Cookie update time

Readie

5:54 pm on Oct 2, 2011 (gmt 0)



Cookies aren't something I use much, but I've decided to start using them as part of my user management system to prevent session theft.

Basically, I store a hash in a cookie and a hash in the session; if they don't match I kill the session data.

If they do match, I regenerate the hash, and reset the cookie to time() + 3600... Except the cookie time doesn't get updated :) The user gets logged out after 60 minutes no matter what.

The essential code for this is as follows:
$security_hash = util::hash($this->user->id . time());
setcookie('security_hash', $security_hash, time() + 3600); // send the cookie to the browser, 1 hour lifetime
$_COOKIE['security_hash'] = $security_hash; // make the new value visible to the rest of this request
$_SESSION['user'] = array(
    'id' => $this->user->id,
    'security_hash' => $security_hash
);

Could anyone tell me what I'm doing wrong?

Matthew1980

8:28 pm on Oct 2, 2011 (gmt 0)



Hi there Readie,

Been a while since I posted, but this strikes me as something that I may actually be able to help with!

I personally would reset the cookie, i.e., set the 'security_hash' to zero - check that this is physically done - then re-instantiate it with your new data & time.

But by looking at your code, it looks like you're trying to rewrite it twice, because the third line doesn't assign time to it, so I *think* it may resort to the default session expiry which, depending on your php.ini setup, could be 30 mins if memory serves.

My apologies if I'm wrong, but VB.net is depleting my braincells, and I'm a bit rusty at php now :)

I just thought I would offer some suggestions there.

Cheers,
MRb

penders

9:01 pm on Oct 2, 2011 (gmt 0)



The time should be updated. But I think you should be specifying a path as the 4th argument. Probably to '/' for the whole domain. If you omit the path then it's going to use the current directory, which I guess could be changing throughout your script, so you might be setting lots of different cookies for different directories with different times?!

>>I personally would reset the cookie, i.e., set the 'security_hash' to zero - check that this is physically done - then re-instantiate it with your new data & time.

You couldn't do this on each request, since this requires 2 requests. And this would enable the user to bypass any security offered by the hash in the first place. Writing the cookie with the correct value is enough - since it has probably already been established that cookies are enabled and working.

>>But by looking at your code, it looks like you're trying to rewrite it twice, because the third line doesn't assign time to it

The third line doesn't write a cookie, it simply sets a value in the $_COOKIE array. This is required when you need to access the value of the cookie (via the $_COOKIE superglobal) in the same request you are setting the cookie.
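The two points penders makes (fix the cookie path to '/', and set $_COOKIE alongside setcookie() so the value is visible in the same request), pulled together into one issue/verify pair. This is an added example, not Readie's code or anything from the thread; it assumes session_start() has already run, that $userId comes from your own login code, and it swaps the guessable hash(id . time()) for a random token.

```php
<?php
// Added example (not from the thread): issue and verify the anti-hijacking
// cookie in one place. Assumes session_start() has already been called.

const SECURITY_COOKIE = 'security_hash';
const COOKIE_LIFETIME = 3600; // seconds, same as the thread's time() + 3600

function issueSecurityHash(int $userId): string
{
    // Random token rather than util::hash($id . time()): the latter is
    // predictable to anyone who knows the user id and roughly when they logged in.
    $hash = bin2hex(random_bytes(32));

    // Path '/' so every directory of the site reads and overwrites the same
    // cookie (omitting it defaults to the current directory, as penders notes).
    // HttpOnly keeps page script from reading the token; Secure when on HTTPS.
    setcookie(SECURITY_COOKIE, $hash, time() + COOKIE_LIFETIME, '/', '',
              !empty($_SERVER['HTTPS']), true);

    // setcookie() only queues a Set-Cookie header; expose the value to this request too.
    $_COOKIE[SECURITY_COOKIE] = $hash;
    $_SESSION['user'] = ['id' => $userId, 'security_hash' => $hash];
    return $hash;
}

function verifySecurityHash(): bool
{
    $expected = $_SESSION['user']['security_hash'] ?? null;
    $given    = $_COOKIE[SECURITY_COOKIE] ?? null;

    // hash_equals() avoids leaking where the two strings differ via timing.
    if ($expected === null || $given === null || !hash_equals($expected, $given)) {
        // Mismatch: treat the session as hijacked, drop it and clear the cookie.
        $_SESSION = [];
        session_regenerate_id(true);
        setcookie(SECURITY_COOKIE, '', time() - COOKIE_LIFETIME, '/');
        return false;
    }

    // Match: rotate the token and push the expiry out another hour.
    issueSecurityHash((int) $_SESSION['user']['id']);
    return true;
}
```

Call verifySecurityHash() at the top of every authenticated request, before any output is sent, since setcookie() must run before headers go out.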

Readie

6:13 pm on Oct 3, 2011 (gmt 0)



Cheers for the response guys,

I'll try adding a path into the setcookie and see how that turns out.

And I can guarantee it is setting the cookie and updating the value at least - if it wasn't doing that the user would instantly be logged out.

Matthew1980

9:22 pm on Oct 7, 2011 (gmt 0)



@penders:

>>But I think you should be specifying a path as the 4th argument. Probably to '/' for the whole domain. If you omit the path then it's going to use the current directory....

Absolutely correct! I had a problem with a script last year that turned out to be this exact issue, the 4th parameter should be set to "/" so that the cookie is valid and accessible throughout the domain.

Hope that you've got it sussed now Readie!

Cheers,
MRb

Readie

6:00 pm on Oct 9, 2011 (gmt 0)



No longer experiencing the issue, but I did change hosting provider at the same time as adding the 4th parameter (MySQL on that host was ridiculous. < 0.1 sec load times turned to 20 sec with a mysql_connect()?) - so won't be able to say for certain what fixed it.

Either way, the issue's gone so I'm happy :)