
I've fixed my login page to create a user entry with an insert statement, and the logout button on the next page deletes the user, but the issue is that when I click log-in the user becomes registered but my page does not redirect to the next page automatically; I have to refresh the page and then it leads to the next page because the user is seen as logged in. This is my code:

```php
<head>

<?php
if(isset($_POST["Logout"])){
    $saveuser = $_COOKIE["user"];
    $savepass = $_COOKIE["password"];
    $hostname='localhost';
    $username='root';
    $password='';

    try {
        $dbh = new PDO("mysql:host=$hostname;dbname=cs266db_db1",$username,$password);
        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line
        $sql3 = "DELETE FROM userid
   WHERE user='".$saveuser."' AND password='".$savepass."'";
        if ($dbh->query($sql3)) {
            echo "<script type= 'text/javascript'>alert('Logged out');</script>";
        }
        else{
            echo "<script type= 'text/javascript'>alert('Data not successfull.');</script>";
        }

        $dbh = null;
    }
    catch(PDOException $e) {
        echo $e->getMessage();
    }

    unset($_COOKIE["user"]);
    unset($_COOKIE["password"]);
}
?>

<?php
if(isset($_POST["submit"])){
    $cookie_user = $_POST["user"];
    $cookie_pass = $_POST["password"];
    setcookie("user", $cookie_user, time() + (86400), "/");
    setcookie("password", $cookie_pass, time() + (86400), "/");

    $hostname='localhost';
    $username='root';
    $password='';
    try {
        $dbh = new PDO("mysql:host=$hostname;dbname=cs266db_db1",$username,$password);

        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line
        $sql2 = "INSERT INTO userid
   VALUES ('".$cookie_user."','".$cookie_pass."')";
        if ($dbh->query($sql2)) {
            echo "<script type= 'text/javascript'>alert('Register Complete');</script>";
        }
        else{
            echo "<script type= 'text/javascript'>alert('Data not successfull.'); </script>";
        }
        $dbh = null;
    }
    catch(PDOException $e) {
        echo $e->getMessage();
    }
}
?>

<?php
if(!isset($_COOKIE["user"])) {
    echo"<form action="."''"."method="."post".">";
    echo"<input type='"."text'"." name='"."user'"." placeholder='"."Enter Username'"." required/><br><br>";
    echo"<input type='"."password'"." name='"."password'"."  placeholder='"."Enter Password'"." required/><br><br>";
    echo"<input type='"."submit'"." name='"."submit'"." value='"."  Register'"."/>";
    echo"</form>";
}
else {
    header("Location: index_1.php"); /* Redirect browser */
    exit();
}
?>

</head>
```

Also, when I log out the user is deleted correctly, but then when I load the page from NetBeans it takes me to index_1 because it seems the cookie was not deleted? Any help would be great! Again, my question is how to redirect it correctly to index_1 and how to properly delete the cookie when I log out.

  • if you want to remove a cookie use `setcookie` http://php.net/manual/en/function.setcookie.php, `$_COOKIES` assignments and unsets won't work at all – Kamil Karkus Apr 19 '16 at 22:38
  • When I use **setcookie** the logout button does not work though – Dillon Burke Apr 19 '16 at 22:49
  • Why are you saving the password to a cookie? That is not a good idea from a security standpoint. Especially if it's not even encrypted. You should not need the password at any point after login. – Rasclatt Apr 19 '16 at 23:06
  • Also you should not be injecting variables right into the sql statement like that. Since you are using PDO, you should be using bind. – Rasclatt Apr 19 '16 at 23:07
  • Also, there is no real need to create two connections separately as you have it. You just need one connection that you can use in both cases. If you create a function (or class if you are savvy that way), you can wrap your connection and keep it on a separate included page at the top. – Rasclatt Apr 19 '16 at 23:09
  • Lastly, if you are not really concerned about being stateless, you might have better luck using `$_SESSION` instead of cookies. Cookies can be refused by the client browser. – Rasclatt Apr 19 '16 at 23:10
  • My professor wants us to use cookies for the project, also do you understand why my log-in button doesn't redirect? – Dillon Burke Apr 19 '16 at 23:15
  • Probably/maybe because you can not put `header()` after you have output to the browser. That could be one reason for sure. Very rarely a redirect will still work after output, but more often than not, it will not redirect. – Rasclatt Apr 19 '16 at 23:18
  • At the very top of the page, you should add error reporting, that would help you troubleshoot. `` – Rasclatt Apr 19 '16 at 23:19
  • Your script should be: DB Connection, `if/else` logic, (header if required with `exit;`), output to browser. Further, you don't need to do all that crazy `echo` on the form stuff. Do `HEREDOC` or close/open php tags/html: `?> html` – Rasclatt Apr 19 '16 at 23:22
  • Ok, I got past the login page, thank you very much @Rasclatt – Dillon Burke Apr 19 '16 at 23:33
  • **WARNING**: When using PDO you should be using prepared statements and supply any user data as separate arguments. Using string concatenation or interpolation can cause severe [SQL injection bugs](http://bobby-tables.com/). [Using PDO properly is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and a guide like [PHP The Right Way](http://www.phptherightway.com/) can help with this and other problems. You have **severe** injection bugs in this code that need to be fixed. – tadman Apr 19 '16 at 23:40
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.2/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and never store passwords as plain-text. – tadman Apr 19 '16 at 23:41

1 Answer

In all occurrences of the closing and opening PHP tags, remove the blank line. Also remove the <head> tag and all the blank lines and spaces at the top of your code (thanks, @Rasclatt).

Long story short, you should have continuous PHP code. The cause of the problem is described here. You do not see the problem because you turned off error reporting.

Instead of:

```php
.
.
.
?>

<?php
.
.
.
```

should be:

```php
.
.
.


.
.
.
```

Alternative solution: use JavaScript redirect instead of HTTP redirect.
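Putting the thread's comments (prepared statements with bound parameters, `setcookie()` with a past expiry to delete a cookie, no password in the cookie, one connection) together with this answer's point (continuous PHP, nothing sent to the browser before `header()`), here is an added example rewrite of the page's script; it is not the asker's or the answerers' code. It assumes the same `userid` table with `user` and `password` columns (the `password` column wide enough for a `password_hash()` result) and the same `index_1.php` target.

```php
<?php
// Added example: one continuous PHP block; nothing is sent to the browser
// before header(), so the redirect actually takes effect.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Single connection reused by both the register and the logout branch.
$dbh = new PDO('mysql:host=localhost;dbname=cs266db_db1', 'root', '');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (isset($_POST['Logout']) && isset($_COOKIE['user'])) {
    // Bound parameter instead of string concatenation: no SQL injection.
    $stmt = $dbh->prepare('DELETE FROM userid WHERE user = :user');
    $stmt->execute([':user' => $_COOKIE['user']]);

    // unset($_COOKIE[...]) only changes PHP's local copy; the browser keeps
    // the cookie. Re-sending it with an expiry in the past deletes it.
    setcookie('user', '', time() - 3600, '/');
    unset($_COOKIE['user']); // local copy, so the form below is shown now
}

if (isset($_POST['submit'])) {
    $user = $_POST['user'];
    // Store a hash, never the plain-text password, and keep the password
    // out of the cookie entirely: only the username identifies the visitor.
    $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
    $stmt = $dbh->prepare('INSERT INTO userid (user, password) VALUES (:user, :pass)');
    $stmt->execute([':user' => $user, ':pass' => $hash]);

    setcookie('user', $user, time() + 86400, '/', '', false, true); // HttpOnly
    header('Location: index_1.php');
    exit;
}

if (isset($_COOKIE['user'])) {
    header('Location: index_1.php');
    exit;
}
// Only now does output start: the form for visitors without a cookie.
// (The cookie is still client-controlled, which is why the comments
// recommend $_SESSION when the assignment does not require cookies.)
?>
<form action="" method="post">
  <input type="text" name="user" placeholder="Enter Username" required><br><br>
  <input type="password" name="password" placeholder="Enter Password" required><br><br>
  <input type="submit" name="submit" value="Register">
</form>
```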
