[SOLVED]php Cookies and Sessions.

[Martyj]

I have a question about cookies and sessions, as given by the title.

I am currently working on a part of a website that allows people with the right access change information on the website. Currently the website uses sessions to pass information to other pages and to verify the user. My question is, if I change from a session to a cookie will it open a security risk. For example, would someone be able to re create the cookie on another page and gain access to the web page or is the cookie server specific.

Currently the Session only holds the username and not the password or any other information. So if it is a security risk would I need to pass the password encrypted with the cookie and check the information for each page, or will it be fine and pose no security risk.

The reason I want to switch to cookies is because they expire. I want to force the users who view the page to sign in. I'm too lazy to have it update the data base with the date each time they refresh so I have it for every time someone logs in, it updates the time in the data base. I'm a lazy web developer :P

So yea some information on this would be most appreciated.

[wtetzner]

I have a question about cookies and sessions, as given by the title.

I am currently working on a part of a website that allows people with the right access change information on the website. Currently the website uses sessions to pass information to other pages and to verify the user. My question is, if I change from a session to a cookie will it open a security risk. For example, would someone be able to re create the cookie on another page and gain access to the web page or is the cookie server specific.

Currently the Session only holds the username and not the password or any other information. So if it is a security risk would I need to pass the password encrypted with the cookie and check the information for each page, or will it be fine and pose no security risk.

The reason I want to switch to cookies is because they expire. I want to force the users who view the page to sign in. I'm too lazy to have it update the data base with the date each time they refresh so I have it for every time someone logs in, it updates the time in the data base. I'm a lazy web developer :P

So yea some information on this would be most appreciated.

PHP sessions use cookies. To set the lifetime of the session cookie, use the session_set_cookie_params function: http://us.php.net/manual/en/function.se ... params.php

[Martyj]

Ok so how you would use this would be like

session_set_cookie_params (time() - 3600 ," /" ,"http://www.evilchicken.net", false , false )
session_start();

like that?

[wtetzner]

Ok so how you would use this would be like

session_set_cookie_params (time() - 3600 ," /" ,"http://www.evilchicken.net", false , false )
session_start();

like that?

Honestly I've never used it. I just assumed sessions used cookies, and did a quick Google search to confirm.
The function description is

Code: Select all

void session_set_cookie_params  ( int $lifetime  [, string $path  [, string $domain  [, bool $secure= false  [, bool $httponly= false  ]]]]

so all of the parameters are optional except for $lifetime.

I'm not sure why you're doing "time() - 3600". $lifetime is how long the cookie will last before expiring.
So if you wanted the length of a session to be 20 minutes, you would do

Code: Select all

$expireTime = 20*60;
session_set_cookie_params($expireTime);
session_start();

[dandymcgee]

I'm a lazy web developer :P

Security Risk.

[gordon]

As I understand it using sessions without quite a bit of php knowledge is a security risk in its self, it requires some work to prevent session hijacking and other troublesome things...

[Martyj]

Ok I switched over to cookies. You can close this topic or whatever.

[MarauderIIC]

If you would edit the topic name to have [SOLVED] at the start, that would be nice. If you find anything else on this topic, feel free to add to it so that way I can just paste a post URL to the next person to ask :)