
Handling sessions through cookies, is it safe?

I need to limit the session time for a particular user who is working
on my site. I'd also like to extend the session time each time the user
performs some action (moves from one page to another). I've written the
following code to accomplish this task:

/* Extending session */
if(isset($_COOKIE['username'])) {
setcookie ("username", $_POST['username'], time()+3600);
}

The variable $_COOKIE['username'] is set right after the authorization is
completed.
The problem is that I don't think this is a safe way to handle
sessions. Perhaps I should use the $_SESSION global array to store the
username of the logged-in user?

Jul 16 '06 #1
4 Replies


Rik
ro********@gmail.com wrote:
> I need to limit the session time for a particular user who is working
> on my site. I'd also like to extend the session time each time the user
> performs some action (moves from one page to another). I've written
> the following code to accomplish this task:
>
> /* Extending session */
> if(isset($_COOKIE['username'])) {
> setcookie ("username", $_POST['username'], time()+3600);
> }
Pardon, you let them post their username on every navigation?
> The variable $_COOKIE['username'] is set right after the authorization is
> completed.
> The problem is that I don't think this is a safe way to handle
> sessions. Perhaps I should use the $_SESSION global array to store the
> username of the logged-in user?
Why not set the time of the last action in the $_SESSION?

$timeout = 60 * 60; // 60 minutes here, as long or short as you'd like
session_start();
if (!isset($_SESSION['time']) || $_SESSION['time'] + $timeout < time()) {
    // invalid, we'll destroy all data:
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    if (isset($_COOKIE['username'])) {
        setcookie('username', '', time() - 42000, '/');
    }
    session_destroy();
} else {
    // valid, update times:
    $_SESSION['time'] = time();
    setcookie('username', $username, $_SESSION['time'] + $timeout, '/');
    // You'll have to get that $username from somewhere in your actual validation.
}

Grtz,
--
Rik Wasmus
Jul 17 '06 #2

ro********@gmail.com wrote:
> I need to limit the session time for a particular user who is working
> on my site. I'd also like to extend the session time each time the user
> performs some action (moves from one page to another). I've written the
> following code to accomplish this task:
>
> /* Extending session */
> if(isset($_COOKIE['username'])) {
> setcookie ("username", $_POST['username'], time()+3600);
> }
>
> The variable $_COOKIE['username'] is set right after the authorization is
> completed.
> The problem is that I don't think this is a safe way to handle
> sessions. Perhaps I should use the $_SESSION global array to store the
> username of the logged-in user?
In my opinion, all you should store in a cookie is the session id.
Everything else you store on the server, in either a global session variable
or in a database.
Jul 17 '06 #3

On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:
> ro********@gmail.com wrote:
>> I need to limit the session time for a particular user who is working
>> on my site. I'd also like to extend the session time each time the user
>> performs some action (moves from one page to another). I've written the
>> following code to accomplish this task:
>>
>> /* Extending session */
>> if(isset($_COOKIE['username'])) {
>> setcookie ("username", $_POST['username'], time()+3600);
>> }
>>
>> The variable $_COOKIE['username'] is set right after the authorization is
>> completed.
>> The problem is that I don't think this is a safe way to handle
>> sessions. Perhaps I should use the $_SESSION global array to store the
>> username of the logged-in user?
>
> In my opinion, all you should store in a cookie is the session id.
> Everything else you store on the server, in either a global session variable
> or in a database.
Agreed.
Set a session variable with PHP time() and do your own timeout.

session_start(); // needed before $_SESSION is available
if (isset($_SESSION['$Server_time']) && (time() - $_SESSION['$Server_time']) > 600) {
    $_SESSION = array(); // break this session and restart when over 10 minutes
}
$_SESSION['$Server_time'] = time(); // time in seconds
Jul 17 '06 #4
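The server-side timeout that Rik and totalstranger describe, written as an added example (not any poster's code) as functions that take the session array and the clock as parameters so they can be exercised from the command line without a web server. It goes a little beyond the posts by adding an absolute lifetime next to the idle limit and regenerating the session id at login; the limit values, the key names and the constructed timestamps are assumptions.

```php
<?php
// Added example: session expiry kept entirely in $_SESSION, so the browser
// only ever holds the session id cookie (as sanjay recommends above).

const IDLE_LIMIT     = 600;      // assumption: expire after 10 minutes without a request
const ABSOLUTE_LIMIT = 8 * 3600; // assumption: force re-login after 8 hours regardless

/**
 * Decide whether the session is still live and, if so, refresh its
 * last-activity stamp. Returns true when the request may proceed.
 * $session is passed by reference so the caller can hand in $_SESSION.
 */
function touch_session(array &$session, int $now): bool
{
    if (!isset($session['last_seen'], $session['started'])) {
        return false;                 // never logged in on this session
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT) {
        return false;                 // idle too long
    }
    if ($now - $session['started'] > ABSOLUTE_LIMIT) {
        return false;                 // lifetime exhausted even if active
    }
    $session['last_seen'] = $now;     // extend on every valid request
    return true;
}

/** Call once after the credentials have been checked. */
function begin_login_session(array &$session, string $username, int $now): void
{
    $session = ['username' => $username, 'started' => $now, 'last_seen' => $now];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);  // drop the pre-login id
    }
}

/** Throw away everything when the check fails. */
function end_session(array &$session): void
{
    $session = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Offline walkthrough with a constructed session array instead of $_SESSION.
$s  = [];
$t0 = 1700000000;                     // constructed login time
begin_login_session($s, 'alice', $t0);
echo "request at +500 s:  ", touch_session($s, $t0 + 500) ? "live\n" : "expired\n";
echo "request at +1101 s: ", touch_session($s, $t0 + 1101) ? "live\n" : "expired\n";
if (!touch_session($s, $t0 + 1101)) {
    end_session($s);
}
```

The second request is 601 seconds after the first one refreshed last_seen, so it is rejected and the session array is cleared.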

totalstranger wrote:
> On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:
>> ro********@gmail.com wrote:
>>> I need to limit the session time for a particular user who is working
>>> on my site. I'd also like to extend the session time each time the user
>>> performs some action (moves from one page to another). I've written the
>>> following code to accomplish this task:
>>>
>>> /* Extending session */
>>> if(isset($_COOKIE['username'])) {
>>> setcookie ("username", $_POST['username'], time()+3600);
>>> }
>>>
>>> The variable $_COOKIE['username'] is set right after the authorization is
>>> completed.
>>> The problem is that I don't think this is a safe way to handle
>>> sessions. Perhaps I should use the $_SESSION global array to store the
>>> username of the logged-in user?
>>
>> In my opinion, all you should store in a cookie is the session id.
>> Everything else you store on the server, in either a global session variable
>> or in a database.
>
> Agreed.
> Set a session variable with PHP time() and do your own timeout.
>
> if (isset($_SESSION['$Server_time']) && (time() - $_SESSION['$Server_time']) > 600)
> $_SESSION = array(); // break this session and restart when over 10 minutes
> $_SESSION['$Server_time'] = time(); // time in seconds
You may want to consider adding a few sanity checks for this. Never trust
input from the user.
In your cookie, store two values: the username, and then an md5 of the
username plus a salt. When you read the cookie, compare the md5.

i.e.
$plaintext_cookie_value = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
// Recompute the hash from the plaintext and the server-side salt
$hashed_username_value = md5($plaintext_cookie_value . "some random salt");
// Strict comparison: == would type-juggle the two strings
if (isset($_COOKIE['usernamehashed']) && $_COOKIE['usernamehashed'] === $hashed_username_value) {
    // plaintext is valid
} else {
    // Someone changed the username
}

Just make sure to use the same "some random salt" when you set the cookie.

-- Steve
Aug 13 '06 #5
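Steve's two-cookie check, as an added example that is not his code: the same layout of a plaintext cookie plus a tag cookie, but the tag is computed with hash_hmac keyed by a server-side secret rather than md5(username . salt), and compared with hash_equals rather than ==. The secret value, the cookie name usernametag and the constructed cookie jars are assumptions.

```php
<?php
// Added example: integrity-protecting a value that the browser stores for us.
// Assumption: SECRET comes from server-side configuration and is never sent to the client.
const SECRET = 'replace-with-a-long-random-server-side-secret';

/** Produce the tag that accompanies $username in its own cookie. */
function cookie_tag(string $username): string
{
    // hash_hmac keys the digest with SECRET; a bare md5($username . $salt)
    // is not a keyed MAC and can be forged by anyone who learns the salt.
    return hash_hmac('sha256', $username, SECRET);
}

/** Set both cookies after a successful login (secure + httponly flags on). */
function issue_username_cookie(string $username, int $expires): void
{
    setcookie('username', $username, $expires, '/', '', true, true);
    setcookie('usernametag', cookie_tag($username), $expires, '/', '', true, true);
}

/**
 * Return the username only if its tag verifies; null otherwise.
 * $cookies lets the caller pass $_COOKIE or a constructed array.
 */
function verify_username_cookie(array $cookies): ?string
{
    if (!isset($cookies['username'], $cookies['usernametag'])
        || !is_string($cookies['username']) || !is_string($cookies['usernametag'])) {
        return null;                       // missing, or sent as an array (username[]=...)
    }
    $expected = cookie_tag($cookies['username']);
    // hash_equals runs in constant time and never type-juggles.
    return hash_equals($expected, $cookies['usernametag']) ? $cookies['username'] : null;
}

// Offline walkthrough with constructed cookie jars instead of $_COOKIE.
$good     = ['username' => 'alice', 'usernametag' => cookie_tag('alice')];
$tampered = ['username' => 'admin', 'usernametag' => cookie_tag('alice')];
echo "good jar:     ", var_export(verify_username_cookie($good), true), "\n";
echo "tampered jar: ", var_export(verify_username_cookie($tampered), true), "\n";
```

Changing the username cookie without being able to recompute the tag makes verify_username_cookie return null, which the caller should treat exactly like a missing login.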
