So I know browsers limit the cookie number to something like 200 ...or whatever (the idea is that there is a limit).
I need to mark a site's page as viewed by the current visitor, so I'm setting a cookie viewed=true.
How can I set a cookie only for a certain page? I know it's possible, I've seen sites doing this...
Let's say I have 10.000 pages and a visitor views them all. Would browsers complain if there are like 10.000 cookies set on his computer for each of these pages? Is there a cookie limit for the entire site too (all pages together)?
Better explanation of what I want:
Cookies can be set as global (for the entire site, visible on all pages), or local (for a certain page only).
How can I set a local cookie? For example a cookie that's only accessible from site.com/?page=blablawhatever
Does the browser's cookie number limit take into consideration all local cookies too, or just the cookies for the current site page?
I think the ideal way would be to set a user ID cookie and, like the others said, store any information tied to that user in your database.
You can set a session cookie and store the viewed pages on the server.
Instead of using cookies (which is on the user's end).
When a user goes to one of your pages, save to the database that he/she went there.
Before the database save, check if the user was already there before, and if that is true then don't save it to the database.
This might be a silly question but I am learning web development and have reached cookies now. I read about cookies and got a basic understanding of cookies and how to create them and retrieve them. What I do not understand is:
Do we need to create a cookie for each webpage? For example, in my website I have 5 pages, so should I place the cookie only in the index page and set the path "/" and it will work for all the pages?
To store the information retrieved via cookie for further analysis should I create a database to store each cookie data.
Do we need to create a cookie for each webpage? For example, in my
website I have 5 pages, so should I place the cookie only in the index page
and set the path "/" and it will work for all the pages?
No need to create multiple cookies. You can access the same cookie across your webpages if you set it at the root.
To store the information retrieved via cookie for further analysis
should I create a database to store each cookie data.
Why? It will be stored on the user's machine. And why do you want to store it in a database? All the user's information will be available in your same database.
The path variable on a cookie simply marks access.
Your assumption about only setting the / is correct if you want that cookie visible throughout all your pages.
If you want to restrict access to that cookie say to an admin page then setting the path to /admin would be fine here.
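The Path matching discussed in the two threads above (a "local" cookie for site.com/?page=..., and "/" versus "/admin"), as an added example that is not part of the original posts. It implements the RFC 6265 path-match rule; the function name and the sample URLs are constructed for illustration.

```php
<?php
// Added example: RFC 6265 section 5.1.4 "path-match", the test a browser
// applies to decide whether a cookie's Path attribute covers a request.
function cookie_path_matches(string $cookiePath, string $requestUrl): bool
{
    // Only the URL's path component takes part; the query string is ignored.
    $requestPath = parse_url($requestUrl, PHP_URL_PATH);
    if (!is_string($requestPath) || $requestPath === '' || $requestPath[0] !== '/') {
        $requestPath = '/';
    }
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;
    }
    // A prefix match only counts on a "/" boundary.
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

// Constructed sample requests: [cookie Path, requested URL].
$cases = [
    ['/',      'http://site.com/?page=first'],
    ['/',      'http://site.com/?page=second'],   // same path, different query
    ['/admin', 'http://site.com/admin/users'],
    ['/admin', 'http://site.com/administrator'],  // shares a prefix, not a path segment
    ['/admin', 'http://site.com/index.php'],
];
foreach ($cases as [$path, $url]) {
    $verdict = cookie_path_matches($path, $url) ? 'cookie sent' : 'cookie not sent';
    printf("%-7s %-32s %s\n", $path, $url, $verdict);
}
```

Path only selects which requests carry the cookie; RFC 6265 states that it cannot be relied upon to isolate cookies between paths on the same host.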
I'm planning on creating a responsive PHP image, that retrieves just the username of the current logged in user on a small forum. It's just going to help people on the forums see who last viewed the topic.
Using a PHP image, you can gather lots of information, but I need to find out what user is logged in and viewing the page.
I can't access any of the sites cookies, so would like to grab the html source from the page that loaded the image - from a specific part, that would hold the logged in users username.
Is there any way to grab any of the source code from the page that loads the image? I can use file_get_open() on the HTTP_REFERER session variable, but that wouldn't have any of the cookies or session variables.
If the original page is PHP, in the same server and using the same session, then those are of the original page too. But it's not always the case.
Say you got redirected from another website (could check referrer) or from another engine, say the page you came from is within the same server, same domain, but a different engine like .NET then your session wouldn't be the same but the cookies might.
But then again, if like Cake, the Cookies are protected (or mangled) then you will be able to access them, but you won't be able to decipher its content.
Depending on how the previous page set up the cookies, you could even read them if they came from the same domain (i.e. a.domain.org/ble.html -> b.domain.org/image.php). But it is not safe to assume.
See:
http://php.net/manual/en/session.security.php
http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies
Note: Sometimes, you can't even trust HTTP_REFERER and REMOTE_ADDR. They can be spoofed easily.
If you check the manual, you will see that
$_SERVER['HTTP_COOKIE']. It contains the raw value of the 'Cookie' header sent by the user agent
and for $_COOKIE
The value of $_COOKIE is determined by the content of cookies received in the user agent's request.
You can see $_SESSION for the session variable
Building a web application that is 90% API-based, meaning it will be hosted on the client's website (eg clientdomain.com). When API calls are made, we are creating and storing a session ID on the client's domain, and we store all the stats on their activity while a visitor browses their site.
But there's one part of our application that is hosted on our servers, because it has to be secure (eg client.ourdomain.com). Visitors will click a link from the client's website to ours.
What's the best way to somehow tell the application on our domain that this is an active session with session id XXXXXXX? I've thought of a few options:
Check sessions table for IP and timestamp within a certain range. Obviously this would not be a good option because some large groups and organizations use the same IP.
Pass the session ID as a GET variable, downside is these links may be shared or saved for later use.
Pass as POST var using a form button
Use some kind of redirect variable dynamically created that is only good for a small time frame (i.e. 10 or 30 minutes) and then deleted
Am I missing a possible solution?
Our ultimate goal is to track a visitor through goal completion so we can show conversion rate, bounce rate, etc. To do that we absolutely have to match up a visitor from clientdomain.com to client.ourdomain.com.
Thanks in advance!
Your first option is the answer, SessionID + IP = Unique.
User A and User B may have the same IP but their session id is different.
Fifth:
go
redirect-to-secure.php:
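<?php session_start(); // session_id() returns an empty string until a session is active
header('Location: http://client.ourdomain.com/?clientSession=' . session_id()); exit; // stop the script once the redirect is sent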
On client.ourdomain.com, if you detect clientSession GET param, save it to session and redirect to page without clientSession. This way browser won't remember this url.
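The short-lived redirect variable listed as an option in the question, as an added example that is not part of the original posts. It assumes the service that issues the link and client.ourdomain.com share a secret key; HANDOFF_TTL, issue_handoff_token(), redeem_handoff_token() and the sample values are hypothetical.

```php
<?php
// Added example: a signed, expiring, single-use token replaces the raw
// session ID in the URL, so a shared or bookmarked link stops working.
const HANDOFF_TTL = 600; // seconds (the 10-minute window from the question)

function issue_handoff_token(string $sessionId, string $key, int $now): string
{
    $payload = json_encode([
        'sid'   => $sessionId,
        'exp'   => $now + HANDOFF_TTL,
        'nonce' => bin2hex(random_bytes(16)),
    ]);
    // URL-safe base64 body, then an HMAC over that body.
    $body = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

// Returns the session ID, or null if the token is forged, expired or reused.
function redeem_handoff_token(string $token, string $key, int $now, array &$usedNonces): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null; // signature mismatch: constant-time comparison
    }
    $data = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['sid'], $data['exp'], $data['nonce'])) {
        return null;
    }
    if (!is_int($data['exp']) || $now > $data['exp'] || isset($usedNonces[$data['nonce']])) {
        return null; // expired, or already redeemed once
    }
    $usedNonces[$data['nonce']] = $data['exp']; // remember until expiry
    return $data['sid'];
}

// Constructed demo values; $used stands in for a shared store of spent nonces.
$key = random_bytes(32);
$used = [];
$t0 = 1700000000;
$token = issue_handoff_token('sess-EXAMPLE', $key, $t0);
var_dump(redeem_handoff_token($token, $key, $t0 + 30, $used));        // first use
var_dump(redeem_handoff_token($token, $key, $t0 + 60, $used));        // replayed link
var_dump(redeem_handoff_token($token . 'x', $key, $t0 + 30, $used));  // altered token
```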
On my webpage I'm using a cookie that's set to 1 if they're admin
0 if they're not
so admins can have access to certain features,
how hard would it be for somebody to make a 0 into a 1 in their local cookie if they wanted to?
Cookies live on the client-side, so of course they are editable. Like everything else that comes from the client, cookies cannot be assumed secure, ever. It would be very easy for someone to make themself an admin using your design.
Don't be lazy; store the privileges on the server side and only on the server side.
It's actually pretty easy to edit a cookie. Extensions such as Chrome's Edit This Cookie allow for it to be done without even leaving the browser.
I use this for simple things like web tracking on newspaper sites that limit the amount of articles you can view. I reset the cookie count and voila, I am able to view more articles.
Google "Edit This Cookie" if you want to demo it and apply it to your site.
Editing a cookie is easy.
But is this what you really meant?
Session variables are stored on the server and thus cannot be modified by the client. The client only stores an ID that refers to the session.
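The two designs from this thread side by side, as an added example that is not part of the original posts. $sessionStore stands in for server-side session storage, and the function names, user and roles are constructed for illustration.

```php
<?php
// Added example. $sessionStore is a stand-in for server-side session data.
$sessionStore = [];

// At login the privilege is recorded on the server; the client receives
// only a random, opaque session ID.
function login(array &$store, string $username, array $rolesFromDb): string
{
    $sid = bin2hex(random_bytes(16));
    $store[$sid] = [
        'user'     => $username,
        'is_admin' => in_array('admin', $rolesFromDb, true),
    ];
    return $sid;
}

// Design from the question: the decision rests on a client-supplied value.
function is_admin_from_cookie(array $cookies): bool
{
    return ($cookies['admin'] ?? '0') === '1';
}

// Design from the answers: the cookie only names a session; the privilege
// is read from server-side state the client cannot write to.
function is_admin_from_session(array $store, array $cookies): bool
{
    $sid = $cookies['sid'] ?? '';
    // Cookie values can arrive as arrays, so check the type before lookup.
    return is_string($sid) && isset($store[$sid]) && $store[$sid]['is_admin'] === true;
}

// Constructed requests from a non-admin user, before and after the client
// changes its own admin cookie from 0 to 1.
$sid = login($sessionStore, 'alice', ['member']);
$original = ['sid' => $sid, 'admin' => '0'];
$edited   = ['sid' => $sid, 'admin' => '1'];

foreach (['original' => $original, 'edited' => $edited] as $label => $cookies) {
    printf("%-8s cookie check: %s  session check: %s\n", $label,
        var_export(is_admin_from_cookie($cookies), true),
        var_export(is_admin_from_session($sessionStore, $cookies), true));
}
```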
I am building a website in which the user can select what list items they see in their navigation menu. My idea is to store the menu items that the user selects in a cookie, as this will stop the need for the user to be a registered member on the website. Is it possible to store realtime data in a cookie and how would I do this? For more information: the navigation options are built from a MySQL result, the user then clicks a link and that link is added to a different list, and if they click it again it is deleted. I need to add/remove these items from the cookie as the user adds/removes them from their list.
I would use the cookie only to identify the user and do all of your menu option saving in MySQL.
Grab the user id from the cookie and query the db for the menu_options and display them.
Either way, storing the data in a cookie or in the database, when the cookie expires, so does (effectively) the user. Plus people delete cookies all the time using cleaners like Adware and CCleaner. I do this about once a week. Cookie = Gone.
This is a bad idea.
The number of cookies a browser can store is not defined (however there is a hard limit for most browsers). RFC 2109 suggests at least 20 cookies per host and a min cookie size of 4k. Certainly the latter is adhered to by most browsers.
You're also going to have to replicate all the features of session management without the nicety of having server-side state. You do not want the kind of pain going down this route will cause you. Keep your session data server-side.
There is no requirement for a user to 'log-in' to have a session. You just need to assign them an automatic identity in a persistent cookie (then replace that if they ever do sign in). And map the session back to a more long term storage when the user changes the config.
C.