Last updated: Thu, 21 Aug 2003

Chapter 17. Cookies

PHP transparently supports HTTP cookies. Cookies are a mechanism for storing data in the remote browser and thus tracking or identifying return users. You can set cookies using the setcookie() function. Cookies are part of the HTTP header, so setcookie() must be called before any output is sent to the browser. This is the same limitation that header() has. You can use the output buffering functions to delay the script output until you have decided whether or not to set any cookies or send any headers.

Any cookies sent to you from the client will automatically be turned into a PHP variable just like GET and POST method data, depending on the register_globals and variables_order configuration variables. If you wish to assign multiple values to a single cookie, just add [] to the cookie name.

In PHP 4.1.0 and later, the $_COOKIE auto-global array will always be set with any cookies sent from the client. $HTTP_COOKIE_VARS is also set in earlier versions of PHP when the track_vars configuration variable is set. (This setting is always on since PHP 4.0.3.)

For more details, including notes on browser bugs, see the setcookie() function.

User Contributed Notes
myfirstname at braincell dot cx
24-Sep-2003 10:47
Just a general comment on Wilton's code snippet: It's generally considered very bad practice to store usernames and/or passwords in cookies, whether or not they're obfuscated. Many spyware programs make a point of stealing cookie contents.

A much better solution would be to either use the PHP built-in session handler or create something similar using your own cookie-based session ID. This session ID could be tied to the source IP address or can be timed out as required, but since the ID can be expired separately from the authentication criteria, the authentication itself is not compromised.

Stuart Livings
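
The session-based approach suggested in the note above, as an added example that is not part of the manual or of either note: the cookie carries only an opaque session ID, and the session is bound to the source IP and an idle timeout. The names sample_users(), login(), is_authenticated() and IDLE_TIMEOUT are hypothetical, and the code assumes PHP 7.3+ served over HTTPS.

```php
<?php
// Added example (not from the manual or the notes). Assumes PHP 7.3+.
const IDLE_TIMEOUT = 900; // seconds of inactivity allowed; assumed value
// Constructed sample account store: user name => password_hash() output.
function sample_users(): array {
    return ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// On success the session holds identity and binding data; the cookie holds only the opaque ID.
function login(array &$session, array $users, string $aid, string $pwd, string $ip, int $now): bool {
    if (!isset($users[$aid]) || !password_verify($pwd, $users[$aid])) {
        return false;
    }
    $session = ['aid' => $aid, 'ip' => $ip, 'seen' => $now];
    return true;
}

// Accept the session only from the same source IP and inside the idle timeout.
function is_authenticated(array &$session, string $ip, int $now): bool {
    if (!isset($session['aid'], $session['ip'], $session['seen'])) {
        return false;
    }
    if ($session['ip'] !== $ip || $now - $session['seen'] > IDLE_TIMEOUT) {
        $session = [];        // expire the session; the stored password is unaffected
        return false;
    }
    $session['seen'] = $now;  // sliding timeout
    return true;
}

if (PHP_SAPI === 'cli') {
    // Offline demo with constructed addresses and timestamps.
    $s = [];
    var_dump(login($s, sample_users(), 'admin', 'correct horse', '192.0.2.10', 1000));
    var_dump(is_authenticated($s, '192.0.2.10', 1300));   // same IP, 300 s later
    var_dump(is_authenticated($s, '198.51.100.7', 1400)); // ID replayed from another IP
} else {
    // Web wiring: HttpOnly/Secure flags keep the ID from scripts and plain HTTP.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    $ip = $_SERVER['REMOTE_ADDR'];
    $aid = $_POST['aid'] ?? '';
    $pwd = $_POST['pwd'] ?? '';
    if (($_POST['op'] ?? '') === 'login' && is_string($aid) && is_string($pwd)
        && login($_SESSION, sample_users(), $aid, $pwd, $ip, time())) {
        session_regenerate_id(true); // fresh ID after login prevents session fixation
    }
    echo is_authenticated($_SESSION, $ip, time()) ? 'admin area' : 'login required';
}
```

Binding to the source IP also logs out legitimate users whose address changes mid-session (mobile networks, proxies), so the timeout is the part that always applies.
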
wilton at intertranet dot com
17-Jul-2003 06:14
// Login step: runs when the form supplies $aid, $pwd and $op == "login"
if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
    if ($aid != "" AND $pwd != "") {
        $pwd = md5($pwd);
        // $aid is placed into the query string as received
        $result = sql_query("select pwd, admlanguage from ".$prefix."_authors where aid='$aid'", $dbi);
        list($pass, $admlanguage) = sql_fetch_row($result, $dbi);
        if ($pass == $pwd) {
            // Cookie value: base64 of "aid:md5(pwd):admlanguage"
            $admin = base64_encode("$aid:$pwd:$admlanguage");
        }
    }
}

$admintest = 0;

// Later requests: decode the $admin cookie back into its three fields
if (isset($admin) && $admin != "") {
    $admin = base64_decode($admin);
    $admin = explode(":", $admin);
    $aid = "$admin[0]";
    $pwd = "$admin[1]";
    $admlanguage = "$admin[2]";
    // Empty name or hash in the cookie: show the access-denied page
    if ($aid == "" || $pwd == "") {
        echo "<html>\n";
        echo "<title>Ingreso prohibido</title>\n";
        echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
        echo "<center><img src=\"images/logo.gif\" border=\"0\"><br><br>\n";
        echo "<font face=\"Verdana\" size=\"+4\"><b>Su Ip esta siendo registrada en nuestra base de datos, toda operación indebida será investigada.<br><br><br>Gerencia Administrativa</b></font></center>\n";
        echo "</body>\n";
        echo "</html>\n";
    }
}

Copyright © 2001-2003 The PHP Group
All rights reserved.
Last updated: Sat 01 Nov 2003 04:13:36 EST