Larry Ullman's Book Forums

Hi Larry,

Haven't been on the forum in a while, but hello from Oz. I have been more 'knee-deep' into jQuery lately.

On pages 360... you describe setting the lifetime of a session cookie.

Is it correct that when the cookie 'dies' that the session data are no longer in existence or accessible?

Also, is the 'session_set_cookie_params' needed on every script that uses the session?

Thanks in anticipation for your advice.

Cheers

Hey! Hope you're doing well. There are two sides to sessions: the session identifier and the session data. The session identifier is stored in the browser and the session data is stored on the server. They can exist independently of each other--you can not have one but still have the other--but you need both to successfully use a session. So when the cookie dies, that's in the browser and it doesn't affect the session data, however there would be no way to get that session data. It's also possible for the server to clean up the session data but for the cookie to still exist (and therefore have no session data).

Yes, you'll want to use session_set_cookie_params() on any page that uses session_start(), as session_start() may attempt to refresh a cookie.

Hi Larry,

Thanks for the advice.

As you can probably guess, the background to the question is as follows:

- I have a website which has both a public area and also a members' area.

- Members sometimes forget to log out of the members' area when they are finished.

- But, if I understand your advice correctly, even if they forget to log out, another person on a different computer could not use that session data as they won't have the corresponding cookie on their PC - is that correct?

The website in question also has an administration area. I have added your 'session agent' advice (pages 368...) as I don't want any malicious person messing around in that admin area!

Thanks again for your advice and I hope and trust that you and your family are A-OK.

Best wishes from Oz.

Edited by Necuima
Well... it's complicated. If someone logs in from a public computer and doesn't log out, that cookie would exist in the browser and be viewable for some time. A hacker could look at the cookie in the browser's settings, copy the information, then create a new cookie on a new computer and effectively begin using that same session.

Depending upon the importance of the information in the site, you'll want to adjust your parameters accordingly: short cookie lifetimes, short session lifetimes, require re-authentication to perform certain tasks, and so forth.

We're getting by here. Hope you are, too!

Thank you again for the advice.

Yes, we're getting by here too - thankfully still in remission!

I am going to try and set the lifetime of the member area cookie as well as the lifetime of the associated session. Is it best to use ini_set()s or session_set_cookie_params() as per page 361? Is there a 'session_set...' PHP function for the session maxlifetime? If ini_set()s, do they come before the session_start()?

For the admin area I'm not so concerned as I'm the only one with a password (SHA encrypted) to get in there and I always log out, which destroys the session and its associated cookie as per your guidance in the book. Or am I under a security misapprehension?

Cheers.

Also, there are no financial data in the website, but it has been mischievously hacked twice - the current/old version is now protected by sucuri.net, but I'm trying to avoid the need for that type of protection in the re-write that I'm doing. My questions above relate to the re-write. The website is www.sunshinecoasthog.com.au - currently the old version is in production, but the re-write will have similar functionality and is architected as per your guidance in "PHP Advanced".

I would use session_set_cookie_params() in an included file that handles all your cookie stuff (i.e., every page that uses cookies would include that).

Let me know if you have any other questions!
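As an added illustration of the included file suggested in this thread (example code written for this page, not Larry's or the book's), the following puts the ini_set() calls before session_start(), sets the cookie parameters on every request, applies one form of the 'session agent' idea, enforces the session lifetime in code rather than relying on garbage collection, and provides a logout routine that removes both the cookie and the server-side data. The file name, the 1800-second limits, login.php, an HTTPS-only site and PHP 7.3 or later (for the array form of session_set_cookie_params()) are all assumptions.

```php
<?php
// sessions.inc.php (hypothetical name): included by every page that uses a session.
// Added example, not the book's code; the 1800-second limits and login.php are assumed.
const SESSION_IDLE_LIMIT = 1800; // 30 minutes of inactivity

// Server side: every ini_set() must come BEFORE session_start(). gc_maxlifetime only
// says when garbage collection MAY delete data, so the idle limit is also enforced below.
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIMIT);
ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL

// Browser side: cookie attributes, set on every request so the cookie that
// session_start() refreshes always carries the same settings.
session_set_cookie_params([
    'lifetime' => SESSION_IDLE_LIMIT,
    'path'     => '/',
    'secure'   => true,   // assumes the site is served over HTTPS
    'httponly' => true,   // not readable by JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Logout / invalidation: clear the data, expire the browser cookie, delete the server record.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// One form of the 'session agent' check: tie the session to the browser's User-Agent.
$agent = md5($_SERVER['HTTP_USER_AGENT'] ?? '');
if (!isset($_SESSION['agent'])) {
    $_SESSION['agent'] = $agent;
} elseif (!hash_equals($_SESSION['agent'], $agent)) {
    end_session();
    header('Location: login.php');
    exit;
}

// Idle timeout enforced in code rather than left to garbage collection.
$now = time();
if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT) {
    end_session();
    header('Location: login.php');
    exit;
}
$_SESSION['last_seen'] = $now;
```

A login script that includes this file should also call session_regenerate_id(true) right after a successful login, so that a session ID obtained before authentication cannot be reused afterwards.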
