On Sun, Aug 7, 2011 at 3:11 PM, Richard Riley <rile...@googlemail.com> wrote:

> Andre Polykanine <an...@oire.org> writes:
> > Hello alekto,
> >
> > I've got several notes to point out:
> > 1. You can't do either a header() or a SetCookie() after any echo
> > on the page. The out-of-php pieces of the page included.
> Not true.
> See ob_start and family.

Yes, but it is better form to make sure there is no output before your
header or setcookie commands. This makes your code more portable. Your code
will need some restructuring, though.

I did notice some other issues in your code, however. You delete the cookies
in the beginning if they are set. This is probably what was killing your
remember me function.

But on a much more serious note, this script is full of security holes.
Unhashed passwords in the DB and cookies is just asking for trouble. Plus,
if you're using sessions, you should just use the session cookie to remember
a login. It's safer than storing a password in a cookie.

Sent from my PC.
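
The points raised in this message, as an added example that is not part of the original thread or the original poster's script: all cookie and header calls run before any output, only a password hash is stored, and "remember me" is done by giving the session cookie a lifetime rather than by putting credentials in a cookie. The `users` table, the form field names and the in-memory SQLite account are assumptions made for illustration.

```php
<?php
// Added example. The users table, form field names and the in-memory SQLite
// database with one constructed account are assumptions for illustration.
declare(strict_types=1);

$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
$ttl      = empty($_POST['remember']) ? 0 : 14 * 24 * 3600; // 0 = browser session

// Cookie and header work happens before any output, so ob_start() is not needed.
if ($ttl > 0) {
    ini_set('session.gc_maxlifetime', (string) $ttl); // keep server-side data as long
}
session_set_cookie_params([          // array form needs PHP 7.3+
    'lifetime' => $ttl,
    'path'     => '/',
    'secure'   => true,              // HTTPS only
    'httponly' => true,              // hidden from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample data: only a password_hash() digest is stored.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['demo', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

$error = null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user !== false && password_verify($password, $user['password_hash'])) {
        session_regenerate_id(true);         // fresh id, sent with the lifetime above
        $_SESSION['user_id'] = (int) $user['id'];
        header('Location: /');               // still no output sent at this point
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<!DOCTYPE html>
<?php if ($error !== null): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
<form method="post">
  <input name="username"> <input name="password" type="password">
  <label><input name="remember" type="checkbox" value="1"> Remember me</label> <button>Log in</button>
</form>
```

With `'secure' => true` the session cookie is only sent over HTTPS, so testing on plain HTTP requires turning that flag off locally.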
