I am working with the "Remember" feature in a modal form. I tried to set the cookie only when I send the checkbox value while logging in. But whenever I log out of my account, the cookie still exists each time. Also, when I print the $_COOKIE[] array, I find some SESSION_ID. Help me find the mistake.

Modal Form

<form role="form" method="post" id="login_Modal_checks">
  <div class="form-group has-error">
    <label for="username"><span class="glyphicon glyphicon-user"></span> Username</label>
    <input type="text" class="form-control" name="loginUsername" id="loginUsername" placeholder="Enter username"
           value="<?php if(isset($_COOKIE['username'])) {echo $_COOKIE['username'];} ?>">
  </div>

  <div class="form-group has-error">
    <label for="psw"><span class="glyphicon glyphicon-pencil"></span> Password</label>
    <input type="password" class="form-control" name="loginPassword" id="loginPassword" placeholder="Enter password"
           value="<?php if(isset($_COOKIE['pass'])) {echo $_COOKIE['pass'];} ?>">
    <i style="cursor: pointer" id="seePass" title="Click here to see password" class="glyphicon glyphicon-eye-open"></i>
  </div>

  <div class="checkbox">
    <label><input type="checkbox" id="remember" <?php if(isset($_COOKIE['username'])) { ?> checked <?php } ?>>
      Remember me
    </label>
  </div>

  <a id="login_Modal" class="btn btn-success btn-block"><span class="glyphicon glyphicon-off"></span> Login</a>
</form>

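JavaScript Code

$('#login_Modal').click(function (e){
    e.preventDefault();
    // read the values from the form fields shown above
    var username = $('#loginUsername').val();
    var password = $('#loginPassword').val();
    var remember = $('#remember').val();
    $.ajax({
        url: "form_login_process.php",
        type: 'POST',
        data:{'Username':username,'Password':password,'Remember' : remember},
        success: function (data)
        {
            //alert(data);
        }
    });
});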

form_login_process.php

$Remember = $_POST['Remember'];
$sql = "select * from signup where username = '$Username' and password = '$Password'";
$result = mysqli_query($link, $sql);

if(mysqli_num_rows($result)>0)
{
    if(!empty($_POST['Remember']))
    {
        setcookie("username", $Username,time()+ (10 * 365 * 24 * 60 * 60));
        setcookie("pass", $Password,time()+ (10 * 365 * 24 * 60 * 60));
    }
    else
    {
        //if the cookie still exists without the checkbox being clicked, then destroy it
        if(isset($_POST['Username']))
        {
            setcookie("username","");
        }

        if(isset($_POST['Password']))
        {
            setcookie("pass","");
        }
    }

    echo 'true';
    $_SESSION['username'] = $Username;
}
else
{
    echo "false";
}
  • Wait, you're setting the username and password to cookies? I'm afraid this is not how you implement a login system. – Jonnix May 24 '16 at 11:51
  • @JonStirling I found this way to set a cookie from somewhere else on the internet. If you know the right way then guide me. Any idea is warmly welcomed! – bc110402307 Syed Zeeshan Haide May 24 '16 at 11:53
  • Two main ones. 1) You do not store plain text passwords in the database (see PHP's [password API](http://php.net/password)) 2) You do not store user credentials on the user's browser. – Jonnix May 24 '16 at 11:55
  • @JonStirling As far as storing the password value is concerned, that is temporary; I will change the format later to md5 or some other format. This time, you solved my issue that why I am finding this error? If you know how we should set a cookie for the "Remember" feature then do share with me. – bc110402307 Syed Zeeshan Haide May 24 '16 at 11:59
  • http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579 might be of interest. – Jonnix May 24 '16 at 12:02
  • @JonStirling They are just telling you about the security issues and that is not of my interest this time. – bc110402307 Syed Zeeshan Haide May 24 '16 at 12:07
  • It explains exactly how you should be doing this. Sure, it doesn't give you the code, but that's not our job to provide, it's your job to write. But hey, if security of your users doesn't interest you then I wish you luck. – Jonnix May 24 '16 at 12:20
  • @JonStirling I did not demand code yet, I think so. I said that this time, security is not of my concern, I will tackle that later at the time of live my site. This time, I'm only testing things, not refining. Hope you will understand. Anyways, thanks for your suggestion ... – bc110402307 Syed Zeeshan Haide May 24 '16 at 12:25

3 Answers

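The following code will completely destroy the session. Use it in the logout function.

$_SESSION = array();   // clear the session data (the PHP manual advises against unset($_SESSION))
session_destroy();     // destroy the session while it is still active
// session_regenerate_id() needs an active session, so it is not called after session_destroy()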
Deepak Adhikari

You don't destroy a cookie like this:

setcookie("username","");

If you want to destroy a cookie, set a time which has already passed, like:

setcookie("username", "", time()-3600);
Ghulam Ali
setcookie("username", "",time()- (10 * 365 * 24 * 60 * 60));
setcookie("pass", "",time()- (10 * 365 * 24 * 60 * 60));

I think this will help you
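
An added example (not the asker's code and not part of any answer above) of a "Remember" flow that keeps a random token in the cookie instead of the username and password, and removes both the token cookie and the session cookie on logout. The `remember_tokens` table, the cookie name and the function names are assumptions made for the illustration.

```php
<?php
// Added example; remember_tokens(selector, validator_hash, username, expires) is a hypothetical table.
// Assumes HTTPS, an already started session, and PHP 7.3+ (setcookie() options array).
// Assumes the client sends Remember only when the box is ticked ($('#remember').is(':checked')).
const REMEMBER_COOKIE = 'remember';

function cookie_opts(int $expires): array
{
    // Path must be identical when setting and when expiring, or the browser keeps the cookie.
    return ['expires' => $expires, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

function remember_login(mysqli $link, string $username): void
{
    $selector = bin2hex(random_bytes(12));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret, stored server-side only as a hash
    $hash = hash('sha256', $validator);
    $expires = time() + 30 * 24 * 60 * 60;
    $stmt = $link->prepare('INSERT INTO remember_tokens (selector, validator_hash, username, expires) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('sssi', $selector, $hash, $username, $expires);
    $stmt->execute();
    setcookie(REMEMBER_COOKIE, "$selector:$validator", cookie_opts($expires));
}

function user_from_cookie(mysqli $link): ?string
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) { return null; }
    $now = time();
    $stmt = $link->prepare('SELECT validator_hash, username FROM remember_tokens WHERE selector = ? AND expires > ?');
    $stmt->bind_param('si', $parts[0], $now);
    $stmt->execute();
    $stmt->bind_result($hash, $username);
    $found = $stmt->fetch();
    $stmt->close();
    return ($found && hash_equals($hash, hash('sha256', $parts[1]))) ? $username : null;
}

function logout(mysqli $link): void
{
    $selector = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2)[0];
    $stmt = $link->prepare('DELETE FROM remember_tokens WHERE selector = ?');   // revoke server-side
    $stmt->bind_param('s', $selector);
    $stmt->execute();
    setcookie(REMEMBER_COOKIE, '', cookie_opts(time() - 3600));                 // expire the token cookie
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    $_SESSION = [];
    session_destroy();
}
```

The session ID the question sees in `$_COOKIE` is PHP's own session cookie; `logout()` expires it using the parameters reported by `session_get_cookie_params()` so that the path and domain match the ones it was set with.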