#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    Hollywood FLorida
    Posts
    130
    Rep Power
    32

    Clearing all cookies php script - HowTo?


    Hey everybody, I'm working on a project that uses cookies. When the user clicks log-out, a script is executed that sets the values of the cookies to "no"; this is my way of clearing them.

    my problem is as follows...

    when a user clicks log-out , the cookies are supposed to be changed to the "no" values... but instead of that actually happening... I can actually type in a url that checks those cookies for the actual values for validation BUT the page loads like normal instead of erroring out and redirecting me back to the login page like its supposed to..

    now, if i close the browser, the cookies get cleared automatically and if i type in the url to the secure page it will redirect me back to the login like its supposed to...

    so my problem and question is:


    how can I clear all of the cookies set by the login script using a php script that does not require me to close the browser or set a timer on the cookies?
    FordFasteRR !!!!
  2. #2
  3. mod_dev_shed
    Devshed Supreme Being (6500+ posts)

    Join Date
    Sep 2002
    Location
    Atlanta, GA
    Posts
    14,800
    Rep Power
    1104
    Let's see how you validate those cookies.

    You should be able to remove a cookie by setting its value to nothing (i.e., ''). You can also set the expiration to a time prior to the current time.
    # Jeremy

    Explain your problem instead of asking how to do what you decided was the solution.
  4. #3
  5. No Profile Picture
    should i set the expiration time for the existing cookies when the user clicks > LOGOUT < ?


    what is the best way to set the time on the cookie?

    right now, I have no time parameter at all when the cookie is created.. can you give me a simple example ?
    FordFasteRR !!!!
  6. #4
  7. mod_dev_shed
    Let's see how you validate those cookies.
    Since you're using session cookies (don't mistake that for PHP Sessions; session cookies expire on browser close), it would be better to give them an empty value. The empty value shouldn't validate, and thus the user should be redirected to the login page.
    # Jeremy

    Explain your problem instead of asking how to do what you decided was the solution.
  8. #5
  9. No Profile Picture
    my problem is not with the cookie validation scripts, those work fine, the problem is that my cookie clearing script does not actually change the cookie values when the user clicks logout..

    here is a flowchart of my programming..

    1. login screen > validate user > set cookies > index.php page is displayed.

    2. user clicks logout > clearcookies.php script loads and changes the values of all the original cookies to "no" > user is redirected to the login page.

    PROBLEM ...

    3. if I type one of the secure pages that has a cookie validation script , the page loads and the original cookie values are still showing!!!

    now then... what can I do ?


    here is a shot of my cookie validation script...


    <?
    if(isset($_COOKIE['loggedin'])) {
        if ($_COOKIE['loggedin'] == "ok") {
        } else {
            header("location: http://www.mydomain.com/database/index.html");
            exit;
        }
    } else {
        header("location: http://www.mydomain.com/database/index.html");
        exit;
    }
    ?>



    ______________________________

    here is a shot of the script that clears the cookies:

    <?
    $cookie_name ="loggedin";
    $cookie_value ="no";

    $cookie_name1 ="usersname";
    $cookie_value1 ="none";

    $cookie_name2 ="modaccess";
    $cookie_value2 ="no";

    $cookie_name3 ="admin";
    $cookie_value3 ="no";

    $cookie_name5 ="user_name";
    $cookie_value5 ="none";

    $cookie_name6 ="user_password";
    $cookie_value6 ="none";



    setcookie($cookie_name, $cookie_value);
    setcookie($cookie_name1, $cookie_value1);
    setcookie($cookie_name2, $cookie_value2);
    setcookie($cookie_name3, $cookie_value3);
    setcookie($cookie_name5, $cookie_value5);
    setcookie($cookie_name6, $cookie_value6);

    header("location:http://www.mydomain.com/database/show_login.php");

    ?>

    ___________________________________________

    here is a shot of the script that validates the user and sets the cookies:


    <?

    if ((!$_POST['username']) || (!$_POST['password'])) {
    header("location:http://www.mydomain.com/database");
    exit;
    }


    $db_name ="mytablename";
    $table_name ="auth_users";


    $connection = @mysql_connect("www.mysql-server.com","mydbusername","mypassword") or die(mysql_error());

    $db = @mysql_select_db($db_name,$connection)or die(mysql_error());

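    // Escape user input before it goes into the query, and compare with =
    // (LIKE treats % and _ as wildcards, so '%' would match any row).
    $username = mysql_real_escape_string($_POST['username'], $connection);
    $password = mysql_real_escape_string($_POST['password'], $connection);

    $sql ="SELECT f_name, username, password, mod_access, admin
    FROM $table_name
    WHERE username = '$username'
    AND password = '$password'";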

    $result = @mysql_query($sql,$connection) or die(mysql_error());

    $row = mysql_fetch_array($result);

    $num1 = mysql_num_rows($result);

    if ($num1 != 0) {

    $cookie_name ="loggedin";
    $cookie_value ="ok";

    $cookie_name1 ="usersname";
    $cookie_value1 ="$row[f_name]";

    $cookie_name2 ="modaccess";
    $cookie_value2 =$row['mod_access'];

    $cookie_name3 ="admin";
    $cookie_value3 ="$row[admin]";

    setcookie($cookie_name, $cookie_value);
    setcookie($cookie_name1, $cookie_value1);
    setcookie($cookie_name2, $cookie_value2);
    setcookie($cookie_name3, $cookie_value3);

    header("location:http://www.mydomain.com/database/index.php");
    exit;

    } else {

    header("location:http://www.mydomain.com/database/clearcookies.php");
    exit;


    }
    ?>
    FordFasteRR !!!!
  10. #6
  11. No Profile Picture
    OK, I did some reading of similar posts and found that other people are also having similar problems as I am...

    and so, I modified the cookie clearing script to read as follows:

    <?
    $cookie_name ="loggedin";
    $cookie_value ="";

    $cookie_name1 ="usersname";
    $cookie_value1 ="";

    $cookie_name2 ="modaccess";
    $cookie_value2 ="";

    $cookie_name3 ="admin";
    $cookie_value3 ="";

    $cookie_name5 ="user_name";
    $cookie_value5 ="";

    $cookie_name6 ="user_password";
    $cookie_value6 ="";



    setcookie($cookie_name, time()-3600);
    setcookie($cookie_name1, time()-3600);
    setcookie($cookie_name2, time()-3600);
    setcookie($cookie_name3, time()-3600);
    setcookie($cookie_name5, time()-3600);
    setcookie($cookie_name6, time()-3600);


    header("location:http://www.nitrousworld.com/database/show_login.php");

    ?>

    _________________________

    And after clicking LOGOUT > clearcookies.php > it still fails to prevent me from typing in the url directly and viewing the secure page after the cookie that is validated is SUPPOSED to be expired !!!
    FordFasteRR !!!!
  12. #7
  13. mod_dev_shed
    I wanted to see your validation script b/c I've seen people not test the value of the cookie, only if it exists, and then set cookie values accordingly. What happens is they end up clearing the cookie in their logout script, but resetting it on the page as they validate.

    I've seen and even run into this problem before. I don't use cookies too often outside the one set by using PHP Sessions, but I'm pretty sure I was able to solve it by setting the value blank.

    I'm going to recommend against all of these cookies with their different values. Instead, store something unique for each user, preferably md5()ed, and retrieve this information as you validate. As it stands, I could edit the 'admin' cookie, give it a value of 1 or maybe 'yes', and I'd be an admin.
    PHP Code:
    /*-- login.php --*/
    if((bool)$_POST)
      {
      // Escape the user-supplied name before it is placed in the query
      $sql = 'SELECT COUNT(*)
              FROM table
              WHERE username = "'.mysql_real_escape_string($_POST['username']).'"
              AND password = "'.md5($_POST['password']).'"';
      $result = mysql_query($sql);
      if((bool)mysql_result($result,0))
        {
        setcookie('LOGIN',md5($_POST['username']));
        // redirect
        }
      }
    PHP Code:
    /*-- logout.php --*/
    setcookie('LOGIN','');
    // redirect
    PHP Code:
    /*-- validate.php --*/
    // The cookie is client-controlled, so escape it like any other input
    $sql = 'SELECT [all that admin, mod_access stuff]
            FROM table
            WHERE MD5(username) = "'.mysql_real_escape_string($_COOKIE['LOGIN']).'"
            LIMIT 1';
    $result = mysql_query($sql);
    if((bool)mysql_num_rows($result))
      {
      $user_info = mysql_fetch_assoc($result);
      }
    print_r($user_info);
    # Jeremy

    Explain your problem instead of asking how to do what you decided was the solution.
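
The design recommended in post #7, carried one step further as an added example (not code from this thread): the cookie holds only a random token, roles are read from the database, and logout revokes the token on the server so a cookie the browser failed to drop no longer validates. The `users`/`sessions` tables, the `LOGIN` cookie options and all function names are assumptions; it uses PDO with an in-memory SQLite database and assumes PHP 7.3+ and an HTTPS site.

```php
<?php
// Added example, not the thread's code. Table, cookie and function names are assumptions.
const COOKIE_OPTS = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));          // unguessable, carries no user data
    $db->prepare('INSERT INTO sessions (token_hash, user_id) VALUES (?, ?)')
       ->execute([hash('sha256', $token), $userId]);
    return $token;                               // the only value that goes in the cookie
}

function currentUser(PDO $db, string $token): ?array {
    $st = $db->prepare('SELECT u.username, u.admin FROM sessions s
                        JOIN users u ON u.id = s.user_id WHERE s.token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null; // role comes from the row, never the cookie
}

function logout(PDO $db, string $token): void {
    // Server-side revocation: the token is dead even if the browser keeps the cookie.
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
    if (PHP_SAPI !== 'cli') {
        // Expire the cookie with the same path and flags it was set with.
        setcookie('LOGIN', '', ['expires' => time() - 3600] + COOKIE_OPTS);
    }
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, admin INTEGER)');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 0)");

// Login: in a web request this is followed by setcookie('LOGIN', $token, COOKIE_OPTS).
$token = issueToken($db, 1);
var_dump(currentUser($db, $token));     // lookup with the valid token
var_dump(currentUser($db, 'admin=1'));  // lookup with a hand-edited cookie value
logout($db, $token);
var_dump(currentUser($db, $token));     // replay of the old cookie after logout
```
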
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    233
    Rep Power
    16
    I do that and it works fine
    <?PHP
    foreach($_COOKIE as $id=>$value){
    setcookie($id,$value,time()-360000);
    }
    ?>
  16. #9
  17. No Profile Picture
    I have changed it to this:


    <?
    $cookie_name ="loggedin";
    $cookie_value ="";

    $cookie_name1 ="usersname";
    $cookie_value1 ="";

    $cookie_name2 ="modaccess";
    $cookie_value2 ="";

    $cookie_name3 ="admin";
    $cookie_value3 ="";

    $cookie_name5 ="user_name";
    $cookie_value5 ="";

    $cookie_name6 ="user_password";
    $cookie_value6 ="";



    setcookie($cookie_name, $cookie_value, time()-360000);
    setcookie($cookie_name1, $cookie_value1, time()-360000);
    setcookie($cookie_name2, $cookie_value2, time()-360000);
    setcookie($cookie_name3, $cookie_value3, time()-360000);
    setcookie($cookie_name5, $cookie_value5, time()-360000);
    setcookie($cookie_name6, $cookie_value6, time()-360000);

    header("location:http://www.nitrousworld.com/database/show_login.php");

    ?>


    ______
    and it still fails to actually clear them after this script runs.

    after I click "logout" this script runs and as you can see at the end it redirects me to the login page... at the login page, I can just type the index.php page into the address bar and it takes me to the secured page and even validates me !!!

    This really stinks... because user x can logout, and user y can just go right in after him with user x's credentials !
    FordFasteRR !!!!
