You're being overly picky for no reason.
I'm criticizing his code and trying to help him learn how to better implement his ideas in PHP. I'm not trying to be mean or anything.
Secondly, md5 blows. Change them to SHA1.
In this context, md5 vs sha1 makes absolutely no difference.
md5 is infitely easier to collide than sha1, and if someone hijacked an admin cookie, they could easily log in as the superuser.
You should also call error_reporting(E_ALL) and do an isset() check on your get variables.
Useful advice for developing, in general, but he's releasing the software so setting it to E_ALL would be annoying for others.
I keep E_ALL on on all of my projects, and trap the errors, though it is just personal preference.
You should also set a cookie expiration date. Setting cookies good until the browser closes is a stupid thing to do, and can be replaced by the $_SESSION superglobal (that's what it was made for).
That's true, but then this wouldn't be a demonstration of cookies, would it? There's nothing wrong with a login cookie expiring at close, even if session is better. It's definitly not "stupid".
I'm just saying it would be a more effective demonstration of cookies if he did something that only cookies could do, like carrying a login over multiple sessions.
Nextly, you should return all of your strings, and never print from functions, unless you're doing OOP (which you're not).
Both ways are fine.
Gah..I supposed, but it bugs me.
Furthermore, hange the password box to a password type.
Again: demonstration.
It's what the "password" type is for.
You have a problem:
Cookie: a722c63db8ec8625af6cf71cb8c2d939 test1
Logged in as test1
Account doesn't exist.
I can't be logged in with a non-existant account. It doesn't make sense. You could be tracing these problems out with error_reporting(E_ALL);
You don't have to be an asshole when you report a bug.
Wasn't trying to be. I was just pointing out that something went wrong and conflicting messages were printed. Anyway, that "could" is should*, my bad.
