Okay, so I'm fairly new to coding PHP websites from scratch (have used template code, and tweaked it around a little for a while now).
So today me and my friend started our own website, and so far I have these webpages:
login.php (just the form to submit data to checklogin.php)
checklogin.php (contains the check between MySQL and the entered data, and logs in if it's right.)
Register.php (Again, contains the form to submit data to checkregister.php)
checkregister.php (contains a check to see whether the username or e-mail already exists, checks to see if both passwords entered in register.php match, and after this submits it to the MySQL database.)
logout.php (just contains Session_Destroy(); )
and page1.php (just a page saying password correct; you get redirected here from checklogin.php, ofc, if your password is correct.)
Okay, so I've added this into checklogin.php:
PHP Code:
$expiry = time() + 172800;                   // cookie lifetime: 2 days from now, in seconds
setcookie("userlogin", $username, $expiry);  // pass the variable itself; in single quotes '$username' is the literal text, not its value
So basically I want page 1 to actually say:
Welcome (their username here), (their e-mail address here)
so I thought the only way to do that is through setting a cookie, right?
and to get their e-mail address I was going to do it by matching their username in the database and then reading this from the database (I can do this myself, it's fairly straightforward)
But then it leaves a vulnerability: if a person was to fake a cookie of a different user, they would then be able to get their e-mail address too, because the PHP code is set to match an e-mail address with the name stored in the cookie, and then display it.
I hope this all makes sense to you so far...
So my question is, how would I stop this from being able to be done... (getting an account's e-mail address from spoofing a cookie)
I'll happily answer any questions you have got about the information of my pages etc.
Thanks
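An added example (not the poster's code) showing the usual fix for the problem described in the post: after checking the password, keep the username on the server in $_SESSION instead of in a cookie the browser can edit. The browser then only holds a long random session ID, so a visitor cannot write someone else's username into a cookie and have page1.php look up their e-mail. The same sketch covers checklogin.php, page1.php and logout.php, plus a signed-cookie helper for the case where a persistent cookie really is wanted. It assumes a PDO connection in $pdo and a users table with columns username, email and password_hash (all assumptions; the post does not show the schema), and that passwords were stored with password_hash() at registration.

```php
<?php
// Added example, not the poster's own code. Assumes: $pdo is a PDO connection and the
// table `users` has columns username, email, password_hash (hypothetical schema).

// Start the session with cookie flags set so scripts cannot read the ID and it is
// only sent over HTTPS. Call this at the top of every page instead of session_start().
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// --- checklogin.php --------------------------------------------------------
// Verifies the submitted credentials and records the login server-side.
function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the password against the stored password_hash() value.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    startSecureSession();
    session_regenerate_id(true);               // fresh ID after login (blocks session fixation)
    $_SESSION['username'] = $row['username'];  // kept on the server; the browser only sees the session ID
    return true;
}

// --- page1.php -------------------------------------------------------------
// Returns ['username' => ..., 'email' => ...] for the logged-in user, or null if nobody is logged in.
function currentUser(PDO $pdo): ?array
{
    startSecureSession();
    if (empty($_SESSION['username'])) {
        return null;                            // caller should redirect to login.php
    }
    // The lookup key comes from $_SESSION, never from a client-supplied cookie or parameter.
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = ?');
    $stmt->execute([$_SESSION['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- logout.php ------------------------------------------------------------
function logout(): void
{
    startSecureSession();
    $_SESSION = [];
    session_destroy();
}

// --- Optional: a cookie that cannot be forged ------------------------------
// If a value must live in a cookie (e.g. a "remember me" token), sign it with a server-side
// secret. A tampered value fails verification because the attacker cannot produce the HMAC.
const COOKIE_SECRET = 'replace-with-a-long-random-secret-kept-out-of-the-repo'; // placeholder

function signCookieValue(string $value): string
{
    return $value . '|' . hash_hmac('sha256', $value, COOKIE_SECRET);
}

function verifyCookieValue(string $cookie): ?string
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$value, $mac] = $parts;
    $expected = hash_hmac('sha256', $value, COOKIE_SECRET);
    // hash_equals() is a constant-time comparison, so timing does not leak the MAC.
    return hash_equals($expected, $mac) ? $value : null;
}

// Usage in page1.php (hypothetical $pdo):
// $user = currentUser($pdo);
// if ($user === null) { header('Location: login.php'); exit; }
// echo 'Welcome ' . htmlspecialchars($user['username']) . ', ' . htmlspecialchars($user['email']);
```

The session approach is the one to use here: page1.php reads the username from $_SESSION, so the e-mail lookup is keyed on a value the visitor never controls. The signed-cookie helpers are only for cases where a value genuinely has to be stored client-side; even then, a verified username is still just a claim about who is logged in, so prefer a random token stored in the database over putting the username itself in the cookie.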
