PHP Server Side Scripting Forum

Cookie update time
Readie
msg:4369800
5:54 pm on Oct 2, 2011 (gmt 0)

Cookies aren't something I use much, but I've decided to start using them as part of my user management system to prevent session theft.

Basically, I store a hash in a cookie and a hash in the session; if they don't match I kill the session data.

If they do match, I regenerate the hash, and reset the cookie to time() + 3600... Except the cookie time doesn't get updated :) The user gets logged out after 60 minutes no matter what.

The essential code for this is as follows:
$security_hash = util::hash($this->user->id . time());    // new token for this request
setcookie('security_hash', $security_hash, time() + 3600); // send it to the browser, expiring in an hour
$_COOKIE['security_hash'] = $security_hash;                // make it visible to the rest of this request
$_SESSION['user'] = array(
    'id'            => $this->user->id,
    'security_hash' => $security_hash                      // server-side copy to compare on the next request
);

Could anyone tell me what I'm doing wrong?


Matthew1980
msg:4369841
8:28 pm on Oct 2, 2011 (gmt 0)

Hi there Readie,

Been a while since I posted, but this strikes me as something that I may actually be able to help with!

I personally would reset the cookie, i.e., set the 'security_hash' to zero - check that this is physically done - then re-instantiate it with your new data & time.

But by looking at your code, it looks like you're trying to rewrite it twice, because the third line doesn't assign time to it, so I *think* it may resort to the default session expiry, which depending on your php.ini setup could be 30 mins if memory serves.

My apologies if I'm wrong, but VB.net is depleting my braincells, and I'm a bit rusty at php now :)

I just thought I would offer some suggestions there.

Cheers,
MRb

penders
msg:4369858
9:01 pm on Oct 2, 2011 (gmt 0)

The time should be updated. But I think you should be specifying a path as the 4th argument. Probably to '/' for the whole domain. If you omit the path then it's going to use the current directory, which I guess could be changing throughout your script, so you might be setting lots of different cookies for different directories with different times?!

>>I personally would reset the cookie, i.e., set the 'security_hash' to zero - check that this is physically done - then re-instantiate it with your new data & time.

You couldn't do this on each request, since this requires 2 requests, and it would enable the user to bypass any security offered by the hash in the first place. Writing the cookie with the correct value is enough - since it has probably already been established that cookies are enabled and working.

>>But by looking at your code, it looks like you're trying to rewrite it twice, because the third line doesn't assign time to it

The third line doesn't write a cookie; it simply sets a value in the $_COOKIE array. This is required when you need to access the value of the cookie (via the $_COOKIE superglobal) in the same request you are setting the cookie.
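The path behaviour penders describes, modelled as an added example that is not code from the thread: a small Python imitation of how a browser scopes a cookie that arrives without a Path attribute (the RFC 6265 default-path rule, which is what applies when setcookie()'s 4th argument is omitted), and of how it picks which stored cookies to send back. The request paths, token values and timestamps are constructed for the demo.

```python
from dataclasses import dataclass

def default_path(request_path: str) -> str:
    """RFC 6265 s5.1.4 default-path: the Path a browser assigns to a cookie that
    arrives without a Path attribute (what setcookie() sends when arg 4 is omitted)."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    return "/" if cut == 0 else request_path[:cut]

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-match: decides whether a stored cookie is sent."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

@dataclass
class Cookie:
    name: str
    value: str
    path: str
    expires: int  # Unix timestamp

class CookieJar:
    """Minimal model of a browser cookie store for one host: a Set-Cookie replaces
    an existing cookie only when name AND path both match (RFC 6265 s5.3)."""
    def __init__(self):
        self.store = {}

    def set_cookie(self, request_path, name, value, expires, path=None):
        path = path if path is not None else default_path(request_path)
        self.store[(name, path)] = Cookie(name, value, path, expires)

    def cookies_for(self, request_path):
        # Browsers send cookies with longer (more specific) paths first (s5.4).
        hits = [c for (_, p), c in self.store.items() if path_matches(request_path, p)]
        return sorted(hits, key=lambda c: len(c.path), reverse=True)

def simulate(explicit_path):
    """Constructed scenario: /members/profile.php sets the token at t=0, a refresh
    from /members/ajax/ping.php re-sets it at t=1800, then /members/profile.php is
    requested again. Returns (cookies stored, value sent, expiry sent)."""
    jar = CookieJar()
    jar.set_cookie("/members/profile.php", "security_hash", "h1", 3600, explicit_path)
    jar.set_cookie("/members/ajax/ping.php", "security_hash", "h2", 1800 + 3600, explicit_path)
    first = jar.cookies_for("/members/profile.php")[0]
    return len(jar.store), first.value, first.expires
```

With no explicit path, simulate(None) gives (2, 'h1', 3600): the refresh created a second cookie scoped to /members/ajax, so the profile page keeps receiving the original token with its original expiry. With path '/', simulate('/') gives (1, 'h2', 5400): one cookie, refreshed in place.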

Readie
msg:4370213
6:13 pm on Oct 3, 2011 (gmt 0)

Cheers for the response, guys.

I'll try adding a path into the setcookie and see how that turns out.

And I can guarantee it is setting the cookie and updating the value at least - if it wasn't doing that the user would instantly be logged out.

Matthew1980
msg:4372089
9:22 pm on Oct 7, 2011 (gmt 0)

@penders:

>>But I think you should be specifying a path as the 4th argument. Probably to '/' for the whole domain. If you omit the path then it's going to use the current directory....

Absolutely correct! I had a problem with a script last year that turned out to be this exact issue, the 4th parameter should be set to "/" so that the cookie is valid and accessible throughout the domain.

Hope that you've got it sussed now, Readie!

Cheers,
MRb

Readie
msg:4372417
6:00 pm on Oct 9, 2011 (gmt 0)

No longer experiencing the issue, but I did change hosting provider at the same time as adding the 4th parameter (MySQL on that host was ridiculous: < 0.1 sec load times turned to 20 sec with a mysql_connect()?) - so I won't be able to say for certain what fixed it.

Either way, the issue's gone so I'm happy :)

© Webmaster World 1996-2014 all rights reserved