Larry Ullman's Book Forums


Hi Larry,

 

Haven't been on the forum in a while, but hello from Oz.  I have been more 'knee-deep' into jQuery lately.

 

On pages 360... you describe setting the lifetime of a session cookie.

 

Is it correct that when the cookie 'dies' that the session data are no longer in existence or accessible?

 

Also, is the 'session_set_cookie_params' needed on every script that uses the session?

 

Thanks in anticipation for your advice.

 

Cheers 


Hey! Hope you're doing well. There are two sides to sessions: the session identifier and the session data. The session identifier is stored in the browser and the session data is stored on the server. They can exist independently of each other--you can not have one but still have the other--but you need both to successfully use a session. So when the cookie dies, that's in the browser and it doesn't affect the session data, however there would be no way to get that session data. It's also possible for the server to clean up the session data but for the cookie to still exist (and therefore have no session data).

 

Yes, you'll want to use session_set_cookie_params() on any page that uses session_start() as session_start() may attempt to refresh a cookie. 


Hi Larry,

 

Thanks for the advice.

 

As you can probably guess, the background to the question is as follows:

 

- I have a website which has both a public area and also a members' area.

- Members sometimes forget to log out of the members' area when they are finished.

- But, if I understand your advice correctly, even if they forget to log out, another person on a different computer could not use that session data as they won't have the corresponding cookie on their PC - is that correct?

 

The website in question also has an administration area.  I have added your 'session agent' advice (pages 368...) as I don't want any malicious person messing around in that admin area!

 

Thanks again for your advice and I hope and trust that you and your family are A-OK.

 

Best wishes from Oz. 

Edited by Necuima


Well...it's complicated. If someone logs in from a public computer and doesn't log out, that cookie would exist in the browser and be viewable for some time. A hacker could look at the cookie in the browser's settings, copy the information, then create a new cookie on a new computer and effectively begin using that same session. 

 

Depending upon the importance of the information in the site, you'll want to adjust your parameters accordingly: short cookie lifetimes, short session lifetimes, require re-authentication to perform certain tasks, and so forth.

 

We're getting by here. Hope you are, too!


Thank you again for the advice.

 

Yes, we're getting by here too - thankfully still in remission!

 

I am going to try and set the lifetime of the member area cookie as well as the lifetime of the associated session.  Is it best to use 'ini_set's or the session_set_cookie_params as per page 361?  Is there a 'session_set...' PHP function for the session maxlifetime? If 'ini_set's, do they come before the session_start()?

 

For the admin area I'm not so concerned as I'm the only one with a password (SHA encrypted) to get in there and I always log out, which destroys the session and its associated cookie as per your guidance in the book.  Or am I under a security misapprehension?

 

Cheers.


Also, there are no financial data in the website but it has been mischievously hacked twice - current/old version now protected by sucuri.net but I'm trying to avoid the need for that type of protection in the re-write that I'm doing. My questions above relate to the re-write. The website is www.sunshinecoasthog.com.au - currently the old version is in production but the re-write will have similar functionality but is architected as per your guidance in "PHP Advanced".


I would use session_set_cookie_params() in an included file that handles all your cookie stuff (i.e., every page that uses cookies would include that). 

 

Let me know if you have any other questions!

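The advice in this thread (set cookie parameters on every page that calls session_start(), keep cookie and session lifetimes short, check a "session agent" fingerprint, require re-authentication for sensitive actions, and destroy both the session data and the cookie on logout) fits naturally into the single included file Larry suggests. The following is an added example in that spirit; it is not code from Larry's book or from the forum, and the constants, the idle limit, the re-authentication window, the server-side secret and the /login.php path are all assumptions. It also answers the earlier question directly: there is no session_set_*() function for the server-side lifetime; session.gc_maxlifetime is an ini directive, and ini_set() must run before session_start() to take effect.

```php
<?php
// session_bootstrap.php -- added example, not the book's or the forum's own code.
// Include this file before any output on every page that uses the session.

declare(strict_types=1);

const SESSION_IDLE_LIMIT      = 900;  // seconds of inactivity allowed (assumption)
const SESSION_COOKIE_LIFETIME = 0;    // 0 = cookie dies with the browser; use e.g. 900 to expire it on disk too
const SESSION_AGENT_SECRET    = 'replace-with-a-long-random-value'; // assumption: keep this out of source control

// Server-side lifetime. ini_set() has to precede session_start(); there is no
// session_set_*() helper for this directive. Note that gc_maxlifetime only makes
// the data *eligible* for garbage collection, so the idle check below is the real limit.
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIMIT);
ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL

// Browser-side cookie attributes. Set on every page because session_start()
// may re-send the cookie. The array form needs PHP 7.3 or later.
session_set_cookie_params([
    'lifetime' => SESSION_COOKIE_LIFETIME,
    'path'     => '/',
    'domain'   => '',      // current host only (assumption: single host)
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

// "Session agent" fingerprint: HMAC of the User-Agent with a server-side secret,
// so a copied cookie from a different browser is rejected.
function session_agent_fingerprint(): string
{
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', SESSION_AGENT_SECRET);
}

// Logout: clear the data, expire the cookie in the browser, and delete the server-side data.
function session_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Validate the current session; returns false (after destroying it) if it must not continue.
function session_validate(): bool
{
    $now = time();
    if (!isset($_SESSION['agent'], $_SESSION['last_activity'])) {
        // Brand-new session: record the fingerprint and the activity time.
        $_SESSION['agent']         = session_agent_fingerprint();
        $_SESSION['last_activity'] = $now;
        return true;
    }
    if (!hash_equals($_SESSION['agent'], session_agent_fingerprint())) {
        session_logout();   // cookie presented from a different browser
        return false;
    }
    if ($now - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        session_logout();   // idle too long, regardless of gc timing
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Call after a successful password check: a fresh ID prevents session fixation.
function session_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['agent']         = session_agent_fingerprint();
    $_SESSION['last_activity'] = time();
    $_SESSION['auth_time']     = time();
}

// Sensitive actions (e.g. anything in the admin area) should re-check the password
// if the last authentication is older than $window seconds (assumed 5 minutes).
function session_requires_reauth(int $window = 300): bool
{
    return !isset($_SESSION['auth_time']) || time() - $_SESSION['auth_time'] > $window;
}

if (!session_validate()) {
    header('Location: /login.php');   // assumption: the site's login page
    exit;
}
```

A stolen cookie still works from the same browser type until the idle limit expires, which is why the re-authentication check matters for the admin pages: copying the cookie gets an attacker a logged-in session, but not a recent password check.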