My Codeigniter's sessions used the default value
$config['cookie_domain'] = "";
But now I need to be able to use CodeIgniter's sessions from domain.com on
subdomain1.domain.com
subdomain2.domain.com
So I saw in the codeigniter manual that you can set
$config['cookie_domain'] = ".domain.com";
And the extra dot will make all the ci_sessions shared by the domain and subdomains. This works perfect!
However, it is impossible to log back in the system after changing cookie_domain from "" to ".domain.com" unless I manually delete the cookie ci_session in the chrome settings.
I can't ask all the users to delete their cookies so I need to find a way. I tried all of this:
delete_cookie('ci_session');
setcookie('ci_session', '', time()-3600);
$this->session->sess_destroy();
unset($this->session->userdata);
$this->session->unset_userdata( <array with all the session keys> )
foreach ($_COOKIE as $key=>$cookie)
setcookie($key, '', time() - 9999999);
Some useful info maybe, sess_expiration is set to 2 weeks, this is why I tried a huge number in the setcookie function:
$config['sess_expiration'] = 1209600; // 2 weeks
Also, after all these commands to make the cookie expired. Chrome still says that the ci_session cookie expires in 2 weeks. It's as if it was completely oblivious to the function setcookie
Change your current $config[sess_cookie_name] from ci_session - to something else like new_cookie
Then the browser will look for the new_cookie name, which wont exist - and thus force a new cookie on all your users
Related
I have:
mydomain.com (which is the portal of the game, global setting and stuff)
game.mydomain.com (which is the the actual game)
The problem is that I want to set a cookie that is available globally, on game.mydomain.net, mydomain.net (and whatever subdomain i'm going to create in the future).
I've been trying to set the cookie from another subdomain as I've read that subdomains can set cookies to parent domains but not vice versa (which is wierd and I guess I've read it wrong). Whatever, so I've done another account.mydomain.com (from which I'm making an ajax call form mydomain.net so the user can authenticate) and I'm using
setcookie('session', $value, time() + 2592000 (one month), '/', '.tribul.net');
Then, return the success message and refresh the main page on mydomain.net so it can read the new cookie value.. problem is, there's no cookie set. I've also been trying to set the cookie from mydomain.com (as .tribul.net) so it can be avaialable on all subdomains but it's available only on the main domain. What's wrong?
I need to connect all subdomains and the domain to the same cookie, TO BE NOTICED, I am setting the cookie in a backend file named process.php (placed in account.domain.com) as result of an ajax request.
Try this setcookie('session', $value, time() + 2592000 , '', '.tribul.net');
In php.ini:
session.cookie_path = /
session.cookie_domain = ".mydomain.com"
Set Cookie:
setcookie('session', $value, time() + 2592000, '/', 'mydomain.com');
I used Klaus Hartl's jquery cookie plugin in order to use my problem since I haven't been able to set up a global cookie from the ajax backend.
I'm using the codeigniter with xampp on a windows 7 PC.
I'm trying to use codeigniter's built in cookies, but I can't seem to get my cookies to set/stay. I know that the cookie code is going off, it's just not actually saving.
Here's the cookie code:
$this->input->set_cookie('userID', $userID, time()+259200, 'http://localhost', '/');
After running this and on every page, I've included print_r($_COOKIE); to see any/all cookies that are being set, but nothing shows up.
Is there something I've missed?
According to the docs:
The expiration is set in seconds, which will be added to the current
time. Do not include the time, but rather only the number of seconds
from now that you wish the cookie to be valid. If the expiration is
set to zero the cookie will only last as long as the browser is open.
So your code should be like this:
$this->input->set_cookie('userID', $userID, 259200);
Also i recommend you to set domain name and cookie path in the config file.
Here's the solution for anyone else that runs into this problem:
Cookies cannot be created on localhost, you'll need to use http://127.0.0.1 instead.
Go into CI's application/config/config.php and change any references to localhost you might have and change them instead to http://127.0.0.1 and do the same for the cookies. Set the following variables as well:
$config['cookie_domain'] = "127.0.0.1";
$config['cookie_path'] = "/";
Then to store the cookie: $this->input->set_cookie('userID', $userID, 259200);
Previously i was creating additional cookie "rememberme" with unique hash, that was stored in the database, mapped to the user id.
If user had such cookie - website tried to find it's value in database, and if it was found session was setting up.
Later, developing new project i thought that it is maybe not very secure to generate this unique hash by myself, and keeping two cookies (native "PHPSESSID" + my "rememberme") for one operation (user identification) is overkill.
Maybe there is a way to setup not global session lifetime, but to setup it individually for different user sessions... or maybe it is better to keep user sessions in the database, mapped to the userid?
UPDATE 1
I thought if it is so hard to make "remember me" button, we can go another way - to make "Not my computer button". Idea is to set default cookie_lifetime for a week in php.ini (for example), and if user checkes this checkbox - we will set cookie_lifetime into zero using session_set_cookie_params function.
So, 1st question is - will session_set_cookie_params affect other users cookies (in documentation it is said, that session_set_cookie_params options will have effect until php process will be executing)
2d question is that if session_set_cookie_params is not affecting global settings, will session regeneration affect users, that don't want to keep a long-life cookie?
UPDATE 2: [Question 1 answer]
Just tested session_set_cookie_params function.
I wrote a script, that sets session cookie lifetime into zero using session_set_cookie_params and then executing for 30 seconds:
if ($_GET['test']) {
session_set_cookie_params (0);
while (true) {
sleep(1);
}
}
session_start();
So, in first browser i just started this script with ?test=1 parameter, just after that (while this script was executing) i started this script without parameters in the second browser. The answer is no - second browser's cookie was not affected. It had lifetime, that was specified in php.ini
UPDATE 3: [Question 2 answer]
Then, i've tried to check if regeneration affects session cookie lifetime, that was set by session_set_cookie_params.
Yes, it affects. If i set session cookie with customized lifetime, that was set by session_set_cookie_params, and then call session_regenerate_id(), cookie will have lifetime, set in php.ini
But, if we set session_set_cookie_params (0) before calling session_regenerate_id(), our cookie will have correct lifetime.
So, that's it! That was easy! 8)
Thank you, ladies and gentlemen!
If you want to do this only using sessions you can do the following if the user wants to be remembered:
if((isset($_POST['remember_me']) && $_POST['remember_me']) || ($_COOKIE['remember_me']) && $_COOKIE['remember_me'])) {
// store these cookies in an other directory to make sure they don't
// get deleted by the garbage collector when starting a "non-remeber-me"-session
$remember_me_dir = ini_get('session.save_path') . DS . "remember_me_sessions";
// create the directory if it doesn't exist
if (!is_dir($remember_me_dir)) {
mkdir($remember_me_dir);
}
// set the php.ini-directive (temporarily)
ini_set('session.save_path', $remember_me_dir);
// define lifetime of the cookie on client side
$expire_cookie = 60 * 60 * 24 * 30; // in seconds
session_set_cookie_params($expire_cookie);
// lifetime of the cookie on server side
// session file gets deleted after this timespan
// add a few seconds to make sure the browser deletes
// the cookie first.
$garbage_in = $expire_cookie + 600; // in seconds
// set the php-ini directive for the garbage collector of the session files.
ini_set('session.gc_maxlifetime', $garbage_in);
// send an additional cookie to keep track of the users
// which checked the 'remember_me' checkbox
setcookie('remember_me', 1, time() + $expire_cookie);
}
// now we are ready to start the session
// For all the users which didn't choose to check the 'remember_me' box
// the default settings in php.ini are used.
session_start();
Here you can read more about the session related php.ini-directives
As it was so hard to make "remember me" checkbox functionality, i came to another way, using only one cookie.
PREPARATION
1) I've prepared a form with three inputs:
"login" input [type=text]: user's login
"password" input [type=password]: user's password
"not my computer" input [type=checkbox]: that will tell us to use session cookie with lifetime = 0 (cookie must be deleted when browser will be closed)
2) I've set session.cookie_lifetime = 100500 to keep long-life cookies by default.
COOKIE SETUP
So, after user submits the form, we check - if he has selected to use short sessions - we call session_set_cookie_params(0) before setting session cookie to him (before actually using session_start()).
COOKIE REGENERATION
Then, when we need to regenerate session cookie, we can also do this easily with session_regenerate_id() function.
But we need to remember, that this function will re-set session cookie lifetime from php.ini by default.
So, we need also to call session_set_cookie_params() before regenerating a cookie.
BTW, You can store custom session cookie lifetime in $_SESSION.
It will look like this:
// Form handling, session setup
if ($_POST['not-my-computer']) {
session_set_cookie_params(0);
session_start();
$_SESSION['expires'] = 0;
}
// Session regeneration
if (isset($_SESSION['expires'])) {
session_set_cookie_params(0);
session_regenerate_id();
}
Details for this answer (and more deep explanations) you can find in the question text (while i was testing, i added answers/tests results there)
EDITED, look at the end
I got a Symfony 1.2 project, that was running on two domains (different app used on each domain) : www.mywebsite.com and abonnement.mywebsite.com
I had two different cookie name/domain in each app.
We decided to use the same cookie for both apps. So, i edited the config for both apps and set the cookie_domain to .mywebsite.com, and setted the cookie_name to mywebsite_cookie in boths apps.
The problem is that when I visit abonnement.mywebsite.com, the old cookie is used. Manually deleting this cookie in my browser fixes the problem, but there are thousands of users on this website and I'm wondering if there's a solution to manually delete this cookie.
I tried :
if (isset($_COOKIE['abonnement_cookie'])) {
ini_set('session.cookie_domain', 'abonnement.mywebsite.com);
setcookie('abonnement_cookie', '', time() - 3600, '/');
$this->redirect('#internet_etape_1');
}
But no success.
Is there a way to do it?
I'm using Firefox 9.0.1
Thanks!
Edit:
I found the problem, cookie was created with "host" and not "domain".
To use the current host, you need to specify '' as domain :
setcookie('abonnement_cookie', 0, time() - 3600, '/', '');
Hope this helps!
You need to match the domain and path that which was used to create the cookie when destroying the cookie. This is because as you have discovered, it is possible to have a cookie with the same name and different scopes for the same domain. When destroying the cookie, you must match the scope that was used to create it, so the client knows which one to destroy.
Try:
setcookie('abonnement_cookie', '', time() - 3600, '/', 'abonnement.mywebsite.com');
OK, I'm stumped, and have been staring at this for hours.
I'm setting a cookie at /access/login.php with the following code:
setcookie('username', $username, time() + 604800, '/');
When I try to logout, which is located at /access/logout.php (and rewritten to /access/logout), the cookie won't seem to unset. I've tried the following:
setcookie('username', false, time()-3600, '/');
setcookie('username', '', time()-3600, '/');
setcookie('username', '', 1, '/');
I've also tried to directly hit /access/logout.php, but it's not working.
Nothing shows up in the php logs.
Any suggestions? I'm not sure if I'm missing something, or what's going on, but it's been hours of staring at this code and trying to debug.
How are you determining if it unset? Keep in mind that setcookie() won't remove it from the $_COOKIE superglobal of the current script, so if you call setcookie() to unset it and then immediatly print_r($_COOKIE);, it will still show up until you refresh the page.
Try pasting javascript:alert(document.cookie); in your browser to verify you don't have multiple cookies saved. Clear all cookies for the domain you're working on to make to sure you're starting fresh. Also ini_set(E_ALL); to make sure you're not missing any notices.
Seems to be a server issue. My last domain was pretty relaxed on PHP error handling while the new domain shows every error. I'm using both sites side by side and the old one removes the cookie as it should.
Is there perhaps a timezone issue here? Have you tried setting using something farther in the past, like time() - (3600*24)? PHP's documentation says that the internal implementation for deleting cookies uses a timestamp of one year in the past.
Also, you should be able to use just setcookie('username', false); without passing an expiration timestamp, since that argument is optional. Maybe including it is confusing PHP somehow?
How you use cookies data in your application?
If you read the cookies and check if username is not false or not '', then setting it to false or '' will be sufficient, since your application will ignore the cookies value.
You better put some security in cookies value, to prevent user change it's value. You can take a look of CodeIgniter session library, see how CI protect the cookies value using hash. Unauthorized value change will detected and the cookies will be deleted.
Also, CI do this to kill the cookies:
// Kill the cookie
setcookie(
$this->cookie_name,
addslashes(serialize(array())),
(time() - 31500000),
$this->cookie_path,
$this->cookie_domain,
0
);
You can delete cookies from javascript as well. Check here http://www.php.net/manual/en/function.setcookie.php#96599
A simple and convenient way, is to use this additional functions:
function getCookie($name) {
if (!isset($_COOKIE[$name])) return false;
if ($_COOKIE[$name]=='null') $_COOKIE[$name]=false;
return $_COOKIE[$name];
}
function removeCookie($name) {
unset($_COOKIE[$name]);
setcookie($name, "null");
}
removing a cookie is simple:
removeCookie('MyCookie');
....
echo getCookie('MyCookie');
I had a similar issue.
I found that, for whatever reason, echoing something out of logout.php made it actually delete the cookie:
echo '{}';
setcookie('username', '', time()-3600, '/');
I had the same issue; I log out (and I'm logged out), manually reload the index.php and then I'm logged in again. Then when I log out, I'm properly logged out.
The log out is a simple link (index.php?task=logout). The task removes the user from the session, and "deletes" (set value '' and set expiry in the past) the cookie, but index.php will read the user's auth token from the cookie just after this (or all) task (as with normal operations). Which will reload the user. After the page is loaded the browser will show no cookie for the auth token. So I suspect the cookie gets written after page finish loading.
My simple solution was to not read the cookie if the task was set to logout.
use sessions for authentication, don't use raw cookies
http://www.php.net/manual/en/book.session.php