1

I am trying to learn how to use cookies from PHPNerds. I am having trouble running the scripts that they have mentioned (I almost understand what the code does, but I am unable to get which code will be stored with which name). They are as below:

User Login

<html>
<head>
<title>User Logon</title>
</head>
<body>
 <h2>User Login </h2>
 <form name="login" method="post" action="login.php">
 Username: <input type="text" name="username"><br>
 Password: <input type="password" name="password"><br>
 Remember Me: <input type="checkbox" name="rememberme" value="1"><br>
 <input type="submit" name="submit" value="Login!">
 </form>
</body>
</html>

Login Code

<?php
/* These are our valid username and passwords */
$user = 'jonny4';
$pass = 'delafoo';
if (isset($_POST['username']) && isset($_POST['password')) {
 if (($_POST['username'] == $user) && ($_POST['password'] == $pass)) { 
 if (isset($_POST['rememberme'])) {
 /* Set cookie to last 1 year */
 setcookie('username', $_POST['username'], time()+60*60*24*365, '/account', 'www.example.com');
 setcookie('password', md5($_POST['password']), time()+60*60*24*365, '/account', 'www.example.com');
 } else {
 /* Cookie expires when browser closes */
 setcookie('username', $_POST['username'], false, '/account', 'www.example.com');
 setcookie('password', md5($_POST['password']), false, '/account', 'www.example.com');
 }
 header('Location: index.php');
 } else {
 echo 'Username/Password Invalid';
 }
} else {
 echo 'You must supply a username and password.';
}
?>

Validating

<?php
/* These are our valid username and passwords */
$user = 'jonny4';
$pass = 'delafoo';
if (isset($_COOKIE[['username']) && isset($_COOKIE['password')) {
 if (($_POST['username'] != $user) || ($_POST['password'] != md5($pass))) { 
 header('Location: login.html');
 } else {
 echo 'Welcome back ' . $_COOKIE['username'];
 }
} else {
 header('Location: login.html');
}
?>

Thanks in advance.

neophyte
asked Jan 12, 2012 at 4:28
2
  • Just a warning: Don't use this in any kind of production. Storing passwords (even hashed with MD5) is unsafe and irresponsible. That being said, it's a good example to practice with. Commented Jan 12, 2012 at 4:33
  • 1
    I think you are learning cookies from bad examples; storing usernames and passwords in cookies is a dangerous and bad habit. Commented Jan 12, 2012 at 4:36

3 Answers

3

Ok I get it now,

PHP is flexible. You can either separate your html from your logic or serve it all in one page. You will get arguments about what is the "proper" way to handle this, but ultimately it has to do with your own preference and how you plan on handling the code in the future.

Personally, on a tiny project I would have the logic and html for the login page in one file...

login.php:

<?php
/* These are our valid username and passwords */
$user = 'jonny4';
$pass = 'delafoo';
$error = null;
if (isset($_POST['username']) && isset($_POST['password'])) {
    if (($_POST['username'] == $user) && ($_POST['password'] == $pass)) {
        if (isset($_POST['rememberme'])) {
            /* Set cookie to last 1 year */
            setcookie('username', $_POST['username'], time()+60*60*24*365, '/account', 'www.example.com');
            setcookie('password', md5($_POST['password']), time()+60*60*24*365, '/account', 'www.example.com');
        } else {
            /* Cookie expires when browser closes */
            setcookie('username', $_POST['username'], false, '/account', 'www.example.com');
            setcookie('password', md5($_POST['password']), false, '/account', 'www.example.com');
        }
        header('Location: index.php');
        exit;
    } else {
        $error = 'Username/Password Invalid';
    }
} else {
    $error = 'You must supply a username and password.';
}
?>
<html>
<head>
<title>User Logon</title>
</head>
<body>
 <h2>User Login </h2>
 <?php echo $error ? $error.'<br>' : ''; ?>
 <form name="login" method="post" action="login.php">
 Username: <input type="text" name="username"><br>
 Password: <input type="password" name="password"><br>
 Remember Me: <input type="checkbox" name="rememberme" value="1"><br>
 <input type="submit" name="submit" value="Login!">
 </form>
</body>
</html>

index.php:

<?php
/* These are our valid username and passwords */
$user = 'jonny4';
$pass = 'delafoo';
if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
    /* Compare the cookie values: nothing is POSTed to this page */
    if (($_COOKIE['username'] != $user) || ($_COOKIE['password'] != md5($pass))) {
        header('Location: login.php');
        exit;
    } else {
        echo 'Welcome back ' . $_COOKIE['username'];
    }
} else {
    header('Location: login.php');
    exit;
}
?>

If you're going serious, I would look into MVC (model view controller) and OOP (object oriented programming) to see how proper it can be. But for basic things, there's nothing particularly wrong with the login being handled at the top of a view like in this example.

From my perspective - working for a web firm - I absolutely hate it when I inherit a project from a new client and the old programmer separated everything they possibly could into a new file. The term "right tool for the job" can also apply to the basic approach to a project. In some cases, a site is so small it would be a huge waste of time to work it through a framework or set up an elaborate file system. It all depends on your needs, which will become clear with experience.

One thing's for sure - everyone that said storing usernames and passwords in cookies is a bad idea is absolutely correct. Usually you do something like store a unique ID and cross reference that with a database to pull the relevant user info. That way your data can't be hijacked by any novice hack or idiot leaving their cookies open on their desktop.

answered Jan 12, 2012 at 4:35

1 Comment

I meant the file names. All of the three code samples would be in separate files, right?
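
One way to do what the answer above describes (store a unique ID and cross-reference it on the server), as an added example that is not part of the original answers. The table `remember_tokens`, the cookie name `remember`, and the 30-day lifetime are assumptions made for illustration.

```php
<?php
// Added example: the cookie carries a random token, never the username or password.
// Assumed table (hypothetical): remember_tokens(selector, token_hash, user_id, expires)
const REMEMBER_TTL = 60 * 60 * 24 * 30; // 30 days, an assumed lifetime

function issueRememberToken(PDO $db, int $userId): string
{
    $selector = bin2hex(random_bytes(9));  // lookup key, not secret
    $token    = bin2hex(random_bytes(32)); // secret; only its SHA-256 is stored
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $token;
}

function sendRememberCookie(string $value): void
{
    setcookie('remember', $value, [        // 'remember' is a hypothetical cookie name
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,                // HTTPS only
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function userIdFromCookie(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $stmt = $db->prepare('SELECT token_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $parts[1]))) { // constant-time compare
        return null;
    }
    // Single use: delete the row; the caller issues a fresh token after this login.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    return (int) $row['user_id'];
}

if (PHP_SAPI === 'cli') { // offline demo with a constructed in-memory table
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, token_hash TEXT, user_id INTEGER, expires INTEGER)');
    $cookie = issueRememberToken($db, 42);            // 42 is a constructed user id
    var_dump(userIdFromCookie($db, $cookie));         // first presentation of the cookie
    var_dump(userIdFromCookie($db, $cookie));         // replay of the same cookie
}
```

The options-array form of `setcookie()` requires PHP 7.3 or later, and the demo needs the `pdo_sqlite` extension.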
0

Maybe there is a typo in the validating page; compare the values against the cookies, not the POST superglobals.

if (isset($_COOKIE['username'], $_COOKIE['password'])) {
    if ($_COOKIE['username'] == $user && $_COOKIE['password'] == md5($pass)) {
        echo 'Welcome back ' . $_COOKIE['username'];
    } else {
        header('Location: login.html');
        exit; // stop the script once the redirect header is sent
    }
} else {
    header('Location: login.html');
    exit;
}
answered Jan 12, 2012 at 4:35


0

This is another way of doing it, try this.

<?php
/* These are our valid username and passwords */
$user = 'jonny4';
$pass = 'delafoo';
if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
    /* Compare the cookie values: nothing is POSTed to this page */
    if (($_COOKIE['username'] != $user) || ($_COOKIE['password'] != md5($pass))) {
        header('Location: login.php');
        exit;
    } else {
        echo 'Welcome back ' . $_COOKIE['username'];
    }
} else {
    header('Location: login.php');
    exit;
}
?>
answered Nov 22, 2019 at 11:40
