Basic queries about cookies - php

This might be a silly question, but I am learning web development and have reached cookies now. I read about cookies and got a basic understanding of cookies and how to create and retrieve them. What I do not understand is:
Do we need to create a cookie for each webpage? For example, in my website I have 5 pages, so should I place the cookie only in the index page and set the path "/" so it will work for all the pages?
To store the information retrieved via cookie for further analysis, should I create a database to store each cookie's data?

Do we need to create a cookie for each webpage? For example, in my website I have 5 pages, so should I place the cookie only in the index page and set the path "/" so it will work for all the pages?
No need to create multiple cookies. You can access the same cookie across your webpages if you set it at the root.
To store the information retrieved via cookie for further analysis, should I create a database to store each cookie's data?
Why? It will be stored on the user's machine. And why do you want to store it in a database? All the user's information will be available in your same database.

The path variable on a cookie simply marks access.
Your assumption about only setting "/" is correct if you want that cookie visible throughout all your pages.
If you want to restrict access to that cookie, say to an admin page, then setting the path to /admin would be fine here.
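The two scopes from the answer above, as an added example (not code from the original post); cookie names and values are constructed, and the array-options form of setcookie() needs PHP 7.3 or later:

```php
<?php
// Both setcookie() calls must run before any output is sent.

// Site-wide: path "/" makes the cookie visible to every page on the host.
setcookie('site_pref', 'dark', [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,       // sent only over HTTPS
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',      // not attached to most cross-site requests
]);

// Scoped: path "/admin" means the browser sends it only for /admin and below.
// The browser enforces path per request, but any page on the host can still
// set a cookie with path "/admin", so the path is scoping, not access control;
// keep authorization decisions on the server side.
setcookie('admin_view', 'compact', [
    'expires'  => 0,          // session cookie, discarded when the browser closes
    'path'     => '/admin',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

// Reading back: $_COOKIE is populated on the *next* request, not this one.
$pref = $_COOKIE['site_pref'] ?? 'light';
```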

Related

Store Temporary Variables Using PHP?

Okay, on my website, I have a lot of embedded pages for Twitch. Below all the embeds, I also have an authorization flow so that people can log into Twitch and click a follow button.
Normally, the flow would start at mydomain.com/channel/name, and at the end of the flow they would be returned to mydomain.com/auth. Originally, I had it so that the start URL would be stored in browser session storage using JavaScript; then, when they reach the final auth endpoint, I would use JavaScript to pull the session storage and relocate them back to the original URL.
This has been working great... however, one of the features I have on my website is the ability to use custom canonical URLs to proxy to their channel on my website. So someone could use theirdomain.com to proxy to mydomain.com/channel/them.
This created an issue with the session storage, since session storage follows cross-domain restrictions. They would start at theirdomain.com and end at mydomain.com/auth. Since the domains don't match, I can't access the session storage to forward them back to the original URL.
I am using PHP, so I'm wondering what would be the best way to get around this. I figure that instead of storing the start URL in session storage, I can save it using AJAX to temporary storage using PHP, linked to their IP addresses. However, I don't know how to do this.
Does PHP have some sort of temporary storage system with a definable TTL? One that also works across multiple domains? (It would be the same server.)
If the request is proxied to the same application, then the session is accessible; it's just the session identifier (which is stored in a cookie, hence the cross-domain issue) which is causing the problem.
What you can do is pass the session identifier from one domain over the transition to the other domain as part of a GET request, so when you do the leap from theirdomain.com to example.com, do it with a link formatted as http://example.com/blah/?session_id=[session_id_from_cookie] (ideally using https).
Then on example.com grab the session_id and use that to set the session_id in the cookie for that domain, and it will load the session from the source domain.
This can be used for session hijacking, but so can having your session_id in a cookie, so it's generally OK to do, though using https endpoints will improve security.
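A variant of the handoff above, as an added example that is not from the original answer: instead of exposing the raw session id in the URL, a random one-time token with a TTL carries the return URL across the domain boundary, which also answers the asker's "temporary storage with a definable TTL" question. It assumes both hostnames are served by the same PHP application and that a JSON file in the temp directory (path assumed) is an acceptable store.

```php
<?php
const HANDOFF_TTL   = 300;                                  // seconds a token stays valid
const HANDOFF_STORE = '/tmp/handoff.json';                  // assumed path; use APCu/Redis in production

function load_store(): array {
    $raw  = @file_get_contents(HANDOFF_STORE);
    $data = $raw === false ? [] : (json_decode($raw, true) ?: []);
    // purge expired entries on every access
    return array_filter($data, fn($e) => $e['expires'] > time());
}

function save_store(array $data): void {
    file_put_contents(HANDOFF_STORE, json_encode($data), LOCK_EX);
}

// Called on theirdomain.com (proxied to this app) before redirecting into the auth flow.
function issue_handoff(string $returnUrl): string {
    $token = bin2hex(random_bytes(32));                     // unguessable and single use
    $data  = load_store();
    $data[$token] = ['url' => $returnUrl, 'expires' => time() + HANDOFF_TTL];
    save_store($data);
    return $token;
}

// Called on mydomain.com/auth?handoff=TOKEN. Returns the return URL, or null if the
// token is unknown, expired, already used, or points somewhere we do not proxy for.
function redeem_handoff(string $token, array $allowedHosts): ?string {
    if (!ctype_xdigit($token)) return null;
    $data = load_store();
    if (!isset($data[$token])) return null;
    $url = $data[$token]['url'];
    unset($data[$token]);                                   // one-time use
    save_store($data);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    // open-redirect guard: only send users back to hosts on the allowlist
    if ($scheme !== 'https' || !in_array($host, $allowedHosts, true)) return null;
    return $url;
}

// Usage on the start page:  $t = issue_handoff('https://theirdomain.com/');
// Usage on /auth:
//   $url = redeem_handoff($_GET['handoff'] ?? '', ['theirdomain.com', 'mydomain.com']);
//   if ($url !== null) { header('Location: ' . $url); exit; }
```

Because the token only maps to a return URL, a leaked URL cannot be replayed to take over a session the way a leaked session id can.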

What happens if session name is same on two different websites?

I have two different projects on my XAMPP, say Project1 and Project2.
When I log in with Project1, I check authentication and, if it is successful, store a session. The session name is $_SESSION['username'].
The above process is the same with Project2.
Now, to prevent direct access, I use this code (in both projects):
session_start(); // $_SESSION is only populated after the session is started
if (empty($_SESSION['username'])) { // empty() also avoids an undefined-index notice
    header("Location: index.php");
    exit; // stop here, otherwise the rest of the protected page is still rendered
}
So when I log in with Project1, I can also access Project2 (without login).
To prevent this, I know that if I create different session names for both projects then it is solved.
The above is on my local server, so I can create different session names for all my projects.
But suppose my site is online; what happens if my session name matches a different site's?
There are millions of websites, and there is a possibility that my session name matches another website's session name. Then it might happen that some user accesses my website along with another website (in the same browser) and he might access my site without login.
So what happens if the session name is the same for two different websites? Can a user access my website without login?
If yes, then what should I do to prevent it?
Thanks in advance.
UPDATE
According to #Let me see's answer, there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is sharing; then what should I do to prevent it?
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
So suppose the server is sharing; then what should I do to prevent it?
To answer your follow-up question: you can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1'); // must be called before session_start()
session_start();
This one-liner should do it.
Normally the session ID is stored in a cookie; it is related to the hostname and can be shared by multiple hostnames having the same domain. And as it is obvious that sessions are stored on the server, there is a possibility that if two sites are running on the same server then they may share the data. Therefore you should always change the path for storing the sessions on the server for every different website.
PHP sessions are stored on the server, so there won't be any clash between the same session names when you go live. Remember, you still have the option to store your session in a database, which helps you with more security.
Nothing will happen, because the other site uses its own database (with its own session and user tables). It would only matter if two sites shared the same database, the same tables and the same session handling.
A user cannot access it without logging in, for the following reason:
The session data is stored on the server. If two applications are running on the same server and the same domain name, then there is a possibility for them to share session data. Otherwise there are no conflicts with session values if the domains are different.
I think if we use a security algorithm like MD5 to encrypt the session name which you'll be using to log in, that will work without problem. For example:
session_start(); // required before $_SESSION can be written
$name_session = 'username';
$name_session = md5(md5(md5($name_session))); // the original was missing a closing parenthesis
$_SESSION[$name_session] = "username_logged";

use same php session on another website on link click

I have a question. Let's say I am on website domain1.com and I click on a link on domain1.com that brings me to domain2.com. But I want to use the same session_id() that was set with session_start() on domain1.com on domain2.com. How do I accomplish this in PHP?
Thank you.
As the session_id() itself doesn't contain any data, there are a couple of things to consider:
If the session is set in a cookie, you can't transfer it (unless to a subdomain); make sure you transfer it via GET.
In order to have the data associated with the SESSION synced across the servers, you have to share the file system (e.g. via GlusterFS), at least for the path where the SESSIONS are saved (e.g. /tmp/php).
If you save objects in the SESSION, make sure they are available on both servers.
If both domains point to the same document root on the same server, you only need to take care of the first point.
If you only want to use the session_id() and not the associated data, you can just set the id: session_id('yourSessionIdFromDomain1')
Maybe you can use a MySQL database which you can access from both sites...
Like:
Table _sessions -> Fields('access_token','session_vars')
In session_vars you can save $_SESSION each time a site loads.
access_token should be a unique string which is generated when the user comes to the website first.
This is very dangerous!! 11 :-)

Cookie limit on the site's individual pages

So I know browsers limit the cookie number to something like 200... or whatever (the idea is that there is a limit).
I need to mark a site's page as viewed by the current visitor, so I'm setting a cookie viewed=true.
How can I set a cookie only for a certain page? I know it's possible, I've seen sites doing this...
Let's say I have 10.000 pages and a visitor views them all. Would browsers complain if there are like 10.000 cookies set on his computer, one for each of these pages? Is there a cookie limit for the entire site too (all pages together)?
Better explanation of what I want:
Cookies can be set as global (for the entire site, visible on all pages) or local (for a certain page only).
How can I set a local cookie? For example, a cookie that's only accessible from site.com/?page=blablawhatever
Does the cookie number browser limit take into consideration all local cookies too, or just the cookies for the current site page?
I think the ideal way would be to set a user ID cookie and, like the others said, store any information tied to that user in your database.
You can set a session cookie and store the viewed pages on the server,
instead of using cookies (which are on the user's end).
When a user goes to one of your pages, save to the database that he/she went there.
Before the database save, check if the user was already there before, and if that is true then don't save it to the database.

How to achieve session management purpose like google in PHP?

I mean you can log in to both https://mail.google.com/ and https://mail.google.com/a/company.com at the same time.
The projects I've attended so far haven't involved this kind of logic; how can these two URLs under the same domain use different $_SESSION?
I think there is no built-in session management feature in PHP for this.
You can use variable-specific management in the session.
For example:
One login from https://mail.google.com/: store all its session data in $_SESSION['gmail'][X], $_SESSION['gmail'][Y], $_SESSION['gmail'][Z].
And then when another user logs in from https://mail.google.com/a/company.com, store all its session data in $_SESSION['company'][X], $_SESSION['company'][Y], $_SESSION['company'][Z].
So by this, you can separate those two sessions from each other.
Those two URLs share the same domain; only the subfolders are different. Usually with PHP, the cookie which saves the session id is valid for the whole domain and not only a specific subfolder. So there should be no problem using the session data with the same domain.
Maulik Vora's answer will work, but another way to do it is to configure PHP to use URL-based session ID passing. That way every tab or window has a separate session. See this page for information on how to do it, and why you may or may not want to. Here's the docs for it.
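The per-account namespacing from the first answer, worked into a small helper as an added example (not code from the original answers): one PHP session cookie for the whole host, with each account's login state kept under its own key so both URLs can be signed in at once. The hostnames, the path pattern and the function names are assumptions.

```php
<?php
session_start();

// Derive the account namespace from the request path:
//   "/a/company.com/inbox" -> "a:company.com", anything else -> "default"
function account_namespace(string $path): string {
    if (preg_match('#^/a/([a-z0-9.-]+)(/|$)#i', $path, $m)) {
        return 'a:' . strtolower($m[1]);
    }
    return 'default';
}

function ns_login(string $ns, string $user): void {
    // New session id on every privilege change, so a pre-set id cannot be reused
    session_regenerate_id(true);
    $_SESSION['accounts'][$ns] = ['user' => $user, 'login_at' => time()];
}

function ns_user(string $ns): ?string {
    return $_SESSION['accounts'][$ns]['user'] ?? null;
}

function ns_logout(string $ns): void {
    unset($_SESSION['accounts'][$ns]);      // other accounts stay logged in
}

// Usage in a request handler: resolve the namespace, then gate the page on it.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?? '/';
$ns   = account_namespace($path);
if (ns_user($ns) === null) {
    header('Location: /login?account=' . rawurlencode($ns));
    exit;
}
```

Because everything lives in one server-side session, a logout of one namespace does not touch the other, and the session cookie itself never needs to carry which account is meant.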
