Oct 2

Remembering passwords

This is an excerpt from a log-in procedure. What is not correct (given that the User class exists and works properly)?

<?php

    ...

    $user = new User($pdo, $_POST["usercode"]);

    if ($user->checkPassword($_POST["password"])) {
        $_SESSION["authenticated"] = true;

        if (isset($_POST["save_credentials"])) {
            $_COOKIE["password"] = $_POST["password"];
            $_COOKIE["usercode"] = $_POST["usercode"];
        }
    }

    ...

?>

A: The password data should have been encrypted before storing it in a cookie.
B: The superglobal $_COOKIE cannot be used this way.
C: No cookies will be set.
D: Nothing, as long as the user is not using IE 8 or worse.
E: You still need to send a redirect to commit the cookie.

Choose all that apply.

Answer

Answer A is definitely correct: the user trusts the application with sensitive data, and the first thing the application does is try to dump it in plain text on the user's computer. That's not very decent, to say the least.

Luckily this attempt fails, because the cookie will not be set: you need setcookie(), setrawcookie() or header() for that. The superglobal $_COOKIE can only be used to retrieve cookie values that the browser sent, not to set them. You can, however, assign to the $_COOKIE superglobal like this to your heart's desire: no warnings or errors will be raised, it's perfectly legal in PHP, but don't expect any cookies to be set. So answer C is true too, and answer B is false.

Commits and redirects don't have anything to do with cookies, so answer E is not correct. And IE 8 was not that bad a browser (but pretty close, though), so answer D is out as well.
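For contrast, here is an added example (not code from the original post) of how a "remember me" feature can be done without ever putting the password in a cookie: a random token is committed with setcookie(), and only a hash of it is kept server-side. It assumes PHP 7.3 or later (for the options array of setcookie()) and a hypothetical table remember_tokens(selector, token_hash, usercode, expires).

```php
<?php
// Added example, not code from the original post: a "remember me" that never
// puts the password in a cookie. A random token reaches the browser through
// setcookie() (assigning to $_COOKIE emits no Set-Cookie header); only a hash
// of it is stored. Assumes PHP >= 7.3 and a hypothetical table
// remember_tokens(selector, token_hash, usercode, expires).
function issueRememberToken(PDO $pdo, string $usercode): void
{
    $selector  = bin2hex(random_bytes(9));   // row locator, not secret
    $validator = bin2hex(random_bytes(32));  // secret, lives only in the cookie
    $expires   = time() + 30 * 24 * 3600;    // 30 days
    $stmt = $pdo->prepare("INSERT INTO remember_tokens
        (selector, token_hash, usercode, expires) VALUES (?, ?, ?, ?)");
    $stmt->execute([$selector, hash("sha256", $validator), $usercode, $expires]);
    // The cookie is committed with setcookie(); the flags keep the token off
    // plain HTTP and out of reach of script running in the page.
    setcookie("remember", $selector . ":" . $validator, [
        "expires"  => $expires,
        "path"     => "/",
        "secure"   => true,
        "httponly" => true,
        "samesite" => "Lax",
    ]);
}

// Returns the usercode for a valid remember-me cookie, or null otherwise.
function resolveRememberToken(PDO $pdo): ?string
{
    if (!isset($_COOKIE["remember"])) {
        return null;
    }
    $parts = explode(":", $_COOKIE["remember"], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare("SELECT usercode, token_hash FROM remember_tokens
        WHERE selector = ? AND expires > ?");
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time, so the lookup does not leak
    // how many leading bytes of the validator matched.
    if (!$row || !hash_equals($row["token_hash"], hash("sha256", $validator))) {
        return null;
    }
    return $row["usercode"];
}
```

If the database is ever read by an attacker, only the hashes are exposed and the cookies in users' browsers remain unusable to them; deleting the row is all it takes to revoke a token.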