Asked  9 Months ago    Answers:  5   Viewed   53 times

is there a safe way of storing passwords in cookies in php?

or is it not recomended?




This is not recommended...

... even if encrypted. Storing this information on a client machine gives them the opportunity to compare cookies in the hopes of decrypting. Worse they could sniff a cookie from someone else and then masquerade as that user!

What is recommended is having the user login through a secure connection and sending a session cookie in response. The session cookie contains a session id which PHP will automatically map to a session file on the server. You can then store a user id in the session. After a short time, the session should be expired.

Sessions are automatically managed by PHP and you should take advantage of it.

Here's a tutorial on how to use PHP sessions.

Wednesday, March 31, 2021
answered 9 Months ago

One more cautious way of extracting all input fields at once is:

extract( $_POST, EXTR_OVERWRITE, "form_" );

This way all your input variables will be called $form_foo and $form_bar at least. Avoid doing that in the global scope - not because global is evil, but because nobody ever cleans up there.

However, since mostly you do that in a localized scope, you can as well apply htmlentities if for example you need all fields just for output:

extract(array_map("htmlspecialchars", $_POST), EXTR_OVERWRITE, "form_");
Wednesday, March 31, 2021
answered 9 Months ago

Just to demonstrate the power of some of PHP's newer interval handling method (mentioned by pgl in his answer):

$startDate = DateTime::createFromFormat("Y/m/d","2010/12/24",new DateTimeZone("Europe/London"));
$endDate = DateTime::createFromFormat("Y/m/d","2012/01/05",new DateTimeZone("Europe/London"));

$periodInterval = new DateInterval( "P1D" ); // 1-day, though can be more sophisticated rule
$period = new DatePeriod( $startDate, $periodInterval, $endDate );

foreach($period as $date){
   echo $date->format("Y-m-d") , PHP_EOL;

Does require PHP >= 5.3.0


If you need to include the actual end date, then you need to add a day to $endDate immediately before the foreach() loop:

$endDate->add( $periodInterval );


$startDate = new DateTime("2010/12/24",new DateTimeZone("Europe/London"));
$endDate = new DateTime("2012/01/05",new DateTimeZone("Europe/London"));

do {
   echo $startDate->format("Y-m-d") , PHP_EOL;
   $startDate->modify("+1 day");
} while ($startDate <= $endDate);

For PHP 5.2.0 (or earlier if dateTime objects are enabled)

Wednesday, March 31, 2021
answered 9 Months ago

You're supposed to give a UNIX timestamp of when the cookie will expired (calculated since the epoch) as the third argument to the function call.

The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+60*60*24*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).

I suggest you read the documentation for setcookie.

Saturday, May 29, 2021
answered 7 Months ago

Make sure you have a domain that is known by both server and client. echo $_SERVER['HTTP_HOST'] should tell you the exact same domain that your browser has. If not, cookie will not be accepted by the browser.

Make sure your server and client time is perfectly correct. Browser will reject a cookie with a wrong datetime.

Do not write any other code and just do:

$cookie_name = "user";
$cookie_value = "John Doe";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day 
// expiration
echo date("H:i:s d.m.Y")."<br>";
echo $_SERVER['HTTP_HOST']."<br>";

and refresh the page twice.

Also check out manual at:

Saturday, May 29, 2021
answered 7 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :