7

I currently have a cookie set as follows:

setcookie("username",$username,time()+3600*24*5);

How would I go about clearing the value of that cookie so that the user's username isn't filled in anymore?

I have it cleared as follows:

setcookie("username","",time()-60000);

The user's username still comes up though.

The HTML form:

<?php
    session_start();

    $username = NULL;
    $password = NULL;

    if(isset($_SESSION['username'])){
        $username = $_COOKIE['username'];
        $password = $_COOKIE['password'];
    }
?>
<html>
    <title>Login</title>
    <body bgcolor='#000000'>
        <font color="white">
    <H2><div align='center'>Login</div></H2>
    <form align='center' action='login.php' method='POST'>
            Username: <input type='text' name='username' value='<?$_COOKIE['username']?>'><br \>
            Password: <input type='password' name='password' value='<?$password?>'><br \>
            Remember Me <input type='checkbox' name='remember' value='rememberme'><br \>
            <input type='submit' value='Login'>
        </form>
        </font>
    </body>
</html>

The PHP script to handle the form:

<?php
    session_start();

    $username = $_POST['username'];
    $password = $_POST['password'];

    //Hash password in a new variable
    $password2 = md5($password);

    require_once "/home/a7435766/public_html/scripts/dbconnect.php";

    $query = mysql_query("SELECT * FROM userstwo WHERE username = '$username' && password = '$password2'");

    if((mysql_num_rows($query)) != 0) {
        //Store username and password in a cookie
        if($_POST['remember'] == 'rememberme') {
            setcookie("username",$username,time()+3600*24*5,'','.ohjustthatguy.com');
            setcookie("password",$password,time()+3600*24*2,'','.ohjustthatguy.com');
        } else {
            setcookie("username","",time()-10,'','.ohjustthatguy.com');
            setcookie("password","",time()-10,'','.ohjustthatguy.com');
    }
        $_SESSION['username'] = $username;
        header('Location: http://www.ohjustthatguy.com/uploads/uploads.html');
        } else {
        header('Location: http://www.ohjustthatguy.com/uploads/');
    }
?>

Original sources on pastebin

reevesy
  • 3,452
  • 1
  • 26
  • 23
Jason
  • 109
  • 1
  • 2
  • 10
  • What happens if the user changes their username cookie? Can they log in as a different user? – Nick ODell Jun 11 '11 at 23:30
  • Maybe it's a PHP error. Is this a valid statement if(isset($_COOKIE['username']) && isset($_COOKIE['password'])) – Jason Jun 11 '11 at 23:49
  • It's valid, but it's bad practice. – Nick ODell Jun 12 '11 at 00:08
  • What's the proper way to do it? – Jason Jun 12 '11 at 00:51
  • Use $_SESSION. The user can't change data in that array. – Nick ODell Jun 12 '11 at 01:20
  • What if the session is destroyed upon leaving the page? The cookie will still remain, but the session will not. – Jason Jun 12 '11 at 01:40
  • No, $_SESSION persists until the cookie representing it is destroyed or the session times out or you call session_destroy(). Take a look at this tutorial: http://www.tizag.com/phpT/phpsessions.php – Nick ODell Jun 12 '11 at 01:57
  • Check out the two pastebin links I posted above. I would greatly appreciate it if you could look at it and see if you see a problem. – Jason Jun 12 '11 at 02:00
  • 1
    You have a security hole. What happens if you put `' || ''='` into the password field? – Nick ODell Jun 12 '11 at 02:17
  • I don't understand what you mean. – Jason Jun 12 '11 at 02:36
  • See http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain – Nick ODell Jun 12 '11 at 04:09
  • No, I understand that. I don't understand what you are telling me to put in, and where you want me to put it. Can you send me the snippet of the code where that should be inserted? – Jason Jun 12 '11 at 04:16
  • No, that's not code I want to you insert, but imagine if a user typed that into the username field. Read http://www.unixwiz.net/techtips/sql-injection.html to find out how to mitigate this. – Nick ODell Jun 12 '11 at 06:21
  • http://pastebin.com/inwsRCdf would that do the trick? – Jason Jun 12 '11 at 15:06
  • Nope. The username field is unfiltered. Also, there's no need to do XSS filtering on the password field if it's going to be MD5'd. Also, that's not good enough if you want to filter XSS. You also need to protect against a million other tags, like `object` or `media`. Also, when I recommended $_SESSION, I meant that you should store the username in it. I'm guessing that a user could comprimise your code by changing the username cookie. Also, why does it set username and password to expire at different times? Edit, can you mail me at nickodell@gmail.com? I found a major vulnerability. – Nick ODell Jun 13 '11 at 21:59
  • I get a virus check error when I goto this site BTW. `Location: ohjustthatguy.com The requested location contains malicious content, identified as Troj/Skiddie-A and was blocked from downloading.` – Chud37 Mar 11 '13 at 10:01
  • possible duplicate of [Remove a cookie](http://stackoverflow.com/questions/686155/remove-a-cookie) – Zuul Oct 03 '13 at 18:10

3 Answers3

11

Be sure that you delete the cookie with the same domain name and path with which you set it. Cookies for example.com and www.example.com will be treated as two different cookies. Similarly, cookies set from example.com and example.com/Support will have different paths. A good practice is to use .example.com as the domain and '/' as the path for username type cookies so that they can be shared across your subdomains too.

To debug this, you can use the FireCookie plugin of Firefox which'll show all this information.

Mithun Satheesh
  • 27,240
  • 14
  • 77
  • 101
Chandranshu
  • 3,669
  • 3
  • 20
  • 37
  • 1
    My case was it was keeping the wrong path, by 'Default'. I was setting the cookie from a different page while deleting it from some other page in other path. Thanks! – Tom Jun 02 '13 at 12:23
7

Setting its expiration to some time in the past should clear it:

setcookie("username",$username,time()-10);

If you're using PHP sessions to manage users, you'll probably also want to session_destroy()

Christopher Armstrong
  • 7,907
  • 2
  • 26
  • 28
1

You really should not store your users password in a cookie, especially if you are not using HTTPS! The password will be sent in plaintext over the network for every requests! Also, never send back a user his password, this is nerver a good idea.

François Lavigne
  • 64
  • 4