I’m adding a notification to my website about a new feature that has been implemented. The notification is near the top of the website, in an eye-catching place to get people’s attention. Using jQuery, I wrote a small function that hides the notification when the user chooses to. If the user chooses to hide the notification, I want it to be hidden permanently for the remainder of the visit and on future visits to the website.
What would be the best way to make sure that when they return to the website later on, the notification is hidden? I thought about sending an AJAX request that creates a cookie when the user initially hides it, then checking for the cookie when the page loads, but I’m not sure if that’s the best way to do it. I don’t want to hide it based on IP address because I’m afraid that two users on the same network but different computers might access the website, and one will miss it, but maybe I’m being too paranoid. Any ideas on the best way to do this?
Why not just create/read the cookie with javascript?
I would suggest using javascript to set/read the cookie as well. Since you're already using jQuery I would suggest the jquery.cookie plugin. The only reason for doing an AJAX request to save the user's preference is if your user is logged into the site and you want to store their preference in a database or some other persistent storage so that whenever they are logged in they don't see the message about your new feature.
If the server does not need to be aware of the value of the cookie I would suggest you use localStorage instead.
localStorage exists on the client and does not get sent with the $_COOKIES header to the server.
More can be read about localStorage here
And even more can be read as per why you would want localStorage over cookies for client side data here Local Storage vs Cookies
Related
I am working on an android app that is actually gets user data from android device and then to put it on the server, like to get user name, password, email for registration purpose and then user login to access the app menu (to see list of products, search for products and to add his/her own product details in the list). So using cookies and sessions would be a good idea for my app. Cookies can be blocked by the user and sessions every time to login to access.
But as i am totally new to this concept of cookies and sessions so it would be good to ask a question here before i have to start, that which one should i use cookies or sessions ?
The user can not block cookies. Cookies are simply headers that you will send in each request.
Cookies are easier to handle on the server side. You will simply use $_SESSION["variable"] to get/set any variable for the user. It will simplify your life on the server. However, I think the main drawback will be maintainability and administration of sessions. For example, if a user logs in again on a different device and you want the first session to be invalidated. It is not very straight forward.
If you want to use sessions, you will probably save them in a table on some database. You will need to fetch the session details when you need them. This is sort of extra effort. Yet, database sessions provide some kind of administration capabilities straight away.
I prefer database sessions for what is stated above and some other reasons. However it is up to you
In my login code on my website, if the password & username are correct, I set a cookie to keep the user logged in.
I just heard from a user that he doesn't accept cookies automatically through his browser, and that that prevents him from logging in. That rhe cookie is not set.
Is there an easy way to counter that?
Tell me if you need the code I use.
It is possible to get this to work but often a real pain if you're using complex javascript/ajax.
In short, instead of storing the session id in a cookie, you embed it at the end of every link.
so
http://example.com/somepage.php
becomes
http://example.com/somepage.php?SessionId=ABC123
Unfortunately, while PHP can do this for you in some cases, it doesn't help with links you build yourself in javascript - and it only takes clicking a single link without the id to effectively log the user out
See this page for more information
As mentioned by Quentin in the comments, if you're not using a cookie to identify the browser which created the session, it's possible that sharing a link would share the session. This could be mitigated but not prevented by checking IP address/user agent but this would likely fail in large corporate environments with NAT and standard browsers
On my webpage I'm using a cookie that's set to 1 if they're admin
0 if they're not
so admins can have access to certain features,
how hard would it be for somebody to make a 0 into a 1 in their local cookie if they wanted to?
Cookies live on the client-side, so of course they are editable. Like everything else that comes from the client, cookies cannot be assumed secure, ever. It would be very easy for someone to make themself an admin using your design.
Don't be lazy; store the privileges on the server side and only on the server side.
It's actually pretty easy to edit a cookie. Extensions such as chrome edit this cookie allow for it to be done without even leaving the browser.
I use this for simple things like web tracking on news paper sites that limit the amount of articles you can view. I reset the cookie count and voila, I am able to view more articles.
google edit this cookie if you want to demo it and apply it to your site.
Editing a cookie is easy.
But is this what you really meant?
Session variables are stored on the server and thus cannot be modified by the client. The client only stores an ID that refers to the session.
If any site visitor fills the form without login to the application then if he visits
the site again from the same pc then he should be able to view his last filled
information.
But I do not have any idea how to do it.Its a PHP application.
Thanks
Gaurav
You can Track A record Of User's Ip So Its Value You Can Use When user filling up form
Cookies are probably the best option but you could do this with html 5, javascript and local storage.
One possible solution is to save the Information that the user provided into a cookie.
But cookies are handled by the browser and if the user has confed his browser to delete cookies after closing the info will get lost.
So it depends on the users browser setting if it will work.
(http://php.net/manual/de/function.setcookie.php)
Another Solution for newer Browsers would be to use the DOM Storage as Supercookie.
Or directly store the form information to the local storage.
Both are HTML5 features and not properly implemented in all browsers.
dom-storage-super-cookie
html5_webstorage
Store the information in cookies. Read those back when the user visits again from the same browser and prefill your form elememts.
One possible solution is the use of persistent cookies - they are attached to the browser and outlive sessions and Browser restarts. See https://en.wikipedia.org/wiki/HTTP_cookie#Persistent_cookie
These cookies can be denied and removed if the user wants to.
Say I have an ASP.NET webpage and I also have a PHP Blog/BBS/Website. I want all logins to be done via the ASP.NET webpage. The ASP.NET Session State is stored in SQL. Is there any way I can read/decode the Session State from PHP to tell if a user is logged on if I have the Session State cookie?
I don't think there's a supported way. You could reverse-engineer the store, but the database format may change with next .NET service pack and youe a'd be screwed then.
The only safe way would be to implement your own session state provider so you could guarantee that the database format doesn't change.
If all you need is to verify that the user is authenticated, it would be probably easier to send the user an encrypted cookie with the username and decrypt it in the PHP app.
I have never tried this but if you provided a simple web service that is part of your asp.net application but only accessable from your PHP site. You should now be able to read anything that is in session via the web serivce.
this is looks tricky, but try reading here. the issue here is know the way in what asp encodes and save the session, if you can read that format, this may help.
another way I'm thinking is to create a request to some "login" page form asp to php, where you send the login credentials and the php file creates the session, but this could be not secure if you leave it open, and also could be slow, since another request is necessary.
on the other hand I saw few sites, where once you are logged in, for example in the main site and you want to go to the forums, you click on some link that submit a form to the php login page (credentials are "harcoded" for that user in that session) and the php page login you like the "regular" behavior.
hope to be clear
Unless you specifically need full access to the entire asp.net session state, you may be better off just storing the particular pieces of information that you know both apps need to share in a shared database or file directly.
That way you can ignore most of the complexities of an asp.net session and just pick and choose the specific pieces data your apps need share with each other.