Handling sessions through cookies, is it safe?

ro********@gmail.com wrote:

I need to limit the session time for a particular user who is working
on my site. I'd also like to extend the session time each time user
performs some action (moves from one page to another). I've written
the following code to accomplish this task

/* Extending session */
if(isset($_COOKIE['username'])) {
setcookie ("username", $_POST['username'], time()+3600);
}

Pardon, you let them post their username on every navigation?

Variable $_COOKIE['username'] right after the authorization is
completed.
The problem is that I don't think this is a safe way to handle
sessions. Perhaps I should use $_SESSION global array to store the
username of the logged user?

Why not set the time of the last action in the $SESSION?

$timeout = 60 * 60; //60 minutes here, as long or short as you'd like
session_start();
if(!isset($_SESSION['time']) || $_SESSION['time'] + $timeout < time()){
//invalid, we'll destroy all data:
$_SESSION = array();
if (isset($_COOKIE[session_name()])) setcookie(session_name(), '',
time()-42000, '/');
if (isset($_COOKIE['username'])) setcookie('username', '', time()-42000,
'/');
session_destroy();
} else {
//valid, update times:
$_SESSION['time'] = time();
setcookie('username', $username, $_SESSION['time'] + $timeout, '/');
//You'll have to get that $username from somewhere in your actual
validation.
}

Grtz,
--
Rik Wasmus

ro********@gmail.com wrote:

I need to limit the session time for a particular user who is working
on my site. I'd also like to extend the session time each time user
performs some action (moves from one page to another). I've written the
following code to accomplish this task

/* Extending session */
if(isset($_COOKIE['username'])) {
setcookie ("username", $_POST['username'], time()+3600);
}

Variable $_COOKIE['username'] right after the authorization is
completed.
The problem is that I don't think this is a safe way to handle
sessions. Perhaps I should use $_SESSION global array to store the
username of the logged user?

In my opinion, all you should store in a cookie is session-id.
Everything else, you store on server in either global session veriable
or in a database.

On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:

ro********@gmail.com wrote:

>I need to limit the session time for a particular user who is working
on my site. I'd also like to extend the session time each time user
performs some action (moves from one page to another). I've written the
following code to accomplish this task

/* Extending session */
if(isset($_COOKIE['username'])) {
setcookie ("username", $_POST['username'], time()+3600);
}

Variable $_COOKIE['username'] right after the authorization is
completed.
The problem is that I don't think this is a safe way to handle
sessions. Perhaps I should use $_SESSION global array to store the
username of the logged user?

In my opinion, all you should store in a cookie is session-id.
Everything else, you store on server in either global session veriable
or in a database.

Agreed.
Set a session variable with php time() and do your own timeout.

if (isset($_SESSION['$Server_time']) && (time() -
$_SESSION['$Server_time']) 600)
$_SESSION = array(); //break this session and restart when over 10 minutes
$_SESSION['$Server_time'] = time(); //time in seconds

totalstranger wrote:

On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:

>ro********@gmail.com wrote:

>>I need to limit the session time for a particular user who is working
on my site. I'd also like to extend the session time each time user
performs some action (moves from one page to another). I've written the
following code to accomplish this task

/* Extending session */
if(isset($_COOKIE['username'])) {
setcookie ("username", $_POST['username'], time()+3600);
}

Variable $_COOKIE['username'] right after the authorization is
completed.
The problem is that I don't think this is a safe way to handle
sessions. Perhaps I should use $_SESSION global array to store the
username of the logged user?

In my opinion, all you should store in a cookie is session-id.
Everything else, you store on server in either global session veriable
or in a database.

Agreed.
Set a session variable with php time() and do your own timeout.

if (isset($_SESSION['$Server_time']) && (time() -
$_SESSION['$Server_time']) 600)
$_SESSION = array(); //break this session and restart when over 10
minutes
$_SESSION['$Server_time'] = time(); //time in seconds

May want to consider adding a few sanity checks for this. Never trust
input from the user.
In your cookie, store two values. The username, and then a md5 of the
username plus a salt. When you read the cookie, compare the md5.

i.e.
$plaintext_cookie_value = $_COOKIE['username'];
$hashed_username_value = md5($_COOKIE['username'] . "some random salt");
if($_COOKIE['usernamehashed'] == $hashed_username_value){
// plaintext is valid
} else {
// Someone changed the username
}

Just make sure to use the same "some random salt" when you set the cookie.

-- Steve