I'm new to the cookie. But I think I might have done some wrong with my PHP code. During login process I have a verify login script that verifies the user. And if the user passes it the script will automatically set a cookie, setcookie("userid", $row["profileId"], time() + 24*3600*14); and the script also redirects the user to the main page with header("Location: ../../index.php"); As I'm looking on the network tab in Google Chrome's developer tools, I can see the cookie just for the verify script, both request cookie and response cookie. But why can't see this on all other AJAX request? I can't retrieve the cookies at all, what have I done wrong? I know I have made some common pitfall
The only Cookie I can retrieve is the session cookie. I need the retrieve the cookie using $_COOKIE in php. I'm using localhost as the domain
Cookies are fully automatic. You don't need to grab them in js to send them. The ajax call with automatically send them in the request, you can even set more with the response. But you must be on the same domain for any of this to work. Cross domain cookies are disabled for security.
cookies are client side, http://plugins.jquery.com/project/Cookie
Related
I am working on a site that involves logging in through discord, which uses oauth2. I believe the login is controlled by the phpsessid cookie, from what i can tell. My problem is this cookie resets when the browser is closed, meaning whenever the browser closes, the user has to log back in.
I was wondering if there was a way to keep the session running even after closing the browser, or maybe a different method to keep the user logged in? I found the PHP function session_set_cookie_params() that could be useful, but I'm not sure how I can use this in my situation.
In order to store data even if you close the browser, you need to use cookies. With PHP, you need to use the setcookie() method.
Default example:
<?php
setcookie('yourCookieName', "yourCookieValue");
?>
Another example:
<?php
setcookie('yourCookieName', "yourCookieValue", time() + 365*24*3600, '/', '.yourdomain.com');
?>
I have added some parameters as time and a way to keep the cookie for all the website subdomains.
And then, if you can get the cookie with $_COOKIE['yourCookieName'].
You can try to use javascript to acces that cookie and then save it as a new cookie on your website,and then load it when the user connects.Look on w3school javascript cookies
Are cookies necessary to create a login page with php (that keeps you logged in across several pages), or could a session variable do the trick without use of cookies?
Answer simply is yes.
Sessions rely on a session id.
Sessions in php use a cookie to store this id, but you can change it to append the id to each url instead of saving it in cookies.
ini_set('session.use_cookies', false);
in the config variable url_rewriter.tags, you see which URLs automatically get rewritten to append this id:
"a=href,area=href,frame=src,form=,fieldset="
As Pekka mentions, jQuery requests and special JS/Ajax/jQuery calls are not getting rewritten by default and you have to append the id manually like:
<script>
$.get('/yourpage/?PHPSESSID=<?php echo session_id(); ?>');
</script>
the session name can be obtained via session_name();, default is in the config variable: session.name.
Use ini_get(); or phpinfo(); to see your configuration.
Actually if you are using sessions you can use a cookie or a special GET/POST fields to identify yourself towards the server. The server then using the user id, passed either by GET/POST or a cookie - knows which data set is connected to the current user/client at server side. This way using sessions you can store data at server side with only sending a special user id to the client.
This way you can save login data for each user, thus login functionality can be implemented using sessions in PHP.
And yes, you can solve login with no other cookie just the Session user ID, or use the POST/GET session id.
Typically sessions are more reliable when working with keeping a user logged in. Sessions are stored on the server, whereas cookies are stored client sided. So that falls down to: do you want your login dependent on something the client can control and manipulate?
I've had first hand issues with logins being hacked with cookies, so I suggest sessions.
No, you do not need cookies in order to set up a login system, sessions suffice. However, if you seek a "Remember me" option, you need cookies in order to keep the user logged in beyond the point when the user closes the browser or the session expires.
http://www.php.net/manual/en/features.sessions.php
For maintaining a session with server, you need to identify yourself (your page) to server. So that server can keep track of your page's subsequent request and maintain a session.
So, if you only have username and password option on your login page, then cookies may not be required. Refer to the following link:
Passing the Session ID from page to Server
You can have a special URL which will have identifier as part of URL, which will inform server about your subsequent request.
However, please note that using this type of special URL is not always the recommended approach. Because this is insecure than cookie based session. For example, someone may paste their own link on a chat or in an email, and other person will be entered to your site without username/password.
You can do authentication without cookies (or sessions which are a special case of cookies) but it won't be on a page. This method is called HTTP Authentication.
I have a weird problem. I have a web page, that on the main page sets a session variable for each user that visits, and then on the next pages if the session variable is set, some stuff is shown, and some other isn't. The variable i'm setting is just an "1".
$_SESSION['user_id'] = $user_id;
Everything is simple, everything is working great, but I have this one user, that the server doesn't save the session variable for. Just one guy as far as I know. What can be causing this behaviour? He is using a mac if that matters, but on other macs the website works great.
Thanks.
When you call session_start() PHP sets a cookie with just the PHPSESSID variable set. This variable is used to identify the client browser with the session data on the server. If your user has disabled cookies, then it is not possible to use sessions without passing PHPSESSID back and forth in every request via GET or POST.
HTTP is a stateless protocol. IF session would be only in server side, how could it be able to distinguish between users?
[HTTP is a stateless protocol means: HTTP requests are responded from the server, and it forgets who sent the request, where did that come from.]
This is why cookies are storing the session ids.
In other words, if a user is disabling the cookies, he is not allowing PHP to set the session for himself. This is the reason behind.
I have a class that has a function, lets say class.php:
class fun {
public function get_cookie() {
$old_cookie = $_COOKIE['mycookie'];
}
public function ssl() {
//redirect from http to https
}
In another php file, lets say index.php:
//include fun class
$fun = new fun;
$fun->ssl();
$fun->get_cookie();
My question is since the function get_cookie is after $fun->ssl() does the user send the cookie encrypted? or since the cookie code is coded before the $fun->ssl() is executed, the cookie gets sent unencrypted?
Never send anything via cookies which requires encryption.
Regardless of the answer to the actual question posed here, the contents of your cookies should be considered to be publically accessible and insecure.
Firstly, the entire set of cookies for the site is sent (in both directions) with every single web request. So even if you successfully encrypted them with SSL in this particular request, the user would only need to make a plain HTTP request for an image on your site, and he'd transmit them and get them sent back unencrypted.
Secondly, it is not unheard of for cookies to leak between sites. Many cross-site scripting hacks exist which can allow third-parties to get hold of your user's cookies. These would not be stored encrypted on the user's machine, even if they were sent via SSL.
So I'll repeat my initial statement again: never send anything via cookies which you need to keep secure.
The Wikipedia article has a very nice explanation of how cookies work. Basically, cookies are sent along with the request header. So unless the connection is being made via HTTPS then the cookie is being sent in the clear.
The cookie is sent before your code is running. PHP reads the header, fills the global variable $_COOKIE[] and then executes your code. So if somebody makes a request with HTTP, he will get the cookie unencrypted.
When you create the cookie, you can define, that the cookie is only sent to pages requested with HTTPS. You do this with the functions session_set_cookie_params() or setcookie() with the $secure parameter. Such cookies won't be sent, if a page is requested with HTTP.
Basically I have a form in my android app that lets the user enter his/her username and password and then this is POSTED to a very simple login page made in PHP online. I then need to access a second pae which pulls down data from an xml file - in order to access this page the user must be logged in. The xml page that the user sees is dependent of their username.
On my login page I have
session_start();
session_register("username");
At the beginning of each page that checks login I have
<?php
session_start();
?>
and to check if the user is logged in I use a simple if statement
if(!session_is_registered("username")){?>
display whatever
else bla
How can I make this work in my android application? I am unable to go to the xml page after I have logged in because it does not recognise me as being logged in.
Firstly, perform the login using a web browser to ensure it works ok. Then do the same thing again, and use something like Live Http Headers or Charles Proxy to examine the request and response headers. I imagine there will be some kind of session cookie passed back and forth after a successful login. You would need to read the cookie from the response of a successful login and send it back with the request for your XML page.
EDIT
There is a simple example of performing a post with a cookie using HttpClient and another using HttpsUrlConnection in my question and answer in this thread.
If it's a single retrieval, why bother with sessions? Have the website serve the XML file as direct response to the request with the user credentials by the application.
If you need to use sessions for some reason, you need to search the reply to the POST request for the session id and deliver the session id with your request for the XML data. The session id is likely in the cookies, it can also be in the hyperlinks of the page (depends on how you setup your login).
PHP sessions are implemented with cookies. Whenever you call session_start(), the response includes a Set-Cookie header which sets a browser cookie containing the PHP session ID. By default (and unless you have renamed the cookie with the session.name PHP configuration option), the name of the cookie is PHPSESSID.
After logging the user in, subsequent requests need to be issued with a Cookie header containing the session ID. Before submitting each request, simply make sure that you re-use the CookieStore object that you used to log the user in (call AbstractHttpClient#setCookieStore on any new HttpClient instance).
Essentially, you need to programmatically perform a post using the httpclient libs in Android, pull the session cookie from the response (set-cookie headeR), and make sure to include that cookie in any subsequent requests to the server.
You can Google for how to use httpclient to do a post, like this. Here's an example of inserting a cookie into a request using httpclient. I'll let you read some javadocs / find some more examples to put it together.