Forum Moderators: phranque
They can pick up this cookie if they visit web page B.
That is the viewer can only view web page A if they have been to web page B previously.
Is there anyway to cheat this system so that one can look at web page A without previously having been to web page B?
That is assuming disabling cookies is not an option.
Could the user maybe somehow put a cookie on their browser and call it "Camb"? Can cookies be faked like this? Is a cookie just a name and so can be faked so easily like this - just by putting a cookie with the same name on the browser? Or is there more to them?
Would so appreciate some help with this. Many thanks,
Also, make sure the contents are not easily fakable. An obvious serial number is fakable. A long string of seemingly random letters and numbers is not.
When you get the cookie back, make sure the contents are something you sent. Keep a small file/database. Purge old cookies every few days (unless you are expecting long-term visitors).
That's still not air-tight -- visitors could share cookies; but it is as close as you can get using cookies alone.
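The approach this reply describes (an unguessable cookie value, a server-side record of what was issued, and periodic purging) written out as an added PHP example; it is not code from the thread. The cookie name "camb" comes from the question; the store file path, the three-day purge window, the page file names PageB.php and PageA.php, and PHP 7.4 or later are assumptions.

```php
<?php
// Added example: a "visited page B" token that the browser cannot forge.
// The cookie name is taken from the question; the file path, TTL and page
// names below are assumed for illustration.

const CAMB_COOKIE = 'camb';
const CAMB_STORE  = __DIR__ . '/camb_tokens.json'; // assumed location of the small server-side file
const CAMB_TTL    = 3 * 24 * 3600;                 // purge entries after three days

function camb_load_store(): array {
    if (!is_file(CAMB_STORE)) return [];
    $data = json_decode((string) file_get_contents(CAMB_STORE), true);
    return is_array($data) ? $data : [];
}

function camb_save_store(array $store): void {
    file_put_contents(CAMB_STORE, json_encode($store), LOCK_EX);
}

// Drop entries older than CAMB_TTL so the file does not grow without bound.
function camb_purge(array $store): array {
    $cutoff = time() - CAMB_TTL;
    return array_filter($store, fn($issued) => $issued >= $cutoff);
}

// Page B: mint 32 random bytes (256 bits, so not guessable), keep only a hash of
// the value on the server, and hand the raw value to the browser. Storing the
// hash means a copied store file does not by itself yield usable cookies.
function camb_issue(): string {
    $token = bin2hex(random_bytes(32));
    $store = camb_purge(camb_load_store());
    $store[hash('sha256', $token)] = time();
    camb_save_store($store);
    return $token;
}

// Page A: the cookie's name and value are both under the visitor's control, so the
// value is untrusted input. It counts only if its hash is one we issued and the
// entry has not been purged; the name alone proves nothing.
function camb_is_valid(?string $token): bool {
    if ($token === null || !preg_match('/^[0-9a-f]{64}\z/', $token)) return false;
    $store = camb_purge(camb_load_store());
    return isset($store[hash('sha256', $token)]);
}

$page = basename($_SERVER['SCRIPT_NAME'] ?? '');   // assumed file names PageB.php / PageA.php
if ($page === 'PageB.php') {
    setcookie(CAMB_COOKIE, camb_issue(), [
        'expires'  => time() + CAMB_TTL,
        'path'     => '/',
        'secure'   => true,     // sent only over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
} elseif ($page === 'PageA.php') {
    if (!camb_is_valid($_COOKIE[CAMB_COOKIE] ?? null)) {
        http_response_code(403);
        exit('please visit page B first');
    }
    /* page A output */
}
```

As the reply notes, this still cannot stop a visitor who has been to page B from handing the cookie value to someone else; the server only ever learns that a value it issued came back.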
<waving 'hi rhodospin! />, so I'll give you an example in php.
On Page B:
<?php
/* you want to make this session only good for 10 minutes:
   session_cache_expire() only sets the HTTP cache header, so set the
   cookie lifetime and the server-side lifetime instead */
session_set_cookie_params(600);
ini_set('session.gc_maxlifetime', '600');
session_start();
$_SESSION['camb'] = '1';
?>
<?php /* On Page A */
session_set_cookie_params(600);
ini_set('session.gc_maxlifetime', '600');
session_start();
if (empty($_SESSION['camb'])) echo 'please visit page B at mysite.com/PageB, then you can see page A';
else {
/* the page output for people allowed to see page A */
}
?>
Setting a session will set a session id cookie that has the value of a highly unique string. The info as to what this string corresponds to (whether $_SESSION['camb'] is set or not) is contained on your server. This info is destroyed when the session is destroyed, or the cookie isn't valid any more, and is determined by your session's term of validity. If a user's browser can't accept cookies, a unique id is placed in the URL instead that the scripting language receives in GET format and processes accordingly to provide your session values.
Sessions are a way of getting lots of cross-page data with only one cookie (or URL extension). If you don't like the URL version, and only want to use cookies, look at your favorite script's page on sessions to find out how to do this.
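The same session-based check, written out as an added example rather than the reply's own code, with the settings a hardened deployment would use: the URL fallback the reply mentions is switched off (session ids in URLs end up in logs, referrers and shared links), the 10-minute window is enforced against the server's clock rather than left to a cache header, and the cookie is restricted to HTTPS and hidden from page scripts. PHP 7.3 or later, HTTPS, and the page file names PageB.php and PageA.php are assumptions.

```php
<?php
// Added example (not from the thread): the "visited page B" session flag with
// hardened session settings. Page names and PHP >= 7.3 are assumed.

function camb_session_start(): void {
    // Never fall back to carrying the session id in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not create
    ini_set('session.gc_maxlifetime', '600');  // server-side data lives at most 10 minutes
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie; the 10-minute limit is enforced below
        'path'     => '/',
        'secure'   => true,       // sent only over HTTPS
        'httponly' => true,       // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Page B: record the visit with a server timestamp and rotate the session id so
// an id the visitor held before this point carries no weight.
function camb_mark_visited(): void {
    session_regenerate_id(true);
    $_SESSION['camb'] = time();
}

// Page A: the flag is honoured for ten minutes, measured by the server's clock.
// Nothing the browser sends can extend it; the browser only holds the opaque id.
function camb_visited_recently(int $max_age = 600): bool {
    if (!isset($_SESSION['camb']) || !is_int($_SESSION['camb'])) return false;
    return (time() - $_SESSION['camb']) <= $max_age;
}

camb_session_start();
$page = basename($_SERVER['SCRIPT_NAME'] ?? '');   // assumed file names PageB.php / PageA.php
if ($page === 'PageB.php') {
    camb_mark_visited();
} elseif ($page === 'PageA.php') {
    if (!camb_visited_recently()) {
        http_response_code(403);
        exit('please visit page B at mysite.com/PageB, then you can see page A');
    }
    /* page A output */
}
```

Because the browser holds only the session id, and the "camb" value lives in the server's session store, a visitor cannot create the flag by adding a cookie named "camb" themselves; the only cookie the server reads is the session id, and with use_strict_mode it accepts only ids it generated.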
You can spoof cookies? My understanding is that cookies can only be read by the domain that created them. . .In which case the name of the cookie is completely irrelevant when speaking outside the domain that "baked" it. I could be wrong but. . .
Is this logic misplaced?