I have a strange problem clearing a cookie via PHP.
Let's say I have a domain, neobie.net.
I store a "remember user login" cookie named "USER_INFO", which contains a string to identify the user's login on the next visit.
Now, using Firefox, I saw that I have 2 USER_INFO cookies, with domains "www.neobie.net" and ".neobie.net", with an expiration date of 1 week later.
I wrote a logout.php script, which clears the cookie for different domains (.neobie.net, www.neobie.net, neobie.net) to ensure that the USER_INFO cookie is completely cleared for the different domains.
Now here is the problem.
The user isn't able to clear the cookie when the user visits logout.php.
I found out that I have to manually delete the cookie with domain "www.neobie.net", leaving the ".neobie.net" one intact; only then can the cookie be cleared.
So, I have to make the PHP script set the USER_INFO cookie on ".neobie.net", and prevent it from setting the cookie on "www.neobie.net", to make the logout.php script work.
But I don't understand why I couldn't clear the cookie for "www.neobie.net" (with leading www., tested on Firefox and Chrome).
You have overlapping cookie domains. www.neobie.net will receive cookies set on .neobie.net, so there is no need to set the same cookie on both domains.
If your logout URL starts with http://www.neobie.net, you should be able to clear cookies on the www.neobie.net domain. An HTTP header trace will help.
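A browser deletes a cookie only when the expiring Set-Cookie header matches the stored cookie's name, domain and path, so a logout script has to expire each variant that may have been set. The following is an added example, not the asker's logout.php; the path "/" and the helper name `expire_cookie` are assumptions, and the options-array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// logout.php (added example, not the asker's script).
// Assumption: the cookie was originally set with path "/".
const COOKIE_NAME = 'USER_INFO';

/**
 * Expire one (name, domain, path) variant of the cookie.
 * $domain === null omits the Domain attribute, which targets the
 * host-only cookie of whatever host served this response.
 */
function expire_cookie(string $name, ?string $domain, string $path = '/'): void
{
    $options = [
        'expires'  => time() - 3600, // in the past, so the browser drops it
        'path'     => $path,         // must equal the path used when setting
        'httponly' => true,
    ];
    if ($domain !== null) {
        $options['domain'] = $domain;
    }
    setcookie($name, '', $options);
}

// The variants visible in the browser's cookie list in the question,
// plus the host-only form (no Domain attribute).
foreach ([null, 'www.neobie.net', '.neobie.net'] as $domain) {
    expire_cookie(COOKIE_NAME, $domain);
}

// Log the Set-Cookie headers this response carries; this is the
// server-side half of the HTTP header trace. Debugging aid only.
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie:') === 0) {
        error_log($header);
    }
}
```

Serve it from the same host the user is logged in on (here www.neobie.net) and compare the logged headers with the domain and path columns in the browser's cookie viewer.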
Related
I have many doubts about cookies and sessions:
1) Can anyone explain to me the workflow of cookies and sessions together (for example, if I visit a site and then log in with my email and password, how do cookies and sessions work together)?
2) If the cookie is set for 5 minutes and the session is set for 10 minutes, what will happen?
3) How will the flow work if cookies are disabled on my computer?
There are many questions which cover your doubts already, I'll link some below. I'll answer your specific questions first:
1) When you visit a website for the first time, actually when you do a session_start() on the PHP side, a new session ID is generated (a random string) and sent to the browser as a cookie, usually with the name PHPSESSID, so next time you visit the site the same data is loaded back from the session file (which is stored somewhere on the server).
2) If the cookie expires before the session, the browser won't send the PHPSESSID value, thus a new session ID is generated. It is usually advisable to use an expire time for cookies way longer. When you expire a cookie, you rely on the client's browser to honor your disposition, but to be safe you must expire the session server side.
3) Sessions won't work; every time the client requests a page a new session cookie will be generated.
Some more information:
cookies vs session
Cache VS Session VS cookies?
What is the difference between a Session and a Cookie?
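Expiring the session on the server, as point 2 of the answer advises, can be done by recording the last activity time inside the session and rejecting it once it is too old. This is an added example, not code from the answer; the 10-minute limit, the `last_activity` key and `/login.php` are assumptions.

```php
<?php
// Added example: enforce the session lifetime on the server instead of
// trusting the browser to honour the cookie's expiry.
const IDLE_LIMIT = 600; // seconds of inactivity allowed (assumed value)

function start_session_with_idle_timeout(int $idleLimit = IDLE_LIMIT): bool
{
    session_start();
    $now  = time();
    $last = $_SESSION['last_activity'] ?? null;

    if ($last !== null && ($now - $last) > $idleLimit) {
        // Too old: wipe the server-side data and ask the browser to
        // drop the session cookie as well.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => $now - 3600,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
            ]);
        }
        session_destroy();
        return false; // caller treats the visitor as logged out
    }

    $_SESSION['last_activity'] = $now; // sliding window: refresh on each hit
    return true;
}

if (!start_session_with_idle_timeout()) {
    header('Location: /login.php'); // hypothetical login page
    exit;
}
```

Even if a client keeps or replays the PHPSESSID cookie past its expiry, the server refuses the session once the idle limit has passed.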
So I'm trying to keep my users logged in with cookies. When the user closes the browser and reopens it, it relogs them in, which is great.
The problem is that when the user quits a browser or restarts their computer, the cookie is lost.
How can I keep the cookie from being lost? Or am I going about this the wrong way?
P.S. I've made sure that the cookie is randomly generated, salted and hashed.
There are two types of cookies:
Session cookies - these are temporary cookie files, which are erased when you close your browser. When you restart your browser and go back to the site that created the cookie, the website will not recognize you. You will have to log back in (if login is required) or select your preferences/themes again if the site uses these features. A new session cookie will be generated, which will store your browsing information and will be active until you leave the site and close your browser.
Persistent cookies – these files stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie's file.
To make a cookie persistent, use for example:
setcookie( "cookieName2", $value2, strtotime( '+365 days' ) );
For more information, click here.
I've changed my session ID cookie domain so my sessions can be used on subdomains as per Allow php sessions to carry over to subdomains.
However, now my users can't log in. I think the old cookie is still being sent and read by my PHP session_start().
Should I try and remove the old cookie? Or is something else going on here?
Also, it would be good if a solution didn't require me to rename my session id cookie.
I use OAuth to authenticate at an external website. Everything is okay, but the session variable is missing after redirecting from the external website.
Summary:
I store a session var in my website, then go to the login page of the other website. After logging in and confirming, it redirects to my callback; when I check the previous session var, it is missing! How do I fix it?
I tried to call session_start() everywhere I use the session, but it doesn't work. Of course I enabled sessions in "php.ini" and enabled cookies in the browser. :) I debugged but can't find out the reason.
Update:
After storing my session var, I do a request like this:
http://mixi.jp/connect_authorize.pl?oauth_callback=http%3A%2F%2Fmypage.com%2Fcallback.php&oauth_token=fjdklsfjlksd
Note the oauth_callback; it is the redirect URL. I don't know what mixi.jp uses to redirect.
Make sure your site's domain is 100% identical before and after the redirection.
Note that
www.yoursite.com
and
yoursite.com
are two different sites cookie-wise.
The session id is stored in a cookie. The cookie is sent with every page of the domain it was registered for. When you jump to another domain, your cookie with the session id is not sent. You must pass the session id to your new domain and then create a new cookie in this domain with the session id.
header('Location:redirect.php?session=' . session_id());
And then in the redirected page restore the session
<?php
session_id($_GET['session']);
session_start();
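A session ID carried in a query string ends up in browser history, server logs and Referer headers, and a page that adopts any ID it is handed can be made to adopt one chosen by someone else (session fixation). The following added example, not part of the answer above, keeps the same handoff but validates the ID, accepts it only once and only briefly, and replaces it on arrival. The helper names, the `handoff_until` key and the 30-second window are assumptions, and both hostnames are assumed to share one PHP session store.

```php
<?php
// Added example; hypothetical helpers, not code from the answer.
const HANDOFF_TTL = 30; // seconds the redirect link stays usable (assumed)

// Sending side: mark the session as expecting a handoff, then redirect.
// Assumes $targetUrl has no query string, e.g. 'redirect.php'.
function send_handoff(string $targetUrl): void
{
    session_start();
    $_SESSION['handoff_until'] = time() + HANDOFF_TTL;
    $url = $targetUrl . '?session=' . rawurlencode(session_id());
    session_write_close(); // flush data before the next request reads it
    header('Location: ' . $url);
    exit;
}

// Receiving side: adopt the ID only if it is well-formed and was prepared
// by send_handoff() moments ago, then replace it immediately.
function receive_handoff(): bool
{
    $sid = $_GET['session'] ?? '';
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
        return false; // not a plausible PHP session ID
    }
    session_id($sid);
    session_start();
    $until = $_SESSION['handoff_until'] ?? 0;
    unset($_SESSION['handoff_until']); // single use
    if ($until < time()) {
        // Unknown, stale or replayed ID: keep no session under it.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    // The ID that travelled in the URL stops being valid here.
    session_regenerate_id(true);
    return true;
}
```

Call `receive_handoff()` at the top of the redirected page in place of the bare `session_id($_GET['session'])`, and treat a `false` return as an unauthenticated visitor.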
I'm trying to set a cookie, then redirect to a new URL and access the set cookie (or check if the cookie is set), but it doesn't seem to be available in the new URL.
<?php
header("Location: http://www.facebook.com/pages/tabappURL");
setcookie('coupon', true, time() + 120); //hold for 2 min, time in seconds
?>
Any ideas?
Also, let me explain what this is, or why I'm trying to do this. I have a Facebook tab app, which is an iframe... A user likes the page, then is presented with a contest entry form (powered by Wufoo). Once the user submits the form, Wufoo redirects to a thank you page... though it refreshes and takes you away from Facebook. This wasn't the ideal situation, since we want the thank you page to reside within the iframe. I had no control over targeting the iframe on Wufoo's end, so the workaround would be to redirect to another page on my server (the same server that is hosting the content in the iframe), set a cookie, then redirect back to the FB app page. Then the FB app checks if the cookie is set, then displays the thank you message.
Technically this is two pages:
index.php (which has)
<div class="not-liked">please like us</div>
<div class="liked">enter contest</div>
<div class="thanks">thank you</div> <!-- hidden until page refresh and cookie set -->
redirect.php (which has the cookie/redirect code above)
Cookies are typically only accessible within a specified domain.
From the PHP documentation:
domain: The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.
Check your browser settings to see if you have enabled third-party cookies. In some browsers, if they are disabled a page inside an iframe will not receive cookies even if they belong to the same domain.
Did you call session_start()? That will get PHP to check the request headers for the session cookie.