4

I have a very simple PHP password-protected page. I'd like to add a session cookie so the browser will stay logged in (say for 7 days).

Here is my current code:

<?php

$password = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";

if (sha1($_POST['password']) == $password) {
?>

Password Protected Content

<?php

}

else {

?>
<html>
    <head>
        <title>Login Page</title>
    </head>
    <body>
        <form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
        Password: <input type="password" name="password" class="formpart" />
        <input type="submit" name="Submit" value="Login" class="login-button" />
        </form>
    </body>
</html>
<?php
}
?>

I have no idea where to start, so I'd really appreciate some help. Thanks in advance!

2 Answers

2

Please take a look at these things for PHP:

Also your code will never jump into the password protected content block.

$password = "password";

if (sha1($_POST['password']) == $password) {

Let's say you entered the right password ("password"), so the if would ask:

if 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 equals password.

You are using hashing, but that is not needed here.


4 Comments

As for the session timeout, keeping sessions sitting around for a week is usually a pretty bad idea.
I have already looked into session_start() and such but have no idea how to integrate this into my code above. Also, I just used "password" as a quick example here, my real password is hashed with sha1.
Simply put session_start() at the top of the PHP file and set a $_SESSION entry called LoggedIn, then add to the if-line isset($_SESSION["loggedIn"]) && $_SESSION['loggedIn']
P.S.: Surely not the best solution! And cHao is right, follow this!
1

Your requirement is a very classical practice. You can read a tutorial here: http://www.phpnerds.com/article/using-cookies-in-php/2

Notes:

  • Compare hash to hash
  • Never save your plain-text password in a cookie
  • More secure: don't save hashed passwords in cookies like the tutorial. Just store a hashed session code and use a DB session table to map it to the user's sessions.

Hope it helps.

4 Comments

"Never save [the] plain-text password in [a] cookie" -- in that case, never store any password in a cookie. Hashed or not. Hashing doesn't help there; even if you store a hashed password, that becomes just as good as the real password authentication-wise. That's the whole point of putting the password in a cookie in the first place.
Thanks for the correction. That note was added for the sake of phpnerds' tutorial. I also suggested a more secure solution.
Thanks for that tutorial, exactly what I needed. As for this being a not so secure solution - I know. But it should work fine for my use.
If by your use you mean: "Only I, and no one else but myself will have access to this application" then I guess you're right, but I would err on the safe side, and choose not to store a password in a cookie. It's bad practice. Remember that old habits die hard.
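
The session approach suggested in the comments on the first answer, combined with the second answer's advice to keep only a session identifier (never the password or its hash) in the cookie, as an added example that is not code from the question or the answers. It assumes PHP 7.3 or later; `SESSION_LIFETIME` and the `loginTime` session key are hypothetical names.

```php
<?php
// Added example, not the asker's or the answerers' code.
const SESSION_LIFETIME = 7 * 24 * 60 * 60;   // 7 days, as asked in the question

// SHA-1 hash from the question; password_hash()/password_verify() is the stronger choice.
$passwordHash = '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8';

// The server must keep the session data for as long as the cookie lives.
ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
session_set_cookie_params([
    'lifetime' => SESSION_LIFETIME,
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),  // send only over HTTPS when available
    'httponly' => true,                       // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Expire logins older than the lifetime even if the cookie is still presented.
if (isset($_SESSION['loginTime']) && time() - $_SESSION['loginTime'] > SESSION_LIFETIME) {
    $_SESSION = [];
    session_regenerate_id(true);
}

// The cookie only ever carries the session ID; the password is checked once, here.
$submitted = $_POST['password'] ?? null;
if (is_string($submitted) && hash_equals($passwordHash, sha1($submitted))) {
    session_regenerate_id(true);              // fresh ID on login prevents session fixation
    $_SESSION['loggedIn']  = true;
    $_SESSION['loginTime'] = time();
}

if (!empty($_SESSION['loggedIn'])) {
    echo 'Password Protected Content';
} else {
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
    Password: <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>
<?php
}
```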
