Weird Problem with set-cookie & get cookie. Please help

gnome

Member
I have this code under the head tag of a login page.
I wonder why the set-cookie function does not recognize the variable? <see in the red font>
I also tried to replace it with "tablename.fieldname", but the table seems to be unavailable there, while it is available outside the procedure output-headers. Is there a better way to implement this?

Your help will be much appreciated. Thanks in advance.


Code:
If get-cookie('username_cookie') = "" AND get-value("username") <> '' then DO:
    find first users where users.username = get-value("username")
                     and users.password = encode(get-value("password")) no-lock no-error.
        IF avail users THEN do:
            ASSIGN cusername = users.username.
            PROCEDURE output-headers :
              set-cookie("username_cookie",cusername, ?, ?, ?, ?, ?).
            END PROCEDURE.
      </script>          
          <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
          <a>Cookie is`get-cookie("username_cookie")`</a>
       <script language="SpeedScript">                    
        end.
  END.
 

blue92

New Member
It's been a couple weeks, so you've probably figured this out by now, but the problem is probably with your procedure declaration:

PROCEDURE output-headers :
set-cookie("username_cookie",cusername, ?, ?, ?, ?, ?).
END PROCEDURE.

The procedure definition means you're just defining procedure "output-headers", not executing it within the "DO" block. This procedure (usually) executes prior to any HTML output, so you probably meant to do something more like this:

Code:
PROCEDURE output-headers :
    if get-cookie('username_cookie') = "" AND
      get-value("username") <> '' then do:
        find first users where users.username = get-value("username") and
            users.password = encode(get-value("password")) no-lock no-error.
        IF avail users THEN
            set-cookie("username_cookie",users.username, ?, ?, ?, ?, ?).
    END.
END PROCEDURE.

Strictly speaking you'd need more and better logic than this for a secure login. Using a plaintext username for a cookie is really, really bad -- anybody can guess a username and forge the cookie, bypassing the password check completely! At absolute minimum you can at least do something like "encode(users.username)". Better yet is to keep track of a session-unique cookie value, like "encode(users.username + string(now))". Of course you have to add a field and index to your users table to support this...
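
Added example, not part of blue92's post or of the original thread: a Python sketch (not SpeedScript) of the session-unique cookie value described above, with the server looking the cookie up instead of trusting a username in it. It swaps in a random token from `secrets` for `encode(users.username + string(now))` and stores only a hash of it; `USERS`, `SESSION_TTL`, `digest`, `start_session`, `user_for_cookie` and `end_session` are hypothetical names, and the dict is a constructed stand-in for the users table with the extra fields.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 1800  # assumed session lifetime in seconds

# Constructed stand-in for the users table, with the extra session
# fields the post says would have to be added (and indexed).
USERS = {"alice": {"session_hash": None, "session_expires": 0.0}}


def digest(token):
    """Hash the token so a leaked table does not yield usable cookies."""
    return hashlib.sha256(token.encode()).hexdigest()


def start_session(username, now=None):
    """Call only after the password check succeeded; returns the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)      # unguessable, new on every login
    row = USERS[username]
    row["session_hash"] = digest(token)
    row["session_expires"] = now + SESSION_TTL
    return token


def user_for_cookie(cookie_value, now=None):
    """Map a presented cookie to a username, or None if unknown or expired."""
    now = time.time() if now is None else now
    if not cookie_value:
        return None
    candidate = digest(cookie_value)
    # In a database this loop is a single indexed lookup on the hash field.
    for username, row in USERS.items():
        stored = row["session_hash"]
        if stored and hmac.compare_digest(stored, candidate):
            return username if now < row["session_expires"] else None
    return None


def end_session(username):
    """Logout: the old cookie value stops resolving to a user."""
    USERS[username]["session_hash"] = None
```

A cookie holding just the username resolves to nobody here, because the lookup key is the hash of a random token rather than anything derivable from the account name.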
 

gnome

Member
Hi Blue,

I was really waiting for a reply like this, thanks. It's just my first project for a web application and also my first experience in web programming, so I'm still adjusting and researching ways of implementing things. Actually, I haven't figured it out yet until now, but I have moved on to more important modules. I wonder if this will resolve browser caching... I think I have to post it in a new topic. Hope to catch you there.

Thanks
 