loosing cookie values in new pages

Dear all,

We are using cookie base access management in our business intranet
portal. We are setting user level cookies at the time of successfull
login in the system, and after login we are checking the cookie 'user
id' and 'page id'; if user has permission of the particular page he/she
is allowed, otherwise throw the access denied message.

For almost all the machines we are not facing problem in this
structure; because cookies can be accessible throughout the domain
pages.

But in some systems, the cookies are getting lost after even successful
login. i.e in newly opened pages we are not able to retrieve the cookie
values thus permitted user is getting fatal error.

I m not able to understand the problem, can anyone explain me the
problem and solution.

Thanks all,
Rushik.

re: loosing cookie values in new pages

First, are you only storing user_id in cookies? This sounds like a
security problem. I'm guessing your user_ids are sequential and thus
easily guessed. Someone could easily create a fake cookie with a
guessed user_id and now have access to your system. You'll want to
create some sort of randomly generated md5 hash which is a lot harder
to guess (almost impossible). Or, you could just use PHPs built in
session handling which does this for you automatically.

Does this problem only happen on specific computers and not on others?
If so, it sounds like the security settings of the web browsers on
those computers are not allowing cookies.

--
Bradley Holt <bradley.holt@gmail.com>
http://www.gtalkprofile.com/profile/2.html

re: loosing cookie values in new pages

Hello,

We have created cookies user_id by using our algorithm, thus that will
not be the problem. The problem is occurring in the particular
machines, but the main problem is;
at the first level link pages we are able to retreive cookie
information but at the second level pages in the same domain cookies
are not accessible.

Actually if the cookies are blocked at browser level then at the first
level link we should not get the cookies. Right?

Thanks.
Rushik.

re: loosing cookie values in new pages

IE6 needs a P3P policy for cookies to work properly:

<?php
header('P3P: CP="CAO PSA OUR"');
?>

Without this header in IE6, cookies will be lost as you described above.

re: loosing cookie values in new pages

Thanks all for replying quickly, but the problem is not frequent,
sometimes it occurs on some machines sometimes not, can you tell me how
to regenerate the cookie problem?

Thanks
Rushik

re: loosing cookie values in new pages

Hello,

we are experiencing the identical problem with an open source
application we have running, but this header did not fix the problem
for us. Does anyone know of a good resource on P3P headers?

re: loosing cookie values in new pages

Alex P wrote:
[color=blue]
> we are experiencing the identical problem with
> an open source application we have running, but
> this header did not fix the problem for us. Does
> anyone know of a good resource on P3P headers?[/color]

The official site for the P3P specification is:
http://www.w3.org/TR/P3P/

A free P3P editor: http://www.alphaworks.ibm.com/tech/p3peditor

A free compact policy generator:
http://www.privacycouncil.com/freep3pfix.php

There are other quirks which can cause cookies to be lost also.

re: loosing cookie values in new pages

What are other possible option? We basically have a user go through a
dozen or more page views and suddently loose their id cookie.

re: loosing cookie values in new pages

Hello,

The above described cookie problem is creating problem for our system.
I want the optional solution for the cookie. In short i want to use
some variables which i can access in all the pages globally just like
cookies.

Is there any other solution ?? I can explain my exact requirement also
if required.

Thanks
Rushik.