8.10. Using Cookie Authentication
Problem
You want more control over the user login procedure, such as presenting your own login form.
Solution
Store authentication status in a cookie or as part of a session. When a user logs in successfully, put their username in a cookie. Also include a hash of the username and a secret word so a user can’t just make up an authentication cookie with a username in it:
$secret_word = 'if i ate spinach';
if (pc_validate($_REQUEST['username'],$_REQUEST['password'])) {
    setcookie('login', $_REQUEST['username'].','.md5($_REQUEST['username'].$secret_word));
}
Discussion
When using cookie authentication, you have to display your own login form:
<form method="post" action="login.php">
Username: <input type="text" name="username"> <br>
Password: <input type="password" name="password"> <br>
<input type="submit" value="Log In">
</form>
You can use the same pc_validate( ) function from Recipe 8.10 to verify the username and password. The only difference is that you pass it $_REQUEST['username'] and $_REQUEST['password'] as the credentials instead of $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. If the password checks out, send back a cookie that contains the username and a hash of the username combined with a secret word. Because the secret word never leaves the server, the hash prevents a user from faking a login just by sending a cookie with a username in it.
Once the user has logged in, a page just needs to verify that a valid login cookie was sent in order to do special things for that logged-in user: ...
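The following script is an added example, not code from the PHP Cookbook: it issues a login cookie in the recipe's "username,hash" format and, for a protected page, checks that the cookie presented was really generated with the server's secret word. The pc_validate( ) stand-in with its one hard-coded user is hypothetical (the recipe's real function checks a user table), and check_login_cookie( ) and make_login_cookie( ) are names introduced here. It uses hash_equals( ) for the comparison, which is a choice that goes beyond the recipe's plain string check.

```php
<?php
// Added example (not the PHP Cookbook's code): issue and verify a login
// cookie of the form "username,md5(username . secret_word)".

$secret_word = 'if i ate spinach';   // server-side secret; never sent to the browser

// Hypothetical stand-in for the recipe's pc_validate(): one constructed
// user. A real implementation would look the user up in a database.
function pc_validate($username, $password) {
    $users = ['alice' => 'wonderland'];   // constructed sample credentials
    return isset($users[$username]) && $users[$username] === $password;
}

// Build the cookie value exactly as the recipe does.
function make_login_cookie($username, $secret_word) {
    return $username . ',' . md5($username . $secret_word);
}

// Parse and verify a presented cookie value.
// Returns the username when the hash matches, null otherwise.
function check_login_cookie($cookie, $secret_word) {
    if (!is_string($cookie)) {
        return null;
    }
    $parts = explode(',', $cookie);
    // Exactly two fields: anything else is malformed or tampered with.
    if (count($parts) !== 2) {
        return null;
    }
    list($username, $hash) = $parts;
    $expected = md5($username . $secret_word);
    // hash_equals() runs in constant time, so the comparison does not leak
    // how many leading characters of a guessed hash were correct.
    if (!hash_equals($expected, $hash)) {
        return null;
    }
    return $username;
}

// login.php: hand out the cookie only when the credentials check out.
// setcookie() must be called before any output is sent.
if (isset($_REQUEST['username'], $_REQUEST['password'])) {
    if (pc_validate($_REQUEST['username'], $_REQUEST['password'])) {
        setcookie('login', make_login_cookie($_REQUEST['username'], $secret_word));
    }
}

// Protected page: act on the cookie only after it has been verified, and
// escape the username before echoing it, since it came from the client.
$user = check_login_cookie($_COOKIE['login'] ?? null, $secret_word);
if ($user !== null) {
    echo 'Welcome back, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
} else {
    echo "Not logged in.\n";
}

// Command-line demonstration with constructed cookies: a cookie built with the
// secret verifies, one built without it is rejected.
if (PHP_SAPI === 'cli') {
    $genuine = make_login_cookie('alice', $secret_word);
    $forged  = 'alice,' . md5('alice');          // attacker does not know the secret
    var_dump(check_login_cookie($genuine, $secret_word));
    var_dump(check_login_cookie($forged, $secret_word));
}
```

Run it from the command line (php login.php) to see the genuine cookie resolve to the username and the forged one to null. In a current deployment the same structure holds, but the hash would be hash_hmac('sha256', ...) over the username plus an expiry timestamp, and setcookie( ) would be called with the secure and httponly options so the cookie is only sent over HTTPS and is not readable by page scripts.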