I'm making another project and I'm using cookies to store some unimportant login information.
My problem is that if I go to "www.domain.com", the cookie can be accessed, however, if I go to "domain.com", the cookie cannot be accessed.
I'm writing my project in PHP so if anyone has the answer, or a solution to this problem that would be great.
Thanks,
Mark.
When you set the cookie, set it as .domain.com.
ini_set('session.cookie_domain', '.site-name.com');
or
setcookie ("cookie_name", "", time() + 3600, "/", ".site-name.com", 1);
Related
I have a function that sets cookies; in this function I use PHP's setcookie function in order to set cookies, for example:
setcookie('auth', $token, time() + 3600);
The function I'm using setcookie in is as follows:
function SetAuthenticationCookie($id, $rememberme) {
$token = md5(uniqid(mt_rand(), true));
executeNonUserQuery([db query]);
if ($rememberme) {
setcookie('auth', $token, time() + (86400 * 90));
setcookie('profid', $id, time() + (86400 * 90));
}
else
{
setcookie('auth', $token, time() + 3600);
setcookie('profid', $id, time() + 3600);
}
}
The above cookie should be valid for one hour, and appears this way in the browser (see below screenshot).
In the browser the cookies show before it redirects (the page is dynamic), therefore the cookies are being set. However they disappear when the page redirects. This causes a problem because the main UI page (where the login page redirects) checks for the presence of the authentication cookies and redirects back to the login page if they don't exist.
I followed the official documentation for setcookie and am unable to see what the problem is. Chrome reports that the cookie path is /internal therefore it's a possibility that the actual page can't access them (the page path is /pages), but this still doesn't explain why they disappear completely from Chrome.
The cookie is set to expire in an hour after it is set, but this doesn't explain the disappearance of the cookies unless I'm missing something crucial in setcookie concerning the setting of the expiration time. I experience the same issue in other browsers, so it has to be something that I've done wrong or missed.
I confirm that I have nothing that unsets or expires the cookies (I haven't implemented that yet). I've tried setting the path to / but this doesn't fix the problem.
What am I doing wrong, and how can I fix it?
I'm aware of the security issues here, my priority is to fix this problem first.
This issue was caused by two factors:
The cookie path
PHP's timezone
As mentioned in the question I had already tried setting the cookie path to / with no effect. However I did not consider PHP's timezone, which was set to UTC.
Setting the timezone to the correct Europe/Guernsey plus setting the cookie path to / (root) fixed the issue.
Ok, add a path and make it available to the whole website rather than just the folder the first script is in
setcookie('auth', $token, time() + 3600, '/');
EDITED, look at the end
I got a Symfony 1.2 project, that was running on two domains (different app used on each domain) : www.mywebsite.com and abonnement.mywebsite.com
I had two different cookie name/domain in each app.
We decided to use the same cookie for both apps. So, i edited the config for both apps and set the cookie_domain to .mywebsite.com, and setted the cookie_name to mywebsite_cookie in boths apps.
The problem is that when I visit abonnement.mywebsite.com, the old cookie is used. Manually deleting this cookie in my browser fixes the problem, but there are thousands of users on this website and I'm wondering if there's a solution to manually delete this cookie.
I tried :
if (isset($_COOKIE['abonnement_cookie'])) {
ini_set('session.cookie_domain', 'abonnement.mywebsite.com);
setcookie('abonnement_cookie', '', time() - 3600, '/');
$this->redirect('#internet_etape_1');
}
But no success.
Is there a way to do it?
I'm using Firefox 9.0.1
Thanks!
Edit:
I found the problem, cookie was created with "host" and not "domain".
To use the current host, you need to specify '' as domain :
setcookie('abonnement_cookie', 0, time() - 3600, '/', '');
Hope this helps!
You need to match the domain and path that which was used to create the cookie when destroying the cookie. This is because as you have discovered, it is possible to have a cookie with the same name and different scopes for the same domain. When destroying the cookie, you must match the scope that was used to create it, so the client knows which one to destroy.
Try:
setcookie('abonnement_cookie', '', time() - 3600, '/', 'abonnement.mywebsite.com');
Why cookie values showing in browser even after it deleted by using PHP code, I am viewing cookie values by using FireFox "View Cookies addon". It will disappear only after delete or clear my browser cookies manually. I asking this question because of my work will work only after deleting cookies from browser manually, if i unset cookie in PHP code and run , it will not work, i am un setting cookie value by setting its expire date with past value.Example:
setcookie ("myCookie", "", time() - 3600, "/", ".example.com");
Code I am using for setting cookie:
setcookie ('Event', '', time() - 3600, '/', '.example.com');
Code I am using for unsetting cookie:
setcookie('Event', '-1-1301223453%7C9de8f7c08bf2be19c125f86ced33a0c2%7C1301050653%7C-1%7C1301223453', '', '/', '.example.com', 0);
But if i print cookie value after it unset it will be blank(nothing), but it will show in browser
Please any one help!!
That is completely based on browser settings you are viewing in and you are asking that the browser is still showing the cookies. That is true browser is still showing the cookies but you will get relax when you check it in PHP the cookie is unset.
print_r($_COOKIE);
show you the active cookies.
Remember when you clear cookies from your browser tool then cookie will be erased but when you unset from the PHP they are set to the time in past not erased from browser history.
Delete cookie with setcookie("myCookie");
What about trying this approach?
// unset cookies
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}
This could have various reasons. First of all, check if the cookie is set at all. Then make sure it uses the same parameters (except the expiration) as when the cookie was originally set. And for the expiration parameter, use a value that is definitely long in the past (one hour could be too little if your server’s time is off by some hours):
setcookie($cookieName, 'deleted', 1, $cookiePath, $cookieDomain);
here is a simple tutorial about delete cookie by php
first we set the cookie value and expire date.
setcookie('test', 'test', time() + 3600);
visit the page, you'll see the cookie 'test' has successfully created
then, we change the php code to delete cookie 'test', just set a passed date value for it
setcookie('test', 'test', time() - 3600);
visit the page again, you'll find the cookie 'test' has gone
btw: i was use the fire cookie extension to check the cookie value.
hope this simple tutorial can help you.
OK, I'm stumped, and have been staring at this for hours.
I'm setting a cookie at /access/login.php with the following code:
setcookie('username', $username, time() + 604800, '/');
When I try to logout, which is located at /access/logout.php (and rewritten to /access/logout), the cookie won't seem to unset. I've tried the following:
setcookie('username', false, time()-3600, '/');
setcookie('username', '', time()-3600, '/');
setcookie('username', '', 1, '/');
I've also tried to directly hit /access/logout.php, but it's not working.
Nothing shows up in the php logs.
Any suggestions? I'm not sure if I'm missing something, or what's going on, but it's been hours of staring at this code and trying to debug.
How are you determining if it unset? Keep in mind that setcookie() won't remove it from the $_COOKIE superglobal of the current script, so if you call setcookie() to unset it and then immediatly print_r($_COOKIE);, it will still show up until you refresh the page.
Try pasting javascript:alert(document.cookie); in your browser to verify you don't have multiple cookies saved. Clear all cookies for the domain you're working on to make to sure you're starting fresh. Also ini_set(E_ALL); to make sure you're not missing any notices.
Seems to be a server issue. My last domain was pretty relaxed on PHP error handling while the new domain shows every error. I'm using both sites side by side and the old one removes the cookie as it should.
Is there perhaps a timezone issue here? Have you tried setting using something farther in the past, like time() - (3600*24)? PHP's documentation says that the internal implementation for deleting cookies uses a timestamp of one year in the past.
Also, you should be able to use just setcookie('username', false); without passing an expiration timestamp, since that argument is optional. Maybe including it is confusing PHP somehow?
How you use cookies data in your application?
If you read the cookies and check if username is not false or not '', then setting it to false or '' will be sufficient, since your application will ignore the cookies value.
You better put some security in cookies value, to prevent user change it's value. You can take a look of CodeIgniter session library, see how CI protect the cookies value using hash. Unauthorized value change will detected and the cookies will be deleted.
Also, CI do this to kill the cookies:
// Kill the cookie
setcookie(
$this->cookie_name,
addslashes(serialize(array())),
(time() - 31500000),
$this->cookie_path,
$this->cookie_domain,
0
);
You can delete cookies from javascript as well. Check here http://www.php.net/manual/en/function.setcookie.php#96599
A simple and convenient way, is to use this additional functions:
function getCookie($name) {
if (!isset($_COOKIE[$name])) return false;
if ($_COOKIE[$name]=='null') $_COOKIE[$name]=false;
return $_COOKIE[$name];
}
function removeCookie($name) {
unset($_COOKIE[$name]);
setcookie($name, "null");
}
removing a cookie is simple:
removeCookie('MyCookie');
....
echo getCookie('MyCookie');
I had a similar issue.
I found that, for whatever reason, echoing something out of logout.php made it actually delete the cookie:
echo '{}';
setcookie('username', '', time()-3600, '/');
I had the same issue; I log out (and I'm logged out), manually reload the index.php and then I'm logged in again. Then when I log out, I'm properly logged out.
The log out is a simple link (index.php?task=logout). The task removes the user from the session, and "deletes" (set value '' and set expiry in the past) the cookie, but index.php will read the user's auth token from the cookie just after this (or all) task (as with normal operations). Which will reload the user. After the page is loaded the browser will show no cookie for the auth token. So I suspect the cookie gets written after page finish loading.
My simple solution was to not read the cookie if the task was set to logout.
use sessions for authentication, don't use raw cookies
http://www.php.net/manual/en/book.session.php
Why when set php cookie path to "/" doesn't work for every subdirs in the domain, but just for the current directory.
cookie is set like:
setcookie("name", "val", expire_time, "/");
It just doesn't want to work.
try including the domain parameter:
setcookie("name", "val", expire_time, "/", ".domain.com");
// don't forget the prefixing period: .domain.com
that will enable all sudomains of "domain.com"
Are you testing on localhost? In that case, you need to pass null as the value for $domain.
Setting the cookie path to / should make it available to the entire domain. If you set your cookie like that, and it isn't being sent, there is something else wrong.
Try using the Web Developer addon in Firefox. It shows you details on the available cookies. Maybe that can help you diagnose the problem.
Late to the party, I know. But I just discovered that my issue was pretty stupid, but I'll post it for completion:
I was neglecting to add time() to the expires time on the cookie, so it was expiring immediately.
The expires time should be time() + seconds