in clear text with every request made to the server.
 

Supermercado

I'll try that when I get home, stndn. I'm at work right now so I don't really have a chance to give it a shot.

I'm setting the cookies because I don't want them to have to log in every time they visit the site. Once the user logs in, I want them to be logged in for good and be able to move freely about the site until the cookie is unset, either by logging out, the user clearing the cookie, or any other way that it could be done. If there's a way to do that without cookies, then I'm all for it because like you said, passing it in clear text isn't necessarily the best idea. Although security isn't really a huge issue with this site; it's just a small site for my friends and me but I want the password protection (with something less clumsy than htaccess which I was using previously) to keep out random users.
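
An added example, not part of any post in this thread: one way to keep users logged in across browser restarts, as Supermercado wants, without putting the username or password in a cookie, as torpid advises. The cookie name, the lifetime and the in-memory $store (standing in for a database table) are assumptions, and the code assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. $store stands in for a database
// table; the cookie name and lifetime are assumptions.
const REMEMBER_COOKIE = 'ideas-remember';
const REMEMBER_TTL    = 30 * 86400; // 30 days

// At login, after the password has been checked once: hand the browser a
// random "selector:validator" pair and keep only a hash of the validator.
function issueRememberToken(array &$store, string $user): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// On a later visit with no session: map the cookie back to a user, or null.
function checkRememberToken(array $store, string $cookie): ?string
{
    [$selector, $validator] = array_pad(explode(':', $cookie, 2), 2, '');
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time.
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['user'] : null;
}

// Path "/" makes the cookie visible in every subdirectory of the site.
function sendRememberCookie(string $value): bool
{
    return setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed demo: a login issues a token, later requests present it.
$store  = [];
$cookie = issueRememberToken($store, 'admin');
var_dump(checkRememberToken($store, $cookie));       // token as issued
var_dump(checkRememberToken($store, $cookie . 'x')); // altered validator
```

On a real page, sendRememberCookie() has to run before any output, and a successful checkRememberToken() would then populate $_SESSION so later requests use the session alone.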
 

Supermercado

I tried running print_r($_COOKIE) from within one of my actual scripts instead of running it from my header.inc.php and footer.inc.php which is where I had been calling it from previously. When I did that, the cookies were showing up. I changed the way those are referenced, but I'm not sure that's what caused it to work. I changed another thing (one of my if statements) to check to see if the cookie was not set and if it wasn't, to send the user to the login page, otherwise, display the page. I was trying to do it with sessions before and something was preventing that from working. I think it's working right now, though. I guess we'll see how it goes once I give it a more thorough test.

I want to thank you again for your help, though.