[SOLVED]php Cookies and Sessions.


Post by Martyj »

I have a question about cookies and sessions, as given by the title.

I am currently working on a part of a website that allows people with the right access to change information on the website. Currently the website uses sessions to pass information to other pages and to verify the user. My question is, if I change from a session to a cookie, will it open a security risk? For example, would someone be able to recreate the cookie on another page and gain access to the web page, or is the cookie server specific?

Currently the session only holds the username and not the password or any other information. So if it is a security risk, would I need to pass the password encrypted with the cookie and check the information for each page, or will it be fine and pose no security risk?

The reason I want to switch to cookies is because they expire. I want to force the users who view the page to sign in. I'm too lazy to have it update the database with the date each time they refresh, so I have it so that every time someone logs in, it updates the time in the database. I'm a lazy web developer :P

So yeah, some information on this would be most appreciated.
Last edited by Martyj on Wed May 06, 2009 1:03 pm, edited 1 time in total.

Post by wtetzner »

PHP sessions use cookies. To set the lifetime of the session cookie, use the session_set_cookie_params function: http://us.php.net/manual/en/function.se ... params.php

Post by Martyj »

Ok so how you would use this would be like

session_set_cookie_params(time() - 3600, "/", "http://www.evilchicken.net", false, false);
session_start();

like that?

Post by wtetzner »

Honestly I've never used it. I just assumed sessions used cookies, and did a quick Google search to confirm.
The function description is

Code:

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
so all of the parameters are optional except for $lifetime.

I'm not sure why you're doing "time() - 3600". $lifetime is how long the cookie will last before expiring.
So if you wanted the length of a session to be 20 minutes, you would do

Code:

$expireTime = 20*60;
session_set_cookie_params($expireTime);
session_start();

Post by dandymcgee »

I'm a lazy web developer :P
Security Risk. :roll:

Post by gordon »

As I understand it, using sessions without quite a bit of PHP knowledge is a security risk in itself; it requires some work to prevent session hijacking and other troublesome things...
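
The session-cookie lifetime and hijacking concerns raised in this thread, as an added example that is not part of any poster's reply: the cookie carries only an opaque session ID, the username stays on the server, and expiry is checked server-side because the cookie lifetime is enforced only by the browser. It assumes HTTPS and PHP 7.1 or later; `IDLE_LIMIT`, `start_secure_session()`, `login_user()`, `current_user()` and the `/login.php` path are hypothetical names.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, start_secure_session(),
// login_user() and current_user() are hypothetical names chosen for illustration.

const IDLE_LIMIT = 20 * 60; // 20 minutes, the figure used earlier in the thread

function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    // lifetime, path, domain ('' = current host only), secure, httponly
    session_set_cookie_params(IDLE_LIMIT, '/', '', true, true);
    session_start();
}

function login_user(string $username): void
{
    // Call only after the password has been verified.
    session_regenerate_id(true);        // fresh id at login defeats session fixation
    $_SESSION['username']  = $username; // stored server-side, never in the cookie
    $_SESSION['last_seen'] = time();
}

function current_user(): ?string
{
    if (!isset($_SESSION['username'], $_SESSION['last_seen'])) {
        return null;
    }
    // A copied cookie value ignores the browser's expiry, so enforce it here too.
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['username'];
}

// Top of every protected page:
start_secure_session();
$user = current_user();
if ($user === null) {
    header('Location: /login.php'); // assumed login page path
    exit;
}
echo 'Signed in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Storing the username directly in a cookie instead would let any client edit it, which is why the identity is kept in `$_SESSION` here.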

Post by Martyj »

Ok I switched over to cookies. You can close this topic or whatever.

Post by MarauderIIC »

If you would edit the topic name to have [SOLVED] at the start, that would be nice. If you find anything else on this topic, feel free to add to it so that way I can just paste a post URL to the next person to ask :)