expiration time of cookies - php

These are the YouTube cookies in my browser:
f2=8000000&f3=800&f1=50000000&fv=11.1.102
How can I find out which part is the expiration time?
And is it possible to have an endless cookie expiration time?

I think your question can be answered in three different ways depending on what you're exactly asking.
1) The expiration time is not set in the cookie itself, but during the request that the server sends to your browser to save the cookie. If you want to change one of your current cookies to not expire for a very long time, say in 25 years, you would need to check how your browser saves cookies and how to modify them. Google Chrome and Firefox both provide plugins to do this.
2) However, since you reference PHP in your tags, I believe you're asking how to set a cookie to have an expiration date very far in advance using PHP. You would do this with the setcookie() function. For example, you could do something like
setcookie('name_of_cookie', 'value_of_cookie', time()+60*60*24*365*25);
which would set a cookie with your values to expire in 25 years.
3) If you want to change a YouTube cookie, or any cookie really, that doesn't belong to your website/domain, you really can't. Most modern web browsers will not allow you to update a cookie from a different domain, to help prevent cross site requests. In other words, you can't change what you don't own.

The browser should respect the expiry time the website demands for cookies, but if you are implementing this in PHP, you don't have to care about it.
f2=8000000&f3=800&f1=50000000&fv=11.1.102
There are 4 cookies here (f2, f3, f1 and fv) and no expiration info.
You only have to assign them using curl_setopt:
curl_setopt($ch, CURLOPT_COOKIE, "f2=8000000; f3=800; f1=50000000; fv=11.1.102");
As long as you always set them, they are cookies with an endless expiry time.

Related

how to keep alive php sessions for login on live server? [duplicate]

How can I keep the user's session active, even if they accidentally closed their browser. Like in Facebook for example.
If you log in to their site and you close the tab or the browser, when you open a browser again and visit Facebook, they will automatically detect the active user and will not redirect you to the log in page.
How do I do that?
There are two relevant settings that control a session's lifetime.
The first is session.cookie_lifetime. This is the lifetime of the cookie, which by default is 0, which means the cookie is destroyed when the browser is closed. You can set a longer lifetime by increasing this variable. It is relative to the server time, so you need to account for differences in the time in your clients' machine and your server's. Assuming they were the same, setting the option to e.g. 3600 would mean the session would expire in an hour. If you want to keep the session alive for a very long time, you increase this number.
However, changing this value is not enough. There's also session.gc_maxlifetime, which is the time after which the session data is seen as garbage in the storage and is destroyed. This differs from session.cookie_lifetime because this option checks the last access time of the session data, so it is relative to the time the session data was last used (i.e. when the user was last active). Even if you set your session.cookie_lifetime to a high value, it'll not be enough because session.gc_maxlifetime is usually relatively low (1440 is the default, which is only 24 minutes).
While you can set both of these settings to relatively high values and have it working, I would recommend against doing so, as this will leave a lot of unnecessary session data hanging around in your session storage, due to the GC not collecting actual dead sessions (which also increases the chance of someone hijacking a session in a system that is not properly secured).
A better approach is making a remember me cookie. Basically you assign the user's ID and some authentication token that you store in the database for each user (this is to prevent someone spoofing the cookie) in the cookie, and give it a long lifetime. In your application's initialization code you'll check if the user is logged in. If he/she is not logged in, you'll check if the remember me cookie is set. If it is, you pull the user from the database based on the user ID in the cookie, and then validate that the authentication token in the db is the same one as in the cookie. If they match, you simply create the session and log the user in automatically.
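The remember-me flow described in the answer above, as an added example that is not part of the original answer. The table layout, cookie name and 30-day lifetime are assumptions; it stores a SHA-256 hash of the token rather than the token itself (a hardening step beyond what the answer describes), needs PHP 7.3+ for the setcookie() options array, and expects session_start() to have been called already.

```php
<?php
// Assumed (hypothetical) table:
//   CREATE TABLE remember_tokens (user_id INTEGER, token_hash TEXT, expires_at INTEGER);
const REMEMBER_TTL = 60 * 60 * 24 * 30; // 30 days, an assumed lifetime

// Call after a successful password login with "remember me" ticked.
function issueRememberCookie(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32)); // unguessable random token
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    // Only the hash is stored, so a leaked table cannot be replayed as cookies.
    $stmt->execute([$userId, hash('sha256', $token), time() + REMEMBER_TTL]);
    setcookie('remember_me', $userId . ':' . $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Call in the application's initialization code, after session_start().
function loginFromRememberCookie(PDO $db): bool
{
    if (!empty($_SESSION['user_id'])) {
        return true; // already logged in
    }
    $raw = $_COOKIE['remember_me'] ?? '';
    $parts = is_string($raw) ? explode(':', $raw, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // missing or malformed cookie
    }
    [$userId, $token] = $parts;
    $stmt = $db->prepare(
        'SELECT token_hash FROM remember_tokens WHERE user_id = ? AND expires_at > ?'
    );
    $stmt->execute([(int) $userId, time()]); // expiry is judged by the server clock
    $candidate = hash('sha256', $token);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $candidate)) { // constant-time comparison
            session_regenerate_id(true);
            $_SESSION['user_id'] = (int) $userId;
            return true;
        }
    }
    return false;
}
```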
For anyone that comes across this same issue: keeping the session cookie set for a long time is easy. On the login form, when you are creating the session for the first time, use this code. It will set the cookie time to a year (use your own time as needed).
// Keep the session cookie in the browser for one year
ini_set('session.cookie_lifetime', 60 * 60 * 24 * 365);
// Keep the server-side session data for one year as well
ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 365);
session_start();
That should set the PHPSESSID cookie and your session will be safe... but it is not the most secure way, so use it if you don't mind security issues.
By default, PHP keeps a user's session open until their browser is closed. You can override that behaviour by changing the session.cookie_lifetime INI setting:
http://www.php.net/manual/en/session.configuration.php
However, please see rekot's post for a full answer.
You should use cookies: http://php.net/manual/en/function.setcookie.php
Just store there some unique value that will help you identify the user.
Anyway, I strongly recommend using some kind of framework, like CodeIgniter or Zend Framework, unless you're just learning how it works. It is easy to make critical mistakes in such code and most frameworks are already well tested and safe to use.

Persistent cookie vs Temporary cookie

I am new to PHP. I came across cookies and persistent cookies and I understand the difference between them. My question is: how can I make a cookie persistent or temporary? I found only one syntax for cookies:
<?php
setcookie("user", "Alex Porter", time()+3600);
?>
Thanks
Physically speaking, there is only one kind of cookie. You can make it persistent by choosing a large enough expiration time. If the expiration time is set to 0, the cookie will last only until your page is opened in the browser.
Your example cookie is persistent; it expires in one hour.
Here is a link with a short explanation.
Most likely you can hardly access the physical cookie on your hard disk, because browsers store them in their internal logic. For example, Firefox stores cookies in a local SQLite database file in the browser's profile folder.
When creating a cookie, the 3rd argument (time()+3600 in your example) specifies the cookie's expiry date.
time()+3600 means now+3600 seconds, which is 1 hour in the future. The time() function returns the current time (Unix time) in seconds.
There is no such thing as a really permanent cookie, more like a cookie expiring far in the future.

PHP session expires immediately when client's clock is set in the future

I have developed this PHP web application which is now running for some months. Suddenly one of the users complained that he was able to login, but the session was terminated as soon as he clicked on any button! The same problem happened on different browsers.
After some tests I realized that a brand new session ID was created every time the user clicked on any button, probably because the original session was expired.
For whatever reason I took a glance at the user's computer clock and... surprise! His clock was 3 months in the future! I didn't know if such thing could have any relation to the failure, but I did fix the clock. Still it didn't work. I erased all cookies. Still nothing. So I restarted the browser - and then it started working again!
The closest information I got about this issue was Shimon Amit's answer to this question. Good, now I know that the clock "misconfiguration" is the cause. The problem is... I cannot keep every customer's computer clock under control. Some of them may have their computer clocks set in the future.
My question: is there any solution for this? Any trick? I don't want customers to face such errors as they may find it "lame" and lose their trust in the application, even though it's not really my fault (in a sense).
Session cookies (like all cookies) are controlled and deleted when expired by the client browser. Even if you set a far out expire date (which you might not want to do anyhow) all the client needs to do is move his clock even farther forward and it will expire.
You can extend your session timeout to a later date. Perhaps you can use cookies that don't expire (sessions are related to cookies on the client side). Otherwise, your client's browser is just doing what it's designed to do.
EDIT: Javascript Option
This is a total hack, but you COULD use javascript to get the current time on the client machine and send it back to the server, then adjust the timeout on your session cookie to expire three months after that. See http://www.w3schools.com/jsref/jsref_gettime.asp
Once you have retrieved the client time, you can reset the session expiration using session_cache_expire(). http://www.php.net/manual/en/function.session-cache-expire.php
EDIT: 100% Server Side Option
Another option that I thought of would be to set a session cookie with no expiration, but track the time the cookie was set on the server, say in a MySQL table. You would also need to keep track of the last activity. Whenever a logged in user makes a request, you could check the start time of their session and their last activity. If the current time is greater than your acceptable timeout for either of these, then destroy the session server side and bring them back to the log in page. If the session is still ok, then update the last activity associated with that user so you can compare on the next request. No client side code necessary.
I fully agree with @MarcB's comment that you can't assume responsibility for how grossly misconfigured a user's machine could be. If you really want to make a difference in this regard I would suggest using PHP to output a small snippet of JavaScript that includes the time on the server. The snippet would compare that time to the time on the client computer and raise an alert if the time differs by more than X from the server (say, 24 hours or so).
Any trick?
Use session cookies. Not session in the meaning of PHP sessions, but browser session. Session cookies are stored until the user closes the browser. They are immune to whichever clock the user has set her computer to. They will last until the browser is closed.
That is normally appropriate for PHP-session related cookies.
For PHP you need to ensure that the session cookie parameter lifetime is configured to 0 before the session starts. That is either the ini setting session.cookie_lifetime or by calling the session_set_cookie_params function.
For a more detailed description of cookie parameters, see the documentation of the setcookie function.
The second part of the trick is that you place a session start timestamp and a last activity timestamp into the PHP $_SESSION. Those are server based, so they always have the same base.
Check them, e.g. if the session is too old, last activity too long ago etc., destroy the session and force the user to log in again.
You could even use that second part of the trick to combine it with a cookie that has its expiry 10 years in the future (okay, the browser might not like that, maybe you just want your three months).
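The server-side timeout described in the answer above and in the earlier "100% Server Side Option", as an added example that is not code from either answer. The two limits, the session keys and the function names are assumptions; the array form of session_set_cookie_params() needs PHP 7.3+.

```php
<?php
// Assumed limits. The idle limit stays below the default session.gc_maxlifetime (1440 s).
const IDLE_LIMIT     = 20 * 60;      // max seconds between two requests
const ABSOLUTE_LIMIT = 8 * 60 * 60;  // max total age of a login in seconds

// Pure check on the stored timestamps; $now must come from the server clock.
function sessionIsExpired(array $session, int $now): bool
{
    if (!isset($session['started_at'], $session['last_activity'])) {
        return true; // no timestamps recorded: treat as expired
    }
    return ($now - $session['started_at'] > ABSOLUTE_LIMIT)
        || ($now - $session['last_activity'] > IDLE_LIMIT);
}

// Call at the top of every request. Returns true if a valid login exists.
function startGuardedSession(): bool
{
    // lifetime 0 = browser-session cookie, so the client clock cannot expire it
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    if (empty($_SESSION['user_id'])) {
        return false; // nobody logged in
    }
    if (sessionIsExpired($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        return false; // caller sends the user back to the login page
    }
    $_SESSION['last_activity'] = time(); // refresh for the next request
    return true;
}

// Call once after the credentials have been verified.
function markLoggedIn(int $userId): void
{
    session_regenerate_id(true); // new ID at the privilege change
    $_SESSION['user_id'] = $userId;
    $_SESSION['started_at'] = $_SESSION['last_activity'] = time();
}
```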
Try to disable the session timeout or at least set it far into the future. That should do the trick.

Can we create endless session in php?

Normally a PHP session expires when the user closes the browser. Is it possible to create a session in PHP that never expires, no matter how many times the user closes and restarts the browser?
Thanks
Not strictly endless, but you can set the cookie lifetime to two years or so, which comes pretty close:
the session.cookie_lifetime ini setting
the session_set_cookie_params() function to set them programmatically.
The session cookie won't be deleted then if the user closes the browser.
Take care that your session data store keeps the data that long as well. This is important. And keep in mind that you need to store all users' data for this large time-span, so you should have enough space available.
This does not work at all if the user disables cookies in her or his browser.
It is never endless. But you can set cookies/session for more than 10 years in the future. However, your server is gathering more and more session files, be aware of that. I collected almost a million files in my tmp directory.
No, the best you can do is set a cookie with an expiration date far in the future.
Even then, the user can just delete it without even closing the browser or leaving the site, so don't rely on it.