
I have a very simple PHP password protected page. I'd like to add a session cookie so the browser will stay logged (say for 7 days).

Here is my current code:

<?php
// SHA-1 of the expected password; the submitted value is hashed and the two
// hashes are compared, so the plaintext never appears in the source.
$password = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";

// isset() avoids an "undefined index" notice on the first (GET) visit, and
// hash_equals() compares the two hashes in constant time instead of with ==.
if (isset($_POST['password']) && hash_equals($password, sha1($_POST['password']))) {
?>

Password Protected Content

<?php
} else {
?>
<html>
    <head>
        <title>Login Page</title>
    </head>
    <body>
        <!-- PHP_SELF is attacker-influenced; escape it before echoing into the form action -->
        <form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
        Password: <input type="password" name="password" class="formpart" />
        <input type="submit" name="Submit" value="Login" class="login-button" />
        </form>
    </body>
</html>
<?php
}
?>

I have no idea where to start, so I'd really appreciate some help. Thanks in advance!

Harold Dunn

2 Answers

Please have a look at these things for PHP:

Also your code will never jump into the password protected content block.

$password = "password";

if (sha1($_POST['password']) == $password) {

Let's say you entered the right password ("password"), so the if would ask:

if 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 equals password.

You are using hashing, but that is not needed here.

Community
  • As for the session timeout, keeping sessions sitting around for a week is usually a pretty bad idea. – cHao Jul 14 '13 at 03:44
  • I have already looked into session_start() and such but have no idea how to integrate this into my code above. Also, I just used "password" as a quick example here, my real password is hashed with sha1. – Harold Dunn Jul 14 '13 at 03:45
  • Simply put session_start() at the top of the PHP file and set a $_SESSION entry called loggedIn, then add to the if-line `isset($_SESSION["loggedIn"]) && $_SESSION['loggedIn']` – Dennis Ziolkowski Jul 14 '13 at 03:49
  • **P.S.:** Surely not the best solution! And cHao is right, follow this! – Dennis Ziolkowski Jul 14 '13 at 03:50

Your requirement is a very classic practice. You can read a tutorial here: http://www.phpnerds.com/article/using-cookies-in-php/2

Notes:

  • Compare hash to hash
  • Never save your plain-text password in a cookie
  • More secure: don't save hashed passwords in cookies like the tutorial does. Just store a hashed session code and use a DB session table to map it to the user's sessions.

Hope it helps.

Tu Hoang
  • "Never save [the] plain-text password in [a] cookie" -- in that case, never store *any* password in a cookie. Hashed or not. Hashing doesn't help there; even if you store a hashed password, that becomes just as good as the real password authentication-wise. That's the whole point of putting the password in a cookie in the first place. – cHao Jul 14 '13 at 03:50
  • Thanks for your correction. That note was added for the sake of phpnerds' tutorial. I also suggested a more secure solution. – Tu Hoang Jul 14 '13 at 03:57
  • Thanks for that tutorial, exactly what I needed. As for this being a not so secure solution - I know. But it should work fine for my use. – Harold Dunn Jul 14 '13 at 04:06
  • If by your use you mean: "Only I, and no one else but myself will have access to this application" then I guess you're right, but I would err on the safe side, and choose not to store a password in a cookie. It's bad practice. Remember that old habits die hard. – ILikeTacos Jul 14 '13 at 04:34
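The approach from the comments above (a `$_SESSION['loggedIn']` flag) combined with the second answer's note (a random session code whose hash lives in a DB table, no password in the cookie), written out as an added example that is not code from the question or either answer. It assumes PHP 7.3+ (for the `setcookie()` options array), SQLite through PDO as a stand-in for whatever DB table holds the sessions, and `password_hash()`/`password_verify()` in place of the question's bare SHA-1.

```php
<?php
// Added example, not the question's or either answer's code. A "remember me"
// token replaces keeping a password in the cookie: the cookie carries a random
// token, the server stores only its hash plus an expiry. SQLite via PDO is an
// assumption standing in for whatever DB table holds the sessions.
declare(strict_types=1);
const REMEMBER_DAYS = 7;
// Placeholder: paste the output of password_hash('your-password', PASSWORD_DEFAULT).
const PASSWORD_HASH = '$2y$10$REPLACE_WITH_REAL_HASH';

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS remember_tokens
            (token_hash TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)');
    }
    return $pdo;
}
// Called once after a successful password check: issue a 256-bit random token,
// store only its SHA-256 (a leaked table yields nothing reusable), set the cookie.
function issueRememberToken(): void {
    $token   = bin2hex(random_bytes(32));
    $expires = time() + REMEMBER_DAYS * 86400;
    db()->prepare('INSERT INTO remember_tokens VALUES (?, ?)')
        ->execute([hash('sha256', $token), $expires]);
    setcookie('remember', $token, ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
// Accept the cookie only if its hash is in the table and not yet expired.
function hasValidRememberToken(): bool {
    $raw = $_COOKIE['remember'] ?? '';
    if ($raw === '' || !ctype_xdigit($raw)) {
        return false;
    }
    $stmt = db()->prepare('SELECT expires_at FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $raw)]);
    $expires = $stmt->fetchColumn();
    return $expires !== false && (int) $expires > time();
}

session_start();   // must run before any output, as must setcookie()
if (isset($_POST['password']) && password_verify($_POST['password'], PASSWORD_HASH)) {
    $_SESSION['loggedIn'] = true;
    issueRememberToken();
} elseif (empty($_SESSION['loggedIn']) && hasValidRememberToken()) {
    $_SESSION['loggedIn'] = true;
}
$loggedIn = !empty($_SESSION['loggedIn']);   // gate the protected content on this
```

Deleting the row for a token's hash (or the whole table) revokes every "remembered" browser server-side, which a password-in-cookie scheme cannot do without changing the password.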