Larry Ullman's Book Forums

question on chapter 13


There is a function isadministrator() in an includes file which checks for the existence of a certain cookie, yet in the footer there are exceptions in his logic for the login and logout pages.

Can someone please go over with me why it's not working on these two pages?

On login.php: basically, when the password and user are correct, the server sends a cookie to the client, but it's not available to be read right away unless you refresh the page?

On logout.php:
It destroys the cookie by setting it to false and its time in the past...
So then why wouldn't isadministrator work? Why does the browser still think the cookie exists? Is this the same reason as on the login.php page?



Yes, you're on the right path. And the concepts are a bit confusing. Remember that cookies are sent back and forth between the server and the browser. The $_COOKIE array is populated by the browser sending cookies back to the server.

On the login page, the PHP script sets the cookie which means the cookie doesn't exist when the page is first loaded (i.e., it's not sent from the browser to the server upon login submission). So the logic has to factor in that the login page DOESN'T have the cookie, despite actually setting the cookie. Conversely, the cookie exists on the logout page when the page is first loaded but is then deleted (i.e., the cookie is sent from the browser to the server when accessing the logout script). This means the logic has to factor in that the cookie DOES exist upon first running the page. 

It probably also helps to remember that the includes become part of the page that included them. So when login.php is run without receiving a cookie from the browser, the included file also doesn't receive that cookie. (In other words, the execution of the included file is not a separate request from the browser.)


  • 4 weeks later...

Your explanation clarified this for me, thank you. And it makes a lot of sense now.

However, can you please give your opinion on this thread:


The first explanation makes sense; he says that if you want immediate access, then you would do the following:

setcookie('uname', $uname, time()+60*30); // queues a Set-Cookie header for the response; $_COOKIE is not changed
$_COOKIE['uname'] = $uname;               // writes the value into the superglobal so later code in this request can read it

This would be manually setting it, and I was curious why the method you outlined is better, because if we used this, then we could modify that extra piece of validation code in the footer that checks if the page we are on is not login or logout. So would setting it manually be less secure?

Edited by kravmaguy
adding information

The second line is not actually manually setting the cookie, it's manually assigning a value to an element in the $_COOKIE array so that you can refer to it later in the script. I wouldn't say this approach is less secure necessarily, but it's a bit of an artificial workaround (by that I mean it allows you to refer to a $_COOKIE variable before it should have a value). 

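The request cycle described in the two answers above, as an added example that is not code from the book or from anyone in this thread. Four files are shown in one listing, separated by comments, so a single cookie can be traced across requests. The function name isadministrator(), the cookie name 'admin', the user table and the secret are constructed for illustration; the options-array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the book or from this thread. Four files are
// shown in one listing (separated by comments) so the cookie can be traced
// across requests; isadministrator(), the 'admin' cookie name, the secret and
// the user table are illustrative assumptions.

// ---- includes/functions.php -------------------------------------------------

// Constructed secret for the example; a real app loads it from configuration.
const COOKIE_SECRET = 'example-secret-change-me';

// Constructed user table: one user, password hashed at load time so the
// example stays self-contained.
function check_login(string $user, string $pass): bool {
    $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Cookie value "<uname>|<hmac>". A cookie is client-controlled, so checking
// only that a cookie named 'admin' exists would be trivially forgeable; the
// HMAC lets the server verify that it issued the value.
function make_admin_cookie(string $uname): string {
    return $uname . '|' . hash_hmac('sha256', $uname, COOKIE_SECRET);
}

// True only if the *request* carried a cookie whose signature verifies.
// $_COOKIE is filled from the incoming Cookie header when the script starts
// and is never changed by setcookie() calls made during the same script.
function isadministrator(): bool {
    if (!isset($_COOKIE['admin'])) {
        return false;
    }
    [$uname, $mac] = array_pad(explode('|', $_COOKIE['admin'], 2), 2, '');
    return hash_equals(hash_hmac('sha256', $uname, COOKIE_SECRET), $mac);
}

// ---- includes/footer.php ----------------------------------------------------

// login.php is excluded because the cookie is being *set* but was not received;
// logout.php because it was received but is being *deleted*. Without the
// exclusions the footer would show "Login" right after a successful login and
// "Logout" right after logging out.
function footer_link(): string {
    $page = basename($_SERVER['PHP_SELF'] ?? '');
    if (isadministrator() && !in_array($page, ['login.php', 'logout.php'], true)) {
        return '<a href="logout.php">Logout</a>';
    }
    return '<a href="login.php">Login</a>';
}

// ---- login.php --------------------------------------------------------------

$just_logged_in = false;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && check_login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    // Must run before any output: cookies travel in the response headers.
    setcookie('admin', make_admin_cookie($_POST['user']), [
        'expires'  => time() + 60 * 30,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // hidden from document.cookie
        'samesite' => 'Lax',
    ]);
    // isadministrator() is still false in this request. Remember the result in
    // a local variable rather than writing into $_COOKIE; the browser will send
    // the cookie back with its next request.
    $just_logged_in = true;
}

// ---- logout.php -------------------------------------------------------------

// The browser sent the cookie with this request, so isadministrator() is true
// while this script runs even though the cookie is being removed. The delete
// must use the same path (and domain, if one was set) as the original cookie,
// or the browser keeps the old one.
setcookie('admin', '', ['expires' => time() - 3600, 'path' => '/']);
```

The `$_COOKIE['uname'] = $uname;` line discussed above makes later code in the same request see the value, but nothing has yet confirmed that the browser accepted the cookie; only the next request proves that. Keeping the login result in a local variable, and keeping the footer's login/logout exclusion, avoids treating an unconfirmed value as if it had come from the browser.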
