
Session Cookie Expiration Behaviour

sessions cookies

8 replies to this topic

#1 Necuima

    Advanced Member

  • Members
  • 255 posts
  • Location: Sunshine Coast, Queensland, Australia

Posted 22 April 2017 - 1:30 AM

Hi Larry,

Haven't been on the forum in a while, but hello from Oz. I have been more 'knee-deep' into jQuery lately.

On pages 360... you describe setting the lifetime of a session cookie.

Is it correct that when the cookie 'dies' that the session data are no longer in existence or accessible?

Also, is the 'session_set_cookie_params' needed on every script that uses the session?

Thanks in anticipation for your advice.

Cheers



#2 Larry

    Administrator/Writer

  • Administrators
  • 4766 posts
  • Location: State College, PA (USA)

Posted 24 April 2017 - 9:41 AM

Hey! Hope you're doing well. There are two sides to sessions: the session identifier and the session data. The session identifier is stored in the browser and the session data is stored on the server. They can exist independently of each other--you can not have one but still have the other--but you need both to successfully use a session. So when the cookie dies, that's in the browser and it doesn't affect the session data, however there would be no way to get that session data. It's also possible for the server to clean up the session data but for the cookie to still exist (and therefore have no session data).

Yes, you'll want to use session_set_cookie_params() on any page that uses session_start() as session_start() may attempt to refresh a cookie.



#3 Necuima


Posted 25 April 2017 - 6:38 PM

Hi Larry,

Thanks for the advice.

As you can probably guess, the background to the question is as follows:

  • I have a website which has both a public area and also a members' area.
  • Members sometimes forget to log out of the members' area when they are finished.
  • But, if I understand your advice correctly, even if they forget to log out, another person on a different computer could not use that session data as they won't have the corresponding cookie on their PC - is that correct?

The website in question also has an administration area. I have added your 'session agent' advice (pages 368...) as I don't want any malicious person messing around in that admin area!

Thanks again for your advice and I hope and trust that you and your family are A-OK.

Best wishes from Oz.


Edited by Necuima, 25 April 2017 - 6:39 PM.


#4 Larry


Posted 27 April 2017 - 10:28 PM

Well...it's complicated. If someone logs in from a public computer and doesn't log out, that cookie would exist in the browser and be viewable for some time. A hacker could look at the cookie in the browser's settings, copy the information, then create a new cookie on a new computer and effectively begin using that same session.

Depending upon the importance of the information in the site, you'll want to adjust your parameters accordingly: short cookie lifetimes, short session lifetimes, require re-authentication to perform certain tasks, and so forth.

We're getting by here. Hope you are, too!



#5 Necuima


Posted 28 April 2017 - 2:05 AM

Thank you again for the advice.

Yes, we're getting by here too - thankfully still in remission!

I am going to try and set the lifetime of the member area cookie as well as the lifetime of the associated session. It is best to use ini_set()s or session_set_cookie_params() as per page 361. Is there a 'session_set...' PHP function for the session maxlifetime? If ini_set()s, do they come before the session_start()?

For the admin area I'm not so concerned as I'm the only one with a password (SHA encrypted) to get in there and I always log out, which destroys the session and its associated cookie as per your guidance in the book. Or am I under a security misapprehension?

Cheers.



#6 Necuima


Posted 1 May 2017 - 6:14 PM

Also, there are no financial data in the website but it has been mischievously hacked twice - current/old version now protected by sucuri.net but I'm trying to avoid the need for that type of protection in the re-write that I'm doing. My questions above relate to the re-write. The website is www.sunshinecoasthog.com.au - currently the old version is in production but the re-write will have similar functionality but is architected as per your guidance in "PHP Advanced".



#7 Necuima


Posted 4 May 2017 - 7:14 AM

Hi Larry,

Looking forward to your advice re the ini_set()s and cookie and session parameters.

Thanks



#8 Larry


Posted 8 May 2017 - 10:55 PM

I would use session_set_cookie_params() in an included file that handles all your cookie stuff (i.e., every page that uses cookies would include that).

Let me know if you have any other questions!


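Larry's advice in #2 and #8 (call session_set_cookie_params() on every page that uses session_start(), and keep it in one included file) and Necuima's questions in #5 (do the ini_set() calls go before session_start(), and is there a function for the server-side lifetime) put together as one added example. This is not code from the book or from either poster; the file name, the timeout values, the login page path and the PHP 7.3+ array syntax are assumptions.

```php
<?php
// session_bootstrap.php (hypothetical name): include it on every page that calls
// session_start(). Added example; assumes PHP >= 7.3 and HTTPS.
const COOKIE_LIFETIME = 1800;     // 30 min; constructed value for illustration
const IDLE_TIMEOUT    = 900;      // 15 min without a request ends the session
const ABSOLUTE_MAX    = 4 * 3600; // force re-authentication after 4 hours
// Logout/timeout helper: clears the data, removes the server-side record and
// expires the browser cookie, so neither half of the session survives.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
// ini_set() goes BEFORE session_start(). The server-side lifetime has no
// session_set_*() function; it is the session.gc_maxlifetime directive, and
// garbage collection is probabilistic, so the timeout check below enforces it.
ini_set('session.gc_maxlifetime', (string) COOKIE_LIFETIME);
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
ini_set('session.use_only_cookies', '1'); // never read the id from the URL
session_set_cookie_params([
    'lifetime' => COOKIE_LIFETIME,
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,    // sent over HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();
$now = time();
if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = $_SESSION['last_seen'] = $now;
}
// An expired cookie deletes nothing on the server, so enforce the timeouts here.
if ($now - $_SESSION['last_seen'] > IDLE_TIMEOUT || $now - $_SESSION['created'] > ABSOLUTE_MAX) {
    end_session();
    header('Location: /login.php'); // hypothetical login page
    exit;
}
$_SESSION['last_seen'] = $now;
```

The logout page can simply include this file and then call end_session(), which is the same clean-up the timeout path uses, so a forgotten logout ends with the same result as a deliberate one once the idle timeout passes.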

#9 Necuima


Posted 10 May 2017 - 1:34 AM

Thanks, Larry.

 

Cheers from Oz.

