
Once the user signs in (in login.php) they are redirected to control.php. If they close the browser and reopen control.php they are asked to resubmit the form. How can I use the cookie I set up, instead of resubmitting the form?

login.php

```php
<?php
session_start(); /* Starts the session */
$logins = array('username' => 'pass12');
if (isset($_COOKIE['userME']) && isset($_COOKIE['passME'])) { // if cookie is set do this
    $Username = $_COOKIE['userME'];
    $Password = $_COOKIE['passME'];
    // Debug output; note that it is sent before the header() call below
    echo htmlspecialchars($Username.'-'.$Password);
    if (isset($logins[$Username]) && $logins[$Username] === $Password) {
        /* Success: Set session variables and redirect to Protected page */
        $_SESSION['UserData']['Username'] = $Username;
        header("location:control.php");
        exit;
    } else {
        /* Unsuccessful attempt: Set error message */
        $msg = "<span style='color:red'>1Invalid Login Details</span>";
    }
} else { // else new person
    /* Check Login form submitted */
    if (isset($_POST['Submit'])) {
        /* Check and assign submitted Username and Password to new variable */
        $Username = isset($_POST['Username']) ? $_POST['Username'] : '';
        $Password = isset($_POST['Password']) ? $_POST['Password'] : '';

        /* Check Username and Password existence in defined array */
        if (isset($logins[$Username]) && $logins[$Username] === $Password) {
            /* Success: Set session variables and redirect to Protected page */
            $_SESSION['UserData']['Username'] = $Username;
            /* The plaintext password is written to a cookie here (the practice the comments and answer object to) */
            setcookie('userME', $Username, time()+60*60*24*10, '/', '71.12.145.29');
            setcookie('passME', $Password, time()+60*60*24*10, '/', '71.12.145.29');
            header("location:control.php");
            exit;
        } else {
            /* Unsuccessful attempt: Set error message (submitted values are HTML-escaped) */
            $msg = "<span style='color:red'>2Invalid Login Details:".htmlspecialchars($Username.'-'.$Password)."</span>";
        }
    }
}
?>

<form action="" method="post" name="Login_Form">
  <table width="400" border="0" align="center" cellpadding="5" cellspacing="1" class="Table">
    <?php if(isset($msg)){?>
    <tr>
      <td colspan="2" align="center" valign="top"><?php echo $msg;?></td>
    </tr>
    <?php } ?>
    <tr>
      <td colspan="2" align="left" valign="top"><h3>Login</h3></td>
    </tr>
    <tr>
      <td align="right" valign="top">Username</td>
      <td><input name="Username" type="text" class="Input"></td>
    </tr>
    <tr>
      <td align="right">Password</td>
      <td><input name="Password" type="password" class="Input"></td>
    </tr>
    <tr>
      <td> </td>
      <td><input name="Submit" type="submit" value="Login" class="Button3"></td>
    </tr>
  </table>
</form>
```

control.php

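```php
<?php
session_start();
if (isset($_SESSION['UserData']['Username'])) {
    // Greeting moved into the authenticated branch so nothing is output before a redirect
    if (isset($_COOKIE['userME'])) {
        echo "Hello, ".htmlspecialchars($_COOKIE['userME']).'<br>';
    }
    if (isset($_POST['submit'])) {
        switch ($_POST['submit']) {
            case 'room_light':
                // execute code here
                break;
            case 'blink':
                echo shell_exec("sudo ruby /home/pi/Desktop/PiControl/blinkPin1.rb");
                break;
        }
    }
    ?>

    <form method="post">
    <input type="submit" name="submit" value="room_light">
    </form>
    <?php
} else {
    // No session (for example after the browser was closed): back to the login form
    header("location:login.php");
    exit;
}
?>
```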
Rilcon42
  • In control.php why not use `if(isset($_COOKIE['userME']) && isset($_COOKIE['passME'])){ // do something }` as you already have it in the other file; have you tried that? That should work. – Funk Forty Niner Apr 16 '15 at 16:06
  • Plus, storing passwords in cookies isn't a very good idea. http://stackoverflow.com/q/2100356/ --- http://stackoverflow.com/q/3928630/ --- http://security.stackexchange.com/questions/9455/is-it-safe-to-store-the-password-hash-in-a-cookie-and-use-it-for-remember-me-l – Funk Forty Niner Apr 16 '15 at 16:11
  • That is putting it mildly *Ralph*. @Fred-ii- Yikes! – Jay Blanchard Apr 16 '15 at 16:14
  • Wile E. holding up *YIPES!* sign Sam @JayBlanchard Get ready for the *big fall*. – Funk Forty Niner Apr 16 '15 at 16:15
  • I take back my first comment; you shouldn't be storing passwords in cookies, but to set a different cookie. However, this is a sensitive area to be wandering in. – Funk Forty Niner Apr 16 '15 at 16:18

1 Answer


The usual way to deal with this is to actually create three web pages:

  1. A form web page, that displays the form and on submission sends to page 2;
  2. A checking web page, that checks the password, sets the cookie(s) and immediately redirects to page 3;
  3. A result web page, that uses the cookie set by page 2.

Thus, when reloading page 3, it will immediately reuse the cookie set by page 2.

Besides, you should avoid storing the password in a cookie. You could at least store in the cookie `hash('sha256', $password)`, and check against the (precomputed) hashes of passwords.

This way, the password never resides on disk and only in memory, which is better for security reasons. You can check out more information on this subject using the following links, courtesy of Fred -ii-: Is it secure to store passwords in cookies?; php, is there a safe way to store password in cookies?; Is it safe to store the password hash in a cookie and use it for “remember-me” login?

There would be even better hashing schemes, such as salting with random values, but that would perhaps complicate things too much for the application you're writing.

Ekleog
  • Feel free and don't be shy to add the links I left under OP's question [in this comment](http://stackoverflow.com/questions/29680025/form-resubmits-every-time-page-is-reloaded#comment47497851_29680025), as future reference, should my comment disappear. – Funk Forty Niner Apr 16 '15 at 16:23
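
The remember-me flow discussed in the answer and comments, as an added example that is not part of the original posts: it keeps the three-page split but puts a random single-use token in the cookie (the "different cookie" suggested in the comments) instead of the password or its hash. `TOKEN_FILE`, the `rememberME` cookie name and all function names are assumptions, and the code assumes PHP 7.3+ served over HTTPS.

```php
<?php
// Added example, not the asker's or answerer's code. TOKEN_FILE, rememberME and
// the function names are assumptions; a database table would replace the file.
const TOKEN_FILE = __DIR__ . '/remember_tokens.json';
const TOKEN_TTL  = 60 * 60 * 24 * 10; // 10 days, the lifetime used in the question

function loadTokens(): array {
    $raw = is_file(TOKEN_FILE) ? file_get_contents(TOKEN_FILE) : false;
    return $raw === false ? [] : (json_decode($raw, true) ?: []);
}

function saveTokens(array $tokens): void {
    file_put_contents(TOKEN_FILE, json_encode($tokens), LOCK_EX);
}

// Page 2 of the answer: call once the submitted password has been verified.
function issueRememberCookie(string $username): void {
    $token  = bin2hex(random_bytes(32));   // unguessable, unrelated to the password
    $tokens = loadTokens();
    $tokens[hash('sha256', $token)] = ['user' => $username, 'exp' => time() + TOKEN_TTL];
    saveTokens($tokens);                   // the server keeps only the token's hash
    setcookie('rememberME', $token, [
        'expires' => time() + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax', // assumes HTTPS
    ]);
}

// Page 3 (control.php): call after session_start() and before any output.
function restoreLogin(): bool {
    if (isset($_SESSION['UserData']['Username'])) {
        return true;                       // session is still alive
    }
    $token = $_COOKIE['rememberME'] ?? null;
    if (!is_string($token)) {
        return false;
    }
    $tokens = loadTokens();
    $key    = hash('sha256', $token);
    $entry  = $tokens[$key] ?? null;
    unset($tokens[$key]);                  // each token is accepted once
    saveTokens($tokens);
    if (!is_array($entry) || $entry['exp'] < time()) {
        return false;                      // unknown or expired token
    }
    session_regenerate_id(true);
    $_SESSION['UserData']['Username'] = $entry['user'];
    issueRememberCookie($entry['user']);   // rotate: fresh token for the next visit
    return true;
}
```

In `control.php`, `if (!restoreLogin()) { header("location:login.php"); exit; }` would replace the session-only check, so reopening the browser no longer forces the form. A stolen cookie then exposes one expiring token rather than the password.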