Stopping php cookie editing



keyboard
06-29-2011, 10:11 AM
Hi everyone,
I have been playing around with php and in particular cookies. I am using a cookie to remember a name of a visitor. The first code is

<?php
if(isset($_COOKIE['lastVisit']))
header('location: indexthesecond.php');
else
$visit = $_COOKIE['lastVisit'];
?>

and the second is

<?php
if(isset($_COOKIE['lastVisit']))
$visit = $_COOKIE['lastVisit'];
else
header('location: indexthesecond.php');
?>


Is there any way to stop someone putting a code such as this
javascript:void(document.cookie="lastVisit=name");

and changing the cookie.

Thanks for any help

bluewalrus
06-29-2011, 01:20 PM
Cookies are stored client side so there is no way to control the content of them. You could use SESSIONs though, http://www.php.net/manual/en/intro.session.php

traq
06-29-2011, 03:59 PM
Hi everyone,
I have been playing around with php and in particular cookies. I am using a cookie to remember a name of a visitor. [...]
Is there any way to stop someone putting a code such as this
javascript:void(document.cookie="lastVisit=name");

and changing the cookie.

Thanks for any help

why should you care if they give you a different name?

if there's more to this (i.e., some sort of security precaution?) then you'd need to rethink how you're doing it anyway.

Keep a copy of whatever value you give them (either via a database, or by using sessions like bluewalrus suggested). That way, you can verify not only that they have the cookie, but that it matches your records.




if(isset($_COOKIE['lastVisit'])){
header('location: indexthesecond.php');
}else{
$visit = $_COOKIE['lastVisit'];
}

if(isset($_COOKIE['lastVisit'])){
$visit = $_COOKIE['lastVisit'];
}else{
header('location: indexthesecond.php');
}
Also, I don't understand why you're doing the same thing, twice, but in reverse order. If these two statements are on the same page, then either the user has the cookie and is redirected (the second block never runs), or they don't and you get an error by trying to set $visit to a non-existent value (and then, they're sent to the same page as if they _did_ have the cookie). If these statements are on different pages, then you might just be setting up for an unending loop.

Can you explain what you're trying to accomplish in more detail?
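The approach traq describes (keep a server-side record and check that the cookie matches it) worked through as an added example; this is not code from the thread. It goes one step further than the post: the cookie carries only an opaque random token, and the name itself never leaves the server, so a visitor who edits the cookie can at worst present a token that is not on record. The file path `visitor_tokens.json` and the function names are assumptions made for the example; a JSON file stands in for the database.

```php
<?php
// Added example, not from the thread: an opaque token in the cookie,
// the visitor's name in server-side storage keyed by that token.

const TOKEN_STORE = __DIR__ . '/visitor_tokens.json'; // assumed path, stands in for a DB

function loadStore(): array {
    if (!is_file(TOKEN_STORE)) {
        return [];
    }
    $data = json_decode((string) file_get_contents(TOKEN_STORE), true);
    return is_array($data) ? $data : [];
}

function saveStore(array $store): void {
    file_put_contents(TOKEN_STORE, json_encode($store), LOCK_EX);
}

// Record $name server-side and hand the browser only a random token.
function rememberVisitor(string $name): string {
    $token = bin2hex(random_bytes(32));          // 256 random bits, not guessable
    $store = loadStore();
    $store[$token] = $name;
    saveStore($store);
    setcookie('lastVisit', $token, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable or writable via document.cookie
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Look the presented token up; null means "no valid cookie", whatever the browser sent.
function visitorNameFromCookie(array $cookies): ?string {
    $presented = $cookies['lastVisit'] ?? null;
    if (!is_string($presented) || !preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return null;                              // missing or malformed: reject early
    }
    $store = loadStore();
    return $store[$presented] ?? null;            // only tokens this server issued resolve
}

// The gate page from the thread: known visitor goes on, anyone else just sees this page.
$name = visitorNameFromCookie($_COOKIE);
if ($name !== null) {
    header('Location: indexthesecond.php');
    exit;                                         // nothing after a redirect should run
}
// no valid cookie: fall through and render the first page
```

The `httponly` flag stops the `document.cookie` trick from the first post, but a visitor can still edit the cookie in the browser's own tools, so the lookup on the server is what actually decides; the flag only narrows how the cookie can be tampered with.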

keyboard
06-29-2011, 10:00 PM
The two codes are on different pages. If you don't have the cookie then you are redirected to the first page. Also, I know that you probably wouldn't care about them changing their name, but this is an example.
I think I might have a go at a session. I've heard of them and seen the basics but I don't really understand it.

Thanks

djr33
06-29-2011, 11:20 PM
Sessions are actually very easy, at least considering how powerful they are. I think they're easier than using cookies.

They work like this:
1. Use <?php session_start(); ?> on EVERY page, AT THE TOP! (It must go before ANY KIND of output including line breaks or spaces, so just start your page with that.)
2. Now you can use the $_SESSION array. $_SESSION['myvar'] for example will be available just like any other variable. But then you can use it on any other page too. It just shares that array through all of the pages.


There are some ways it can get complicated, but that's the simple answer. Note that you will have to change your configuration if you intend to share the session across subdomains (www and not-www included). Actually, session is based on a cookie so you do end up running into some of the same problems, but that's ok because you don't usually have to configure it manually. It should just work using the two steps above.


Play with that for a while and see if it works. I think it will help. There is a lot more information if you search for it, but that should be enough to start.


Also, sessions are basically secure. No session data can be edited (or even seen) by the user, unless you specifically allow this. The only possible security hole is someone stealing a session ID and effectively gaining access to another user's session-- this can create problems. But it's not that bad if the risk isn't high. If you're ever doing anything where this is very important (such as online banking) then look very carefully into security. The same is true for user accounts on a forum where unique accounts are important.
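djr33's two steps, plus the settings that address the session-ID theft he mentions, as an added example that is not code from the thread. Both pages of the original experiment are collapsed into one script: the name is kept in `$_SESSION` on the server, and the browser only ever holds the session ID cookie. The function names and the `name` form field are assumptions; the `ini_set` keys and `session_set_cookie_params` options are real PHP settings.

```php
<?php
// Added example, not from the thread: session-based version of the two pages.

// Lock down how the session ID is accepted and how its cookie travels.
// These are real php.ini settings, applied here per script, before session_start().
ini_set('session.use_strict_mode', '1');  // refuse IDs this server never issued
ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
session_set_cookie_params([
    'lifetime' => 0,         // cookie ends when the browser closes
    'path'     => '/',
    'secure'   => true,      // HTTPS only
    'httponly' => true,      // hidden from document.cookie
    'samesite' => 'Lax',
]);
session_start();             // step 1: before any output at all

// Step 2: the $_SESSION array is shared across pages; store the name there.
function rememberVisitorName(string $name): void {
    // New ID once we know who this is, so an ID captured or fixed earlier
    // stops referring to this session.
    session_regenerate_id(true);
    $_SESSION['visitorName'] = $name;
}

function visitorName(): ?string {
    $n = $_SESSION['visitorName'] ?? null;
    return is_string($n) ? $n : null;
}

function forgetVisitor(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// "First page": a form posts the name; store it and move the visitor on.
if (isset($_POST['name']) && is_string($_POST['name'])) {
    $clean = trim($_POST['name']);
    if ($clean !== '' && mb_strlen($clean) <= 50) {
        rememberVisitorName($clean);
        header('Location: indexthesecond.php');
        exit;                                     // stop here; nothing else should be sent
    }
}

// "Second page" (indexthesecond.php): no known name means do nothing special.
$name = visitorName();
if ($name === null) {
    // render the first page and its form here
} else {
    echo 'Welcome back, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

The value in `$_SESSION` is never sent to the browser, so editing cookies cannot change it; what the cookie flags and `session_regenerate_id()` protect is the session ID itself, which is the one thing a visitor could present to step into someone else's session.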

traq
06-30-2011, 03:19 AM
The two codes are on different pages. If you don't have the cookie then you are redirected to the first page.

This will still give you problems-- I was looking at it for a while and I figured out what was bothering me:
if(isset($_COOKIE['lastVisit'])){
// if user has the cookie,
header('location: indexthesecond.php');
// he gets redirected.
}else{
// if user does _not_ have the cookie,
$visit = $_COOKIE['lastVisit'];
// you try to set the variable $visit --to the value of the cookie.--
// this code will _never_ run if the cookie exists,
// so it will _always_ generate a warning.
// like "NOTICE - undefined variable: lastVisit ..."
}

I realize it's "just an example," but realize that if you don't understand something very well, it's difficult to create a useful example. It's usually much better to simply explain what you really want to do. :D

keyboard
06-30-2011, 03:44 AM
There is no real code. I made this cookie code simply to experiment with cookies. Also, thank you for pointing out the error. Is there any way to change the else tag on the cookie that was wrong to do nothing?


If the cookie is set it redirects them to indexthesecond.php, but if it isn't set then just leave it, and do nothing. Thanks for your help.