I have the following PHP function:
function validateUser($username){
session_regenerate_id ();
$_SESSION['valid'] = 1;
$_SESSION['username'] = $username;
setcookie('username2',$username,time()+60*60*24*365);
header("Location: ../new.php");
}
And then I fetch the cookie:
echo $_COOKIE['username2']; exit();
(I only put exit() for debugging purposes)
Only problem, it's coming out blank. Any ideas?
UPDATE:
This is how the function is called:
if(mysql_num_rows($queryreg) != 0){
$row = mysql_fetch_array($queryreg,MYSQL_ASSOC);
$hash = hash('sha256', $row['salt'] . hash('sha256', $password));
if($hash == $row['password']) {
if($row['confirm'] == 1){
if(isset($remember)){
setcookie('username',$username,time()+60*60*24*365);
setcookie('password',$password,time()+60*60*24*365);
} else {
setcookie('username','',time()-3600);
setcookie('password','',time()-3600);
}
validateUser($username);
I didn't include all the if() statements to save some space.
try adding the path = /, so that the cookie works for the whole site not just the current directory (that has caught me out before)
example
setcookie('password',$password,time()+60*60*24*365, '/');
also make sure the cookie is the first thing being output
as advised in the php manual (this has caught me out before too)
Like other headers, cookies must be sent before any output from your
script (this is a protocol restriction).
Why you are having this problem
The problem comes from the fact that setcookie() doesn't set the cookies immediately, it sends the headers so the browser sets the cookies. This means that, for the current page load, setcookie() will no generate any $_COOKIE.
When the browser later on requests a page, it sends the cookies in the headers so the PHP can retrieve them in the form of $_COOKIE.
Simple, old solution
About solutions, the obvious one:
setcookie('username',$username,time()+60*60*24*365);
// 'Force' the cookie to exists
$_COOKIE['username'] = $username;
A better solution
I created a class, Cookie, that addresses the problems that setcookie() and $_COOKIE share:
// Class that abstracts both the $_COOKIE and setcookie()
class Cookie
{
// The array that stores the cookie
protected $data = array();
// Expiration time from now
protected $expire;
// Domain for the website
protected $domain;
// Default expiration is 28 days (28 * 3600 * 24 = 2419200).
// Parameters:
// $cookie: $_COOKIE variable
// $expire: expiration time for the cookie in seconds
// $domain: domain for the application `example.com`, `test.com`
public function __construct($cookie, $expire = 2419200, $domain = null)
{
// Set up the data of this cookie
$this->data = $cookie;
$this->expire = $expire;
if ($domain)
$this->domain = $domain;
else
{
$this->domain =
isset($_SERVER['HTTP_X_FORWARDED_HOST']) ?
$_SERVER['HTTP_X_FORWARDED_HOST'] :
isset($_SERVER['HTTP_HOST']) ?
$_SERVER['HTTP_HOST'] :
$_SERVER['SERVER_NAME'];
}
}
public function __get($name)
{
return (isset($this->data[$name])) ?
$this->data[$name] :
"";
}
public function __set($name, $value = null)
{
// Check whether the headers are already sent or not
if (headers_sent())
throw new Exception("Can't change cookie " . $name . " after sending headers.");
// Delete the cookie
if (!$value)
{
setcookie($name, null, time() - 10, '/', '.' . $this->domain, false, true);
unset($this->data[$name]);
unset($_COOKIE[$name]);
}
else
{
// Set the actual cookie
setcookie($name, $value, time() + $this->expire, '/', $this->domain, false, true);
$this->data[$name] = $value;
$_COOKIE[$name] = $value;
}
}
}
Then you can use it like this:
$Cookie = new Cookie($_COOKIE);
$User = $Cookie->user;
$LastVisit = $Cookie->last;
$Cookie->last = time();
And of course, you have to pass it around. Much better than having globals.
Here is the general syntax of setcookie
setcookie(name,value,expire,path,domain,secure);
Look at third argument, if you do not set it the script will take it to current working directory. So if you set a cookie without setting path at a.com/b/setcookie.php the cookie will not be available to a.com/checkcookie.php. What you are doing is setting cookie in a subfolder and the redirecting to a parent folder, look at ../, where it is not available hence the issue. How to avoid this? Normal procedure is to supply a path that is /, in your case supply / as fourth param. The fifth argument for your cookie will set it secure. http://www.php.net/setcookie has more explanation. This should fix your problem. Setting domain path to domain.com, will make the cookie available to everything under domain.com but not to something.domain.com. Set domain value to .domain.com, look at the dot preceding domain.com, will make it available across anything.domain.com. HTH!
Thought I would add another possible reason why a cookie may not be either setting or showing random functional behavior.
The following case may be applicable to some programmers having what appears to be an illusive cookie setting issue as a result of the incorrect usage of header_remove()
If you try to set a cookie before calling header_remove(), the cookie will never be created because you have also immediately destroyed the header that was set in order to create the cookie before it was buffered out to the client.
You may find when fiddling around that your cookie suddenly works for an unknown reason, so you need to understand the race-conditions around headers:
On first run you set a cookie and don't call header_remove() at all.
On a second run you do call header_remove()
You will find your cookie is now always set regardless of condition (2) and the number of times it is called because (1) happened first at least once.
The cookie will remain set until it either expires, is overwritten or unset()
The same will apply when modifying headers like a cookie value before the eventual call of header_remove(), you again will fail to set new values because they will be wiped before the response is buffered out to the user.
You need to set cookies and any other headers for that matter after a header_remove() not before.
Use header_remove() to cleanup ALL previously set headers in order to set new headers for a final output.
An example of scenario for such a case may be as follows:
Use header_remove() to alter a hierarchy of HTTP Response codes for a RESTFUL API where you are using axios with interceptors.
Your application sets a 400+ header error first, should the application error out at any point of execution.
Modify the header to a 200 when final desired execution point has been reached & a valid response is expected.
In such an event, it is likely you want to preserve all other previously set headers but clear out the HTTP Status (400?) code in order to set a new (200?) code for the final response.
If you try to set the header again in order to change the status code before removing the previously set header then you will get the "Headers already sent" error.
You can remove specific headers with header_remove, here is how to unset the status code and set a new code in stages:
// Set a default status code
http_response_code(500);
// Boot Logic runs - if fails here 500 is returned
// Authentication Logic - If unauthorized ?
header_remove('HTTP/1.0'); // Clear previous 500
http_response_code(401); // Set new status code
// else ?
// Return Data Logic - Success
header_remove('HTTP/1.0'); // Clear previous 500
http_response_code(200) // Set new status code
This requires that you place calls to this function prior to any output, including and tags as well as any whitespace.
this is how the structure looks
<?php
$cookie_name = "user";
$cookie_value = "Ahmed Moftah";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
?>
<?php
if(!isset($_COOKIE[$cookie_name])) {
echo "Cookie named '" . $cookie_name . "' is not set!";
} else {
echo "Cookie '" . $cookie_name . "' is set!<br>";
echo "Value is: " . $_COOKIE[$cookie_name];
}
?>
<html>
<body>
</body>
</html>
It might be a cache problem. Try closing the browser and opening a new one with the localhost file path. I had the same issue and my page was cached so the cookies weren't working, even though I could put in new code and see a change on the page. Very weird... Cleaning your cache might help, try that first. Then try a new browser, then try to go to your localhost:8080 index and hit refresh to see when the last page was modified.
If that doesn't fix it, try restarting LAAMP or XAAMP or whatever you are using.
This happens with the session cookies are disabled.
You can navigate to your php.ini file(changes depending on server. Ubuntu 20.04's default is /etc/php/{X.x}/{apache2|[others]}/php.ini) and ensure that session.use_cookies=1
Restart your server and then try to set the cookie. They should immediately be available.
You probably have sent header hereby making it impossible to set header for cookie.
It might be a simple solution of ob_start() at the start of your page.
[Solution tested in XAMPP for PHP 8.0.19]
I modified the file php.ini and set session.auto_start=1. Keep in mind that i'm calling session_set_cookie_params([param => value]) just before session_start() every time this functions appears in my code, in every file.
session.auto_star: Initialize session on request startup.
http://php.net/session.auto-start
Still studying and analysing the reason and functionality of this, it was kind of a serendipity.
Probably not the most secure solution.
You can't get the $_COOKIE on the same request but you can get $_SESSION on the same request.
So the idea is
Set the $username in both the session & cookie.
Get the username from the session for the first time (if the same request)
Unset session
Always get the cookie from $_COOKIE from next request.
// Set Cookie
setcookie('username',$username,time()+60*60*24*365);
$_SESSION['username'] = $username;
//GET Cookies
if(!$_COOKIE['username']){
$username = $_SESSION['username'];
unset($_SESSION['username']);
}else{
$username = $_COOKIE['username'];
}
I am new to php. I am facing problem with sessions. I mean, after I get logged in and I click on any link in the website , its immediately getting logged out. Not sure why.
In chrome console: I entered as : document.cookie , it showing me "", then I got to understand that cookie is somehow getting deleted immediately or some other issue.
This problem exists for below 2 websites.
We have a websites like :
www.mysite.site1.com/folder1
www.mysite.site2.com/folder2
Below is my code of MySite.com/folder1
function MySession() {
$params = session_get_cookie_params();
session_set_cookie_params($params['lifetime'], '/v/folder1');
session_start();
}
function clear()
{
$_SESSION=array();
session_destroy();
}
Below is my code of MySite.com/folder2
function MySession() {
$params = session_get_cookie_params();
session_set_cookie_params($params['lifetime'], '/v/folder2');
session_start();
}
function clear()
{
$_SESSION=array();
session_destroy();
}
Setting the domain for cookies in session_set_cookie_params() only affects the domain used for the session cookie .
So to make all your cookies be available across all sub-domains of your site you need to set your cookies on root domain.
when setting the path that the cookie is valid for, always remember to have that trailing '/'.
CORRECT:
session_set_cookie_params (0, '/yourpath/');
INCORRECT:
session_set_cookie_params (0, '/yourpath');
mysite.site1.com is your base url.
when you switched from www.mysite.site1.com/folder1
to
www.mysite.site2.com/folder2
you'll surely be logged out.
Well, I am able to find out answer for my query:
since in my case I have 2 folders ie., www.mysite.com/folder1 && www.mysite.com/folder2 , then we MUST keep session_name('folder1') for 'folder1' and session_name('folder2') for 'folder2' , otherwise both folders share the same session ID and so user gets logged in automatically in folder2 (assuming if he already got loggedin folder1)
function Session() {
session_name('FOLDER_SID');
session_start();
}
Regarding more info about session_name, here: http://stackoverflow.com/a/7551430/4956785
I can't figure out why I can't remove a cookie or it's value:
I have simple log in script, when user enters correct login details, this is
setcookie('logged', $admin['username'], time()+60*60*24*365);
Also, session_start() is present on all pages.
When I want to log off a user, the following happens:
if($page=='logoff') {
setcookie('logged', "", time() - 3600);
unset($_COOKIE['logged']); // tried also this
session_destroy();
$_SESSION=null;
header("Location: index.php"); // if this is removed, the code below acts like there's no $_COOKIE['logged'] or it's empty (until refresh)
}
Once it gets redirected to index.php the $_COOKIE['logged'] is back with the old value, like something would set it again (nothing does for sure, I even removed the one and only login cookie set line)
I couldn't find a solution in similar questions. Tested in chrome and IE.
You can't "unset" a cookie. "Expire" it by setting it to a value in the past:
<?php
// set the expiration date to one hour ago
setcookie("logged", "", time() - 3600);
?>
http://www.w3schools.com/php/php_cookies.asp
I have a problem with the cookies.
I have created a simple cookie and tried to echo it on my server.
setcookie('user', 'John', time() + 4800);
echo $_COOKIE['user'];
I also checked the value using the function var_dump() and the result is NULL.
I do not understand why :-(
Note that you cannot set a cookie in PHP and hope to retrieve the cookie immediately in that same script session. It will be available on the next request.
This doesn't mean that the cookie has not been sent, it just means you can't test it in the same script run.
Of course, before that, make sure that your cookies are turned on.
if(!isset($_COOKIE['user'])) {
setcookie('user', 'John', time() + 4800, '/');
// set the cookie with the fourth parameter with root
// so that its sitewide
} else {
echo $_COOKIE['user'];
}
So I have this code on my index.php:
<?php if(isset($_POST['cookie'])) { setcookie("RememberMe", "Yes", time()+1209600); } ?>
If the user has checked the remember me box then it will set a cookie with the name RememberMe for 2 weeks. This part works fine.
Now the issue I'm having is deleting this cookie when they press logout.
On pressing logout, they get redirected to logout.php which has the following code:
<?php include_once('config.php');
include_once('functions.php');
unset($_COOKIE['RememberMe']);
setcookie("RememberMe", "", time()-3600);
$_SESSION = array(); session_destroy();
?>
<meta http-equiv="refresh" content="0;../index.php">
but for some strange reason that won't delete the cookie? Any ideas as to why?
You may want to check if the path the cookie is set at is correct. By default PHP sets the cookie path to the directory it's set in and it will not be available (nor possible to delete) from different locations.
Few more tips:
there is no need to unset $_COOKIE and $_SESSION
instead of redirecting using a meta tag redirect with HTTP headers:
header('Location: /index.php'); // or whatever is the path you want to redirect to
Not the cleanest but
Check the time zone is correct
Ensure you are nuking the correct cookie( case sensitive )
Failing all of they over writing the cookie will nuke it anyway
So...
Setcookie('mycookie') // nukes the cookie with a blank entry
Cookie cancelations can sometimes require the same time value as they were set.
setcookie("RememberMe", "", time()-1209600);
remove this line
unset($_COOKIE['RememberMe']);