PHP Website Cookie - php

I started learning PHP a couple of weeks ago, and now I would like to create (even a simpler version would be acceptable for me) a website such as:
www.cookiebot.com/en/start
cookie-checker.com
So I would like to create a form where the user can type the domain for which she/he would like to know which cookies are sent/used on that website, whether they are third-party cookies or not, and so on.
On the Internet I have found several different answers to this question: some people told me it is not possible to get such cookies, others told me it is possible but they have not been able to explain it to me, and so on.
So my question is: can somebody explain to me theoretically how a website like that one works?
Does PHP have a function to get cookies or cookies information from the website and let the developer read the cookies at least to know what kind of cookie it is?
Or maybe is there any way to read the cookies stored on my computer when I visit a website?
Thank you very much!

No.
The browser explicitly saves cookies on a per-domain and even per-directory basis. When the server sets a cookie, it can specify within limitations whether a cookie is valid for subdomains or not and what path it should be valid for. However, cookies cannot be set cross-domain or read cross-domain. The browser will not send cookies back to other servers, and client-side JavaScript has no access to cookies from other domains either.
In short, you cannot have a website which has access to cookies set by some other website. And that is a good thing. Otherwise security would be nonexistent on the web.
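
How the per-domain and per-path scoping described in the answer above decides which cookies accompany a request, as an added example that is not part of the original answer. It follows the domain-match and path-match rules of RFC 6265 plus the Secure attribute, leaves out SameSite and public-suffix checks, and every host name and cookie value in it is constructed:

```javascript
// Added example: simplified RFC 6265 cookie selection (no SameSite, no public-suffix list).

// Section 5.1.3: a host-only cookie needs an exact host match; a cookie set
// with a Domain attribute also matches subdomains of that domain.
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (host === domain) return true;
  if (cookie.hostOnly) return false;
  // Suffix matching applies to host names only, never to IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Section 5.1.4: the cookie path must be a prefix ending on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Build the Cookie header a browser would attach to a request for `url`.
function cookieHeaderFor(url, jar) {
  const u = new URL(url);
  return jar
    .filter((c) => domainMatches(u.hostname, c))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === 'https:') // Secure: HTTPS only
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed cookie jar: what one browser profile might hold after visiting
// two unrelated sites (all names and values are made up).
const jar = [
  { name: 'PHPSESSID', value: 'abc123', domain: 'somedomain.com', hostOnly: true, path: '/', secure: true },
  { name: 'prefs', value: 'dark', domain: 'somedomain.com', hostOnly: false, path: '/', secure: false },
  { name: 'cart', value: '42', domain: 'shop.somedomain.com', hostOnly: true, path: '/checkout', secure: false },
  { name: 'track', value: 'xyz', domain: 'anotherdomain.com', hostOnly: true, path: '/', secure: false },
];

for (const url of ['https://somedomain.com/login', 'https://anotherdomain.com/']) {
  console.log(url, '->', cookieHeaderFor(url, jar) || '(no cookies)');
}
```

A server only ever sees the header built for its own host, which is why `$_COOKIE` in PHP never contains another site's cookies.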

Related

Is it possible to determine which cookies are set by a third-party homepage in a php environment?

Is it possible to read the cookies that are sent by a third-party homepage using php?
Concretely, I want to find out if a page using GTM also sets .ga cookies.
I was thinking of a "virtual browser" solution on the server, is that possible / is anybody experienced with that?
Thanks!
No, because PHP runs on the server and gets only the cookies of that domain.
Cookies are stored on the client (browser). PHP is executed on the other side. The cookies are stored in the browser and the browser sends the cookie values along with the HTTP request to the server.
Therefore, the PHP process only gets to see the cookies of that domain.
And if you think of it, everything else would be a security flaw because every site could read for example secrets of sessions that are open on another site!

Is it possible to read 3rd party cookies

I'm familiar with reading cookies using PHP, but I was wondering if there is a way you can read a user's browser cookies set by another 3rd party site (i.e. not your own).
Could something like this be written to view all of the user's set cookies?
print_r($_COOKIE);
No, it's impossible.
You can only read cookies that come from your own domain. The other cookies are not even sent to your server.
If you could read every cookie the user has, you would be able to obtain personal information such as their Facebook password, connection to their bank etc.
It would be a serious breach of privacy, and as such, browsers do not send cookies except those from the same domain.
No
When you visit a website, your web browser requests information from that domain (somedomain.com), and that third-party domain is allowed to set a cookie. Each domain can only read the cookie it created, so there is no way anotherdomain.com could access the cookie created by somedomain.com.
To read a cookie you must match the domain that the cookie was originally created under. Browsers consider this a security principle and will not let a site access any cookies that they did not create.
Note that there are several other security considerations that could potentially circumvent this rule, such as DNSMasq in combination with spoofed browser certificates. This is why DNSSec (and SOPA) were such a hot issue; the security hole DNSSec plugs will also protect your cookies from getting stolen from your cookie jar.
There are real-world examples of security holes that have leaked in the past. See here for an example of an even different security vulnerability from 2008.
No, this is not possible, because the browser only sends the cookies that were set by your domain; usually, they are attached to the header of the HTTP request if previously set by the domain.
Third-party cookies are those cookies that are set by another domain in the context of the target domain. For example, while opening example.com it might have a banner from another website (example2.com); in this case, if example2.com sets a cookie, it can't be read by example.com because they are from different origins, and the browser prevents even scripts from accessing it.
No, of course not. Otherwise your website would know my bank's login cookie, and you'd be able to steal all my money. Cookies are only available to the domain that set them.

PHP, Sessions, Cookies - something is happening that doesn't allow some users to log in?

We have about 100 users accessing our website daily. A majority of them have no issues logging in. However, once a month we get a call or email ticket with complaints that users just see the login page refresh, with no error messages or anything.
All error messages are sent through the PHP Session cookie, and of course everything after logging in is based off of that session. The only reason I could think that the page just refreshes HAS to be because they are blocking that session cookie on their local machine...
Now most often the user is on Internet Explorer, but occasionally it even happens with Chrome or Firefox. I've even had a user (on OSX) who tried Safari, Chrome, FF - and it would NEVER let them log in, the page would just basically refresh. I had the user add the website as trusted, and still no luck.
It's the worst because I cannot reproduce it from any network or from any browser/computer, ever.
Does anyone know what could be causing something like this? The site IS forcing SSL (the HTACCESS file redirects to HTTPS). The site IS forcing the session cookie as HTTP-Only and the Secure flag is also set to TRUE (and these 2 are somewhat recent changes).
I'm unsure what other settings on the server or the PHP instance would be causing something like this, or if it's solely a client-side issue (which it appears to be). And if it's client side, I'd like to learn the issue and possible solutions to it.
To preempt everyone, no - I cannot share the website URL for debugging because the client would not appreciate that, unfortunately. Thanks for any help, I'll be happy to answer any question that I can!
Do you have more than one web server behind a load balancer? And are the PHP sessions stored locally on each web server? If so it is the load balancer's job to make sure a user keeps going back to the same server on repeated accesses. If something goes wrong, they could get sent to a server where they do not have a session. It could be some intermittent glitch sending users to the wrong server.
Just guessing, because as others noted, we don't really have enough info.
Does your session cookie have a valid name? I've run into this problem in the past where some browsers don't accept a session cookie if it has an invalid name, but other browsers do accept them;
http://php.net/manual/en/function.session-name.php

Will a browser session continue if you switch networks?

I have an application that requires the user to log in. If I log in at home on one network, then go somewhere else, like the library down the street, and switch networks, will the session continue?
In my question this is about Flash SWF embedded in an HTML page requesting a PHP page for login.
Also, it would be helpful to know how this behavior is the same with HTML requests. I mean, if Flash uses the browser to send requests, then the result is the same for SWF applications and HTML applications, correct?
Most web requests with Flash are made via the browser and so follow the same rules in terms of what cookies are sent, etc. (the exception is the old file uploader, for which you had to hardcode it into the URL).
If your sessions are created via the standard PHP session module and you have enabled cookies (i.e. session.use_cookies ini setting), the browser will keep sending the session cookie until you close it.
If you have implemented IP address checks (which you shouldn't, but that's a personal thing), it might be possible for a session to get invalidated based on IP changes which are very likely to happen when you switch networks.
I think the question as it's asked is overly simplifying things.
The only sort of "session" that the browser is aware of is the concept of a session cookie. This is a snippet of information stored against a domain which will expire when you close the browser.
PHP sessions are implemented on top of session cookies, so until you close the browser you are in the same session, even if your IP address changes.
I don't know if Flash has its own concept of sessions at all. If not then whether your session expires depends on exactly how the flash application is coded.
I hope this clarifies things.

PHP: working with external cookies

I have a php application that pulls in pages from a separate domain via iframes. These pages are using cookies.
I've noticed some browsers have a default set that blocks any external cookies. This is going to cause quite a problem for me.
I've heard mention of P3P but can't find much mention about how to implement it with cookies.
Any help most appreciated,
Jonesy
It would be extremely bad if you could access an external site's cookies just by embedding it in an iframe. Just imagine if you were able to access facebook.com's session cookie just by embedding it.
Just to clarify what Maerlyn is saying - what you're describing is impossible. The website can only access cookies from its own domain. When you go to facebook.com, your Facebook cookies are sent to that domain. When you go to Google, your Facebook cookies are NOT sent there. There is no way for Google to look at your Facebook cookies. Even if it uses iframes. Period. This is a security feature.
So, I suggest you look at other ways to design your software system. For example, if the website you're embedding has an API, I'd use that. Or do a back-end service synchronization to pull in user information. In any case, you need the consent of the other service / other domain to do this.
