PHP Image - Get parent pages source? - php

I'm planning on creating a responsive PHP image that retrieves just the username of the currently logged-in user on a small forum. It's just going to help people on the forum see who last viewed the topic.
Using a PHP image, you can gather lots of information, but I need to find out what user is logged in and viewing the page.
I can't access any of the site's cookies, so I would like to grab the HTML source from the page that loaded the image, from a specific part that would hold the logged-in user's username.
Is there any way to grab any of the source code from the page that loads the image? I can use file_get_open() on the HTTP_REFERER session variable, but that wouldn't have any of the cookies or session variables.

If the original page is PHP, on the same server and using the same session, then those are the original page's too. But that's not always the case.
Say you got redirected from another website (you could check the referrer) or from another engine; say the page you came from is on the same server and same domain, but a different engine like .NET: then your session wouldn't be the same, but the cookies might.
But then again, if, like Cake, the cookies are protected (or mangled), then you will be able to access them, but you won't be able to decipher their content.
Depending on how the previous page set up the cookies, you could even read them if they came from the same domain (i.e. a.domain.org/ble.html -> b.domain.org/image.php). But it is not safe to assume.
See:
http://php.net/manual/en/session.security.php
http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies
Note: Sometimes you can't even trust HTTP_REFERER and REMOTE_ADDR; they can be spoofed easily.
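For the case the answer describes (image script and forum page served by the same PHP application, sharing one session), here is an added example of the image script; it is not code from the original post. It assumes the forum keeps the name in $_SESSION['username'], that the <img> tag passes the topic id as ?topic=, and it uses a hypothetical recordLastViewer() for storage.

```php
<?php
// Added example, not code from the original post: image.php served by the same
// PHP application as the forum page. session_start() resumes the viewer's own
// session, so neither HTTP_REFERER nor the referring page's HTML is needed.
declare(strict_types=1);

session_start();

// Assumption: the forum stores the logged-in user's name in $_SESSION['username'].
$username = $_SESSION['username'] ?? 'guest';

// Assumption: the <img> tag passes the topic id, e.g. <img src="image.php?topic=42">.
$topicId = filter_input(INPUT_GET, 'topic', FILTER_VALIDATE_INT);
if ($topicId === false || $topicId === null) {
    http_response_code(400);
    exit;
}

// Hypothetical persistence function; the forum's own storage goes here.
function recordLastViewer(int $topicId, string $username): void
{
    // e.g. UPDATE topics SET last_viewer = :u WHERE id = :t
}
recordLastViewer($topicId, $username);

// Per-user output: forbid caching so one user's name is never served to another.
header('Content-Type: image/png');
header('Cache-Control: no-store, private');

$img = imagecreatetruecolor(220, 20);
$bg  = imagecolorallocate($img, 255, 255, 255);
$fg  = imagecolorallocate($img, 0, 0, 0);
imagefill($img, 0, 0, $bg);
// The drawn text comes only from the server-side session, never from the request.
imagestring($img, 3, 4, 4, 'Viewing: ' . $username, $fg);
imagepng($img);
imagedestroy($img);
```

Requires the GD extension; if the image is embedded from a different host, the browser may not send the forum's session cookie and the script will only ever see 'guest'.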

If you check the manual, you will see that for $_SERVER['HTTP_COOKIE']:
It contains the raw value of the 'Cookie' header sent by the user agent.
and for $_COOKIE:
The value of $_COOKIE is determined by the content of cookies received in the user agent's request.
You can see $_SESSION for the session variables.

Related

How should I generate a unique session for every browser window in PHP? Is setting the session with a manual sessid more secure?

I have a page to register users' information for request submitting. I want to save the information entered by the user in each window individually, in a dedicated session for each browser window.
I searched Google and Stack Overflow but did not get a good result.
How should I generate a unique session for every browser window in PHP? Is setting the session with a manual sessid more secure?
Since sessions (session cookies) are shared among all instances of the same browser, they won't help you. You will need to create unique URLs, so each window/tab can visit a truly different page. E.g.:
http://example.com/foo.php?id=abcdef123456789
Whether you treat this as unique page identifiers or as transporting the session id in the URL is up to you and what exactly you need this for.
Beware that an id transported this way is easily shared, possibly accidentally. It shows up in the browser history and can easily be copied and pasted elsewhere.

User doesn't accept Cookies - login PHP

In my login code on my website, if the password & username are correct, I set a cookie to keep the user logged in.
I just heard from a user that he doesn't accept cookies automatically through his browser, and that that prevents him from logging in. That is, the cookie is not set.
Is there an easy way to counter that?
Tell me if you need the code I use.
It is possible to get this to work but often a real pain if you're using complex javascript/ajax.
In short, instead of storing the session id in a cookie, you embed it at the end of every link.
so
http://example.com/somepage.php
becomes
http://example.com/somepage.php?SessionId=ABC123
Unfortunately, while PHP can do this for you in some cases, it doesn't help with links you build yourself in JavaScript, and it only takes clicking a single link without the id to effectively log the user out.
See this page for more information
As mentioned by Quentin in the comments, if you're not using a cookie to identify the browser which created the session, it's possible that sharing a link would share the session. This could be mitigated but not prevented by checking IP address/user agent, but this would likely fail in large corporate environments with NAT and standard browsers.

Unique user signature

I need to be able to detect if a user has already visited a particular page.
I can set a cookie at their initial visit. I can also store some environment data, such as IP, browser, OS, perhaps even language, and create some string, like an MD5 hash, to compare against the current visitor's environment.
Is there another method I should consider?
I work with PHP.
This isn't well defined enough for me to understand why just using cookies wouldn't satisfy this problem. A cookie has a domain and path that you can set on the server for each page they visit. As they visit each page you can look at those two settings to figure out if they have the cookie set on their browser or not, and hence whether they have visited the page. You really don't have to get any more sophisticated than that if all you want to know is whether they visited the page before now.

How Does Website Access Control Actually Work?

I am just starting to learn about web development and something has been niggling me for a while now: how a website controls what you can and cannot access.
For example, a website like Facebook. When I first go to the site, it presents a login form; once I am logged in, the same page that I tried to access before now shows information relevant to me that I could only access once logged in. I can navigate to a different site and then come back to Google and it still allows me to use it without logging on again.
How exactly would a site block someone trying to access a particular page when they are not logged in, let's say the page viewProfile.php? How does the website know who to allow access to this page?
I realise this question may seem confusing and elementary, but it's just something that came to me whilst viewing Facebook.
Thanks.
This is a very simple concept called sessions.
When you visit Facebook, it reads unique information sent to it via the connection such as IP address, browser, and some other minor information; when this information is combined it creates a unique identifier.
This unique identifier is then stored in a file like so:
d131dd02c5e6eec4693d9a0698aff95c.session
So when you log in with your credentials, their application adds information into this file such as last activity etc.
When you go away and come back, Facebook will then read the information that's sent with every request; it then adds it all together and creates a unique hash. If this hash exists within its storage system it will open it up and read the contents, and know exactly who you are.
All this is combined with cookies: the unique hash is sent back to the browser and stored in your cookies folder, and this cookie file is sent back to Facebook with every request.
PHP handles this for you internally, so it's pretty basic to get it up and running: http://php.net/manual/en/features.sessions.php
Here's an example that may help you understand the concept a little more.
<?php
/*
 * session_start() generates that hash and sends a cookie to the browser.
 * This has to come first, as cookie headers can only be sent before any content.
 */
session_start();
/*
 * Anything stored within $_SESSION is what has been read from the session file.
 * We check whether the value has already been set, i.e. whether this is the
 * user's first visit to the site.
 */
if (!isset($_SESSION['hits']))
{
    $_SESSION['hits'] = 0;
}
/*
 * Now we increment the value every time the page is loaded.
 */
$_SESSION['hits']++;
/*
 * Now we display the number of times the user has loaded the page.
 */
echo 'You have visited this site <strong>' . $_SESSION['hits'] . '</strong> times.';
?>
If you load this page and then hit F5, the session value gets incremented on every request, so you should see something like:
You have visited this site 1 times.
You have visited this site 2 times.
You have visited this site 3 times.
You have visited this site 4 times.
...
The session file is unique to each person visiting, meaning that when using the session variable in PHP it applies to that user only, so everyone gets their own individual session.
As you're researching, it's good to search Stack Overflow for certain tags, such as PHP and sessions.
https://stackoverflow.com/questions/tagged/php+session
Here's a good question in regards to cookies and sessions advantages etc.
Purpose Of PHP Sessions and Cookies and Their Differences
A website uses something called a "cookie" to store information on your computer.
This information can hold any text string, but in this case it is probably a unique ID that Facebook knows (probably stored in a database somewhere) is tied to a certain user. Cookies can only be read by the website that sent them and by the browser itself.
The login page sends a POST/GET request to a script that generally checks the username/password combo against data in a database. If the data is found to be valid, then the user is granted access to the website's landing page (the page after login) and a cookie is stored. If it is not, they are sent back with an error message.
Cookies can also have a "lifespan". This lifespan can be anything: for a certain amount of seconds; until you leave the site; until you close your browser; or forever (there are probably more.)
The website that sent a cookie can also delete a cookie before it expires. This is how most "logout" buttons work.
To allow only logged-in users to view content, you can first check for a sign that they are logged in, such as looking for an active session that has a flag which tells you they're logged in (which you control). In PHP, at the top of a page, you can simply:
<?php
session_start();
if (!isset($_SESSION['loggedin'])) {
    header('Location: http://example.com/login.php');
    exit; // stop here; header() alone does not prevent the rest of the page from being sent
}
?>
which will redirect non-logged-in users to a login page. Upon successful login, you should set $_SESSION['loggedin'] to a value.
To check whether a person who is logged in is allowed to view a particular profile comes down to looking up whether the page is restricted to friends only, and if so, checking that the logged-in user's id is in the profile owner's friend field in the DB.
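The loggedin-flag check from this answer, completed with a login handler and a logout, as an added example (not the answer's own code). The user lookup findPasswordHash() is hypothetical and holds one constructed sample user; a real site reads the stored password hash from its users table.

```php
<?php
// Added example, not code from the original answer: the login flag check above,
// completed with a login handler and a logout. User lookup is hypothetical.
declare(strict_types=1);

session_start();

// Hypothetical lookup; a real site reads the password hash from its users table.
function findPasswordHash(string $username): ?string
{
    // Constructed sample user; the hash is created with password_hash() at registration.
    $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

// login.php: verify the credentials, then mark this session as logged in.
function handleLogin(string $username, string $password): bool
{
    $hash = findPasswordHash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh session id on login so an id obtained before authentication is useless.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['user_id']  = $username;
    return true;
}

// Top of every protected page (e.g. viewProfile.php).
function requireLogin(): void
{
    if (empty($_SESSION['loggedin'])) {
        header('Location: /login.php');
        // header() does not stop the script; without exit the protected content
        // below it would still be sent along with the redirect.
        exit;
    }
}

// logout.php: clear the server-side data and expire the cookie, as described above.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```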
It is done with cookies. When you log in, the site puts a cookie into your browser for a set amount of time (generally a very long time so that you can stay logged in). When you access the site again, your browser sends the cookie back to the site (and the site sets a fresh cookie). In any browser, you can find the list of cookies somewhere in the options.
If you want to know more about cookies, you can read the Wikipedia article: http://en.wikipedia.org/wiki/HTTP_cookie
Do a Google search for "Session Management."
Summary
When you log in to a site you get a unique id. That id pulls your data from the database and then populates a dynamic page, like viewProfile.php, with your data. So each user pulls the same file, viewProfile.php, but gets different results based on their unique id.

When to use URL/session/cookie variables?

I do a lot of PHP and JavaScript, but I think this is a relatively language-agnostic question. Are there any best practices for when to use each of:
URL variables
SESSION variables
cookies
I understand the inherent limitations of what some of them can't do, but it seems like their use can overlap sometimes, too, and those instances are what I'm really asking about.
EDIT
Just to clarify: I'm pretty familiar with the technicalities of which method is stored where, and which the client/server can access. What I am looking for is something a little higher-level, like "temporary user settings should live in cookies, data state info should live on the server, etc..."
Thanks!
In general:
Use URL (GET) parameters for sending simple request parameters to the server, eg. a search query or the page number in a product listing.
Use session variables, as the name indicates, to store temporary data associated with a specific user session, eg. a logged-in user's ID or a non-persistent shopping cart.
Avoid using cookies when possible. Use them sparingly to store settings that are tied to a particular computer / user profile, eg. a setting such as "remember my user ID on this computer".
Sessions are stored on the server, which means clients do not have access to the information you store about them. Session data, being stored on your server, does not need to be transmitted in full with each page; clients just need to send an ID and the data is loaded from the server.
On the other hand, cookies are stored on the client. They can be made durable for a long time and would allow you to work more smoothly when you have a cluster of web servers. However, unlike sessions, data stored in cookies is transmitted in full with each page request. You should use cookies if you need longer logged-in sessions.
URL variables (GET) are open and can be seen by the user. They are also useful as they allow the user to bookmark the page and share the link.
PHP embeds the session id directly into URLs when cookies are disabled. Then, the session id becomes a value accessible through an HTTP GET variable.
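The two transports for the session id discussed here and in the cookie-less login answer above, side by side, as an added example (not from either answer): the URL fallback PHP offers when cookies are off, and the cookie-only setting. The function name and its boolean switch are assumptions for the example.

```php
<?php
// Added example, not code from the original answers: the two ways PHP can carry the
// session id. URL transport (the fallback for cookie-less browsers) versus the
// cookie-only setting, chosen by $allowUrlSessionId, a name assumed here.
declare(strict_types=1);

function configureSessionTransport(bool $allowUrlSessionId): void
{
    if ($allowUrlSessionId) {
        // Cookie-less mode: PHP appends ?PHPSESSID=... to links it rewrites.
        // The id then sits in browser history and in any pasted link, so a
        // shared URL shares the login (the risk noted in the answers above).
        ini_set('session.use_only_cookies', '0');
        ini_set('session.use_trans_sid', '1');
    } else {
        // Cookie-only mode: an id arriving in the query string is ignored.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
    }
    // In both modes refuse ids the server never issued, so a session id
    // chosen by someone else cannot be adopted by the server.
    ini_set('session.use_strict_mode', '1');
    // Cookie attributes when a cookie is used: HTTPS only, hidden from JavaScript,
    // not sent on cross-site navigation.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

configureSessionTransport(false);
```

These ini settings must be applied before session_start(), as the function does; session_set_cookie_params() with an options array needs PHP 7.3 or newer.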
