I have a question about cookies and sessions, as given by the title.
I am currently working on a part of a website that allows people with the right access to change information on the website. Currently the website uses sessions to pass information to other pages and to verify the user. My question is, if I change from a session to a cookie, will it open a security risk? For example, would someone be able to recreate the cookie on another page and gain access to the web page, or is the cookie server-specific?
Currently the session only holds the username and not the password or any other information. So if it is a security risk, would I need to pass the password encrypted with the cookie and check the information for each page, or will it be fine and pose no security risk?
The reason I want to switch to cookies is because they expire. I want to force the users who view the page to sign in. I'm too lazy to have it update the database with the date each time they refresh, so I have it so that every time someone logs in, it updates the time in the database. I'm a lazy web developer :P
So yeah, some information on this would be most appreciated.
[SOLVED]php Cookies and Sessions.
Last edited by Martyj on Wed May 06, 2009 1:03 pm, edited 1 time in total.
- wtetzner
Re: php Cookies and Sessions.
PHP sessions use cookies. To set the lifetime of the session cookie, use the session_set_cookie_params function: http://us.php.net/manual/en/function.se ... params.php
The novice realizes that the difference between code and data is trivial. The expert realizes that all code is data. And the true master realizes that all data is code.
Re: php Cookies and Sessions.
Ok so how you would use this would be like
session_set_cookie_params(time() - 3600, " /", "http://www.evilchicken.net", false, false);
session_start();
like that?
- wtetzner
Re: php Cookies and Sessions.
Honestly I've never used it. I just assumed sessions used cookies, and did a quick Google search to confirm.
The function description is
Code:
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
I'm not sure why you're doing "time() - 3600". $lifetime is how long the cookie will last before expiring.
So if you wanted the length of a session to be 20 minutes, you would do
Code:
// Cookie lifetime in seconds (20 minutes)
$expireTime = 20*60;
session_set_cookie_params($expireTime);
session_start();
- dandymcgee
Re: php Cookies and Sessions.
"I'm a lazy web developer :P"
Security Risk.
Falco Girgis wrote:It is imperative that I can broadcast my narcissistic commit strings to the Twitter! Tweet Tweet, bitches!
Re: php Cookies and Sessions.
As I understand it, using sessions without quite a bit of PHP knowledge is a security risk in itself; it requires some work to prevent session hijacking and other troublesome things...
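An added example (not code posted by anyone in this thread) tying together the cookie lifetime setting discussed above and the session hijacking concern: the username stays in server-side session data, the cookie is marked secure and httponly, and expiry is checked on the server because the browser controls how long it keeps a cookie. It assumes the site is served over HTTPS; IDLE_LIMIT, the function names and /login.php are hypothetical.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, start_secure_session(),
// log_in() and require_login() are hypothetical names.
const IDLE_LIMIT = 20 * 60; // seconds, the 20 minutes used in the thread

function start_secure_session(): void
{
    // Same positional parameters as the signature quoted above:
    // lifetime, path, domain ('' = current host only), secure, httponly.
    session_set_cookie_params(IDLE_LIMIT, '/', '', true, true);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_start();
}

function log_in(string $username): void
{
    // Call only after the password has been verified.
    session_regenerate_id(true);      // new ID at login defeats session fixation
    $_SESSION['username'] = $username;
    $_SESSION['last_seen'] = time();
}

function require_login(): string
{
    $last = $_SESSION['last_seen'] ?? 0;
    if (!isset($_SESSION['username']) || time() - $last > IDLE_LIMIT) {
        // The browser controls the cookie's lifetime, so expiry is enforced here.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding window: activity extends the session
    return $_SESSION['username'];
}

// Top of every protected page:
start_secure_session();
$user = require_login();
echo 'Signed in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The timestamp lives in the session store, so no database write is needed on each request.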
Re: php Cookies and Sessions.
Ok I switched over to cookies. You can close this topic or whatever.
- MarauderIIC
Re: php Cookies and Sessions.
If you would edit the topic name to have [SOLVED] at the start, that would be nice. If you find anything else on this topic, feel free to add to it so that way I can just paste a post URL to the next person to ask :)
I realized the moment I fell into the fissure that the book would not be destroyed as I had planned.