So I'm using cookies to identify a user and prevent access by someone who isn't logged in. This is the check code for the page:
    if (!isset($_COOKIE['username']) && !isset($_COOKIE['password']))
    {
        header("location:clientlogin.php");
    }
However, this is only half of the check. Here is my problem. My URL is formatted like this:
    site.com/?Client=$Client&Product=$Product
Now before I do anything, I wanna make sure that the cookie username matches the info in the link. I have to grab info from the DB first I think, because $Client is last name while username is E-mail column. I've tried comparison of cookies, I just fail at it.
Second, I want to prevent url tampering, as current setup allows anyone to change $Client and $Product and get information that doesn't belong to them. However, whenever I insert a check like this:
    if($Client != $LastName)
    {
        header("location:clientlogin.php");
    }
Where I already have $Client (page starts with GET) it creates a redirect loop and I can't log in. Each time I log in and get redirected to that page, I get back to clientlogin.php. I'm guessing if I can compare the cookie username (it lasts a year by the way) to the actual data, I might be able to solve both problems?
I hope I provided enough info, and would be cool if you went easy on me, this is a first project I'm learning on.
Thank you!
@DaveChen: there is not a single framework I have ever come across (in any scripting language), nor a single well-known website I have ever logged in to, that stores the user's password in an unencrypted cookie. This is by far the most dangerous thing you can do to your user. Even with SSL and httponly option set on the cookie (to mitigate against JavaScript XSS attacks), it's just a very, very bad idea.
The closest "proper" method to accomplish what you're trying to do would be to encrypt the cookie contents. The best method, the one that almost every sane website uses, is to not store any session data client-side at all. The client's cookie contains nothing more than a randomly generated (difficult to brute-force) session id - all the data itself is stored on the server, whether in a database, session file, or caching server.
You would be best advised to use PHP's built-in sessions. Start by reading the entire reference for PHP sessions. By default, PHP stores sessions in temporary files on the server - the client only gets a session id.
To provide a partial answer to your question about securing a single user's data from other users' eyes, you would not put 'Client' in the query string (url) at all. Instead, you do a lookup in the database for the 'Product' from the url, and the 'Client' value that you retrieve from the session. So your url would become site.com/?Product=$Product and you use the 'Client' value from the session, and run a database query that checks for both values at the same time (to make sure the product belongs to the client who is logged in) - something like SELECT * FROM products where client_id = ? AND product_id = ?.
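The session-based ownership check described in the answer above, as an added example that is not the answerer's code. It assumes integer ids, a `client_id` session key set by clientlogin.php after a successful login, a `name` column, and constructed rows in an in-memory SQLite database.

```php
<?php
declare(strict_types=1);
// Added example. Table and column names follow the query quoted above;
// the 'name' column, client_id session key and sample rows are assumptions.

/** Fetch a product only if it belongs to $clientId; null otherwise. */
function findOwnedProduct(PDO $pdo, int $clientId, int $productId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM products WHERE client_id = ? AND product_id = ?'
    );
    $stmt->execute([$clientId, $productId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data in an in-memory SQLite database so the script runs as-is;
// a real page would connect to its own database instead.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (product_id INTEGER, client_id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO products VALUES (10, 1, 'Widget'), (20, 2, 'Gadget')");

if (PHP_SAPI === 'cli') {
    // Command-line check: client 1 owns product 10 but not product 20.
    var_dump(findOwnedProduct($pdo, 1, 10) !== null);   // owner gets the row
    var_dump(findOwnedProduct($pdo, 1, 20) === null);   // another client's product is hidden
    exit;
}

// Page code for site.com/?Product=... : the cookie carries only the session id.
session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
if (!isset($_SESSION['client_id'])) {       // set by clientlogin.php after login
    header('Location: clientlogin.php');
    exit;                                   // stop here; nothing below runs for anonymous users
}
$productId = filter_input(INPUT_GET, 'Product', FILTER_VALIDATE_INT);
$product = is_int($productId)
    ? findOwnedProduct($pdo, (int) $_SESSION['client_id'], $productId)
    : null;
if ($product === null) {
    http_response_code(404);                // same response for "missing" and "not yours"
    exit('Product not found.');
}
echo htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
```

Because the client id never comes from the URL, editing the query string can only change which of the logged-in client's own products is requested.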
For a start, DO NOT STORE a person's password in a cookie.
It is so easy to nab that information. Use sessions instead. See here.