
Cookies not deleting after logout

Hi, I have a PHP script which allows users to register on my site as well as log in using their username and password. I’m having a problem with deleting the cookies after the user logs out from the session. For example, Brian logs in using his username and password. Once logged in, a screen appears showing “Welcome Brian” on the screen. Brian now logs off and a screen appears saying that the log-off has been successful. Dave then logs in using his own username and password. After logging in a screen appears, however it still says “Welcome Brian” on the screen. Dave refreshes the page and the “Welcome Brian” now changes to “Welcome Dave”. So it’s obvious that the cookies aren’t deleting properly after logging out. I’m just wondering if anyone can help with deleting the cookies after logging out. Here is the code that I am using:

[B]This is the logout.php code[/B]

[code=php]<?
/*
# File: logout.php
# Script Name: vSignup 2.5
# Author: Vincent Ryan Ong
# Email: [email protected]
#
# Description:
# vSignup is a member registration script which utilizes vAuthenticate
# for its security handling. This handy script features email verification,
# sending confirmation email message, restricting email domains that are
# allowed for membership, and much more.
#
# This script is a freeware but if you want to give donations,
# please send your checks (coz cash will probably be stolen in the
# post office) to:
#
# Vincent Ryan Ong
# Rm. 440 Wellington Bldg.
# 655 Condesa St. Binondo, Manila
# Philippines, 1006
*/
// Destroy Sessions
setcookie ("USERNAME", "", time() - 3600);
setcookie ("PASSWORD", "", time() - 3600);
include_once ("authconfig.php");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Welcome to…</title>

<link rel="stylesheet" href="main.css" type="text/css" media="all" />
<link href="validate.css" rel="stylesheet" type="text/css" />
<link href="roundedcorners.css" rel="stylesheet" type="text/css" />

<script type="text/javascript" src="mootools.js"></script>
<script type="text/javascript" src="textResizeDetector.js"></script>
<script type="text/javascript" src="roundedcorners.js"></script>
<script type="text/javascript" src="imageMenu.js"></script>
<script type="text/javascript" src="validate.js"></script>
<script type="text/javascript" src="date-en-GB.js"></script>

</head>

<body>

<div id="container">

<div id="header">
<img class="head" src="best.png" />
<img src = "….png" />

<img class="bar" src = "hrbar.png" /></div>
<div id="imageMenu">
<ul>
<li class="landscapes"><a href="index.htm">Landscapes</a></li>
<li class="people"><a href="about.html">People</a></li>
<li class="nature"><a href="makerequest.html">Nature</a></li>
<li class="urban"><a href="viewreq.html">Urban</a></li>
<li class="abstract"><a href="viewhotels.html">Abstract</a></li>
</ul>
</div>

<script type="text/javascript">

window.addEvent('domready', function(){
var myMenu = new ImageMenu($$('#imageMenu a'),{openWidth:310, border:2});
});

</script>
<div id="maindiv">
<p class="welcome">You have successfully logged off.
Click <a href="<? echo $login; ?>">here</a> to log back in.</p>
</div>
<img class="bar2" src = "hrbar2.png" />
<table id="footer">
<tr>
<p class="footer">
<td class="footer"><a class="footer" href="contact.html">Contact us</a></td>
<td class="footer"><a class="footer" href="T&C.html">Terms & Conditions</a></td>
<td class="footer"><a class="footer" href="Privpol.html">Privacy Policy</a></td>
<td class="footer"><a class="footer" href="Sitemap.html">Site Map</a></td>

</p>
</tr>

</table>
</div>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-3333085-1");
pageTracker._initData();
pageTracker._trackPageview();
</script>
</body>
</html>[/code]

[B]This is the vAuthenticate code[/B]

[code=php]<?
/*
# File: vAuthenticate.php
# Script Name: vAuthenticate 3.0.1
# Author: Vincent Ryan Ong
# Email: [email protected]
#
# Description:
# vAuthenticate is a revolutionary authentication script which uses
# PHP and MySQL for lightning fast processing. vAuthenticate comes
# with an admin interface where webmasters and administrators can
# create new user accounts, new user groups, activate/inactivate
# groups or individual accounts, set user level, etc. This may be
# used to protect files for member-only areas. vAuthenticate
# uses a custom class to handle the bulk of insertion, updates, and
# deletion of data. This class can also be used for other applications
# which needs user authentication.
#
# This script is a freeware but if you want to give donations,
# please send your checks (coz cash will probably be stolen in the
# post office) to:
#
# Vincent Ryan Ong
# Rm. 440 Wellington Bldg.
# 655 Condesa St. Binondo, Manila
# Philippines, 1006
*/

// Start Code

// Use Sessions
// NOTE: This will store the username and password entered by the user to the cookie
// variables USERNAME and PASSWORD respectively even if the combination is correct or
// not. Be sure to authenticate every page that you want to be secured and pass as
// parameters the variables USERNAME and PASSWORD.
setcookie ("USERNAME", $_POST['username'],0,'/');
setcookie ("PASSWORD", $_POST['password'],0,'/');

// Change the path to auth.php and authconfig.php if you moved
// vAuthenticate.php from its original directory.
include_once ("auth.php");
include_once ("authconfig.php");

$username = $_POST['username'];
$password = $_POST['password'];

$Auth = new auth();
$detail = $Auth->authenticate($username, $password);

if ($detail==0)
{
?><HEAD>
<SCRIPT language="JavaScript1.1">
<!--
location.replace("<? echo $failure; ?>");
//-->
</SCRIPT>
</HEAD>
<?
}
elseif ($detail['team'] == "Admin") {
?><HEAD>
<SCRIPT language="JavaScript1.1">
<!--
location.replace("<? echo $admin; ?>");
//-->
</SCRIPT>
</HEAD>
<?
}
else
{
?><HEAD>
<SCRIPT language="JavaScript1.1">
<!--
location.replace("<? echo $success; ?>");
//-->
</SCRIPT>
</HEAD>
<?
}
?> [/code]

Any help appreciated, thank you


1 Comments(s)

@NogDog Aug 07.2009 — I am not crazy about what I see in that script, in particular that the password is apparently being saved in a cookie. This is [b]very[/b] insecure: it means the password is stored in a cookie on the user's PC where anyone with access to it can read it, plus it means that it is repeatedly transferred back and forth between the computer and the server with every page request and response.

Not knowing what goes on the auth class (the auth.php file, presumably), I don't know if these cookies are strictly necessary or not -- I would hope that the script uses session-based logins and not purely cookie-based, but there's no way of knowing at this point.
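
A session-based login and logout of the kind the comment above hopes for, as an added example that is not part of the thread or of vSignup/vAuthenticate: only a random session ID reaches the browser, and logout expires each cookie with the same path it was set with, because a browser only drops a cookie when name, path and domain match. The function names are hypothetical; PHP 7.3+ and an HTTPS site are assumed.

```php
<?php
// Added example, not vSignup/vAuthenticate code. Function names are hypothetical.
declare(strict_types=1);

// Harden the session cookie, then start the session (call once per request).
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the credentials were verified server-side.
function login_user(string $username): void
{
    session_regenerate_id(true);        // fresh ID on login (prevents session fixation)
    $_SESSION['username'] = $username;  // store the identity, never the password
}

function logout_user(): void
{
    $_SESSION = [];                     // clear server-side state
    $p = session_get_cookie_params();
    // Expire the session cookie with the SAME attributes it was created with.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
    // Expire the legacy cookies too: vAuthenticate.php set them with path '/',
    // so the deletion must name that path as well.
    foreach (['USERNAME', 'PASSWORD'] as $name) {
        setcookie($name, '', time() - 3600, '/');
    }
}
```

Pages that greet the user would then read `$_SESSION['username']` after `start_secure_session()` instead of the `USERNAME` cookie.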