php cookie ignoring secure flag - php

I am trying to set a cookie with false in the secure parameter but when it is sent it always says secure/true. What could be causing my cookie setting to ignore that parameter?
setcookie( 'TEST', 'Testing', 0, C_PATH, C_DOMAIN, false );
Header:
Set-Cookie: TEST=Testing; path=/;HttpOnly;Secure

You also have the HttpOnly flag set - which is not on by default in PHP either. So it might be that these are added by your web server or something else between the client and PHP. Because PHP has no way of enabling these flags by default, you always have to set them explicitly for every setcookie call.
Yet I would recommend using both of them if you use them for PHP.
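One way to check whether something downstream of PHP is adding the flags, as an added example that is not part of the original answer: compare the Set-Cookie line PHP itself queued (available from headers_list() right after setcookie() in a web request) with the line seen on the wire. The function names are hypothetical, and the "emitted" line is a constructed sample; the wire line is the one quoted in the question.

```php
<?php
// Added example: find cookie attributes that appear on the wire
// but were not in the header PHP emitted.

// Parse one Set-Cookie line into name, value and a lowercase attribute map.
function parse_set_cookie($line)
{
    $line  = preg_replace('/^Set-Cookie:\s*/i', '', trim($line));
    $parts = explode(';', $line);
    $pair  = explode('=', trim(array_shift($parts)), 2);
    $attrs = array();
    foreach ($parts as $part) {
        $part = trim($part);
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        // Flag attributes (Secure, HttpOnly) carry no value; store true.
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
    }
    return array(
        'name'  => $pair[0],
        'value' => isset($pair[1]) ? $pair[1] : '',
        'attrs' => $attrs,
    );
}

// Attribute names present on the wire but absent from what PHP emitted.
function attributes_added_downstream($phpLine, $wireLine)
{
    $php  = parse_set_cookie($phpLine);
    $wire = parse_set_cookie($wireLine);
    return array_keys(array_diff_key($wire['attrs'], $php['attrs']));
}

// Constructed sample of what headers_list() would hold after the setcookie() call.
$emitted = 'Set-Cookie: TEST=Testing; path=/';
// The header the client received, as quoted in the question.
$onWire  = 'Set-Cookie: TEST=Testing; path=/;HttpOnly;Secure';

print_r(attributes_added_downstream($emitted, $onWire));
```

A non-empty result means the difference was introduced after PHP handed the response to the web server, so the place to look is the server or proxy configuration rather than the setcookie() call.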

Related

PHP cannot read cookies from Chrome in certain cases

This issue appeared today and it seems to have something to do with webkit.
On pages that redirect via location [301/302] HTTP headers (404 error pages in this case) PHP cannot read the cookies - meaning the $_COOKIE is an empty array.
I'm aware of the webkit bug that using Set-Cookie and Location header in the same response breaks, but this is about reading not writing so it's supposed to be in the request headers.
I'm using the latest Chrome v26. On the backend I have PHP 5.3.10-1ubuntu3.6 on my home server, and the exact same on a production server (which I did not set up and it's not on default settings). On the production server I cannot read the cookies as I said before but on my home/dev server I can.
And it gets worse: On another server which runs PHP 5.3.3-7+squeeze14 I also can't read the cookies if the Content-Type header is not html, but text/plain.
I set the cookies the following way:
if (setcookie($name, $value, $expire, $path, null, isset($_SERVER['HTTPS']), $httponly))
{
    $_COOKIE[$name] = $value;
    return true;
}
return false;
$httponly is false
$path is '/'
the name consists of lowercase letters
the value consists of numbers and dashes
I can see the cookie in the Developer Tools / Resources tab and it works fine on simple html pages.
I appreciate any help.
Thanks.
Are the redirect page and the redirector page on the same domain? Maybe this is being considered an XSS attempt to steal cookies. Try sending the "Access-Control-Allow-Origin: *" header:
header("Access-Control-Allow-Origin: *" );
In my case, the problem was with session_set_cookie_params(), the parameter for the domain (the 3rd argument) was prefixed with a period ., such as ".localhost". When I removed the ., $_COOKIE variable was populated.

Cookie without Secure flag and HttpOnly flag set

Recently a scan was run on one of our applications and it returned the following 1 security threats:
1. Cookies Not Marked As Secure::Cookie without Secure flag set
2. Cookie without HttpOnly flag set::Cookie without HttpOnly flag set
$this->cache_ptr = new CACHE($_COOKIE["sess"], 0, 0);
CACHE is a user-built library that uses Sessions etc.
I am not sure about the right syntax to mark the cookie secure and set the cookie with HttpOnly flag. Also, this is a legacy application running in php 4.
Can someone please help me with this or point me to a resource?
EDIT:
I implemented Sven's recommendation. Is there a way I can test the secure functionality?
Also, since I am using PHP 4 (which will have to be updated eventually), I cannot use httponly in the setcookie function.
So does that mean I need to add the following line before the setcookie function?
header("Set-Cookie: hidden=value; httpOnly");
Will it interfere with my setcookie function?
Use setcookie(). Read about it here. Set the sixth parameter to true to make the cookie secure.
The code you are showing does not set the cookie. It might trigger setting a cookie, but essentially you must look at the CACHE class and see what's going on there.
You are looking for function calls of setcookie(), and if not found, for header('Set-Cookie...').
You'll have to change setcookie() to include all the default values for the optional parameters, until at the end you set the last two to true for secure and httponly.
Have a look at the manual: http://de1.php.net/setcookie
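For the legacy case raised in the question's edit, where setcookie() has no httponly parameter, the header can be written by hand. The following is an added example, not code from the thread or from the CACHE library; the function names and the cookie value are hypothetical, and compatibility with a particular PHP 4 build is an assumption to verify on that server.

```php
<?php
// Added example: build a Set-Cookie line by hand so HttpOnly can be sent
// where setcookie() has no httponly parameter.
function build_set_cookie($name, $value, $expire, $path, $domain, $secure, $httponly)
{
    // A name with separators or control characters would corrupt the header.
    if ($name === '' || preg_match('/[=,;\s\x00-\x1f\x7f]/', $name)) {
        return false;
    }
    // Path and domain are emitted raw, so refuse anything that could add attributes.
    if (preg_match('/[;,\s\x00-\x1f\x7f]/', $path . $domain)) {
        return false;
    }
    // Percent-encode the value so ';', CR and LF cannot inject attributes or headers.
    $line = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expire > 0) {
        $line .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '') {
        $line .= '; path=' . $path;
    }
    if ($domain !== '') {
        $line .= '; domain=' . $domain;
    }
    if ($secure) {
        $line .= '; Secure';
    }
    if ($httponly) {
        $line .= '; HttpOnly';
    }
    return $line;
}

function send_cookie($line)
{
    if ($line === false || headers_sent()) {
        return false;
    }
    // false = append. The default (replace) would discard Set-Cookie headers
    // already queued, including those written by setcookie().
    header($line, false);
    return true;
}

// Constructed sample: "sess" is the cookie name from the question; the value is a placeholder.
// Secure is hard-coded on the assumption that the site is served over HTTPS only.
$line = build_set_cookie('sess', 'placeholder-session-id', 0, '/', '', true, true);
send_cookie($line);
echo $line, "\n";
```

To test the Secure flag, load the site once over HTTPS and once over plain HTTP and compare the Cookie: request headers: the browser should send the cookie only on the HTTPS request.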

set php session on only www.website.tld and www.apps.website.tld

I only want the session cookie on www.website.tld and www.apps.website.tld, using ini_set if possible. Also I need to set all cookies I write to both subdomains only. I do not want www.imgs.website.tld to have the cookies. The PHP session one I'm kinda unsure of. For the cookies I set myself, my idea was to call SetBothCookie($name,$value,$time), a custom function.
function SetBothCookie($name,$value,$time)
{
    setcookie($name, $value, $time, "", "www.website.tld", 1);
    setcookie($name, $value, $time, "", "www.apps.website.tld", 1);
}
So I think I have the SetBothCookie part down, but wanted to see what others think of that code. The part I'm stuck on is having PHP set the session cookie on both subdomains. I'm using session_set_save_handler to override the default PHP session storage to store sessions in the database, so both servers can use the same session data. My understanding is that if I put JavaScript that does HTTP requests on www.apps.website.tld to www.website.tld, it won't allow them to happen, and I want that added security, so that's my reason for running only a part of the site on a subdomain.
This function should work but...
Using secure parameter in set_cookie() according to PHP manual:
"Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"])."
So I suggest to remove 6th parameter of set_cookie() function.
Also, you can call this function before any output or it will throw a warning like
Warning: Cannot modify header information - headers already sent by (output started at ...) in ... on line XX
Using session_set_save_handler() is good solution to take control over session variables.
If you want cookies for entire domain just use "/" or ".website.tld" (with initial dot according to RFC 2109 standard) for domain parameter (5th in a row). Parameter path should be "" (empty string; 4th).

Can't change cookie value (php)

I'm setting a cookie like so:
setcookie ('myletter', "a", time()+60*60*24*1000, "/", ".me.com" );
Then I want to change the value so I do:
$_COOKIE['myletter'] = "b";
But the old value remains. I also tried using setcookie again; that failed too:
setcookie ('myletter', "b", time()+60*60*24*1000, "/", ".me.com" );
Is there a reliable way I can actually change the value of an existing cookie?
Fire up a tool like Fiddler that lets you see the HTML traffic between your browser and your test web server. Then look for Set-Cookie: on the response from the PHP script that sets the cookie, and then look for Cookie: in the following request. The fastest way for you to get it working is to understand cookies in terms of HTTP requests, which is summed up, though not for PHP, here - the concept is the same.

Overwrite cookie failed PHP & ASP cross subdomain

I have a problem overwriting a cookie value across subdomains: a website running ASP at www.domain.com and a mobile site running PHP at m.domain.com share the same cookie.
The cookie is created on www.domain.com via ASP as follows:
Response.Cookies("cookie_name")="value1"
Response.Cookies("cookie_name").Expires=DateAdd("m", 1, Date())
Response.Cookies("cookie_name").Domain = ".domain.com"
Response.Cookies("cookie_name").Path = "/"
Response.Cookies("cookie_name").Secure = false
When I tried to overwrite the value in PHP (m.domain.com) as follows:
setcookie("cookie_name",'value2',time()+60*60*24*30, "/", ".domain.com",false);
The execution returns true, but when I check the cookie the value wasn't changed; it is still "value1".
I also tried to set it via header:
header("Set-Cookie: cookie_name=value2; path=/; domain=.domain.com; expires=".gmstrftime("%A, %d-%b-%Y %H:%M:%S GMT",time()+60*60*24*30));
But still no effect. Any ideas? Big thanks.
Finally I made it work:
header("Set-Cookie: cookie_name=value2; expires=".gmstrftime("%A, %d-%b-%Y %H:%M:%S GMT",time()+60*60*24*30)."; path=/; domain=domain.com");
Note the domain part (no dot). Hope this helps others.
PHP and JavaScript sometimes can't work together as well, so I recognise the problem.
I don't know how much you depend on JavaScript, but you could use it to set the cookie values (echo-ing "document.cookie = "=;expires=;path="; ").
It's dirty but at least there will be one common divider to worry about; not two.....
