doubledee, Posted December 30, 2011

Where does PHP physically write my Session Cookies? I am having a hell of a time clearing out/deleting my Session Cookie, and finding out where it physically resides on my laptop would be very helpful. I am on a MacBook using MAMP and FireFox. Any ideas? Thanks, Debbie

Thread: https://forums.phpfreaks.com/topic/254091-where-are-cookies-physically-stored/
kicken, Posted December 30, 2011

> Where does PHP physically write my Session Cookies?

Nowhere. Your browser is the one that handles the actual storage of the cookie data. Where it stores it depends on the browser in use. I believe firefox stores them in a SQLite database somewhere in the profile folder. If you want to remove the cookies, just use the browser's tools for that. Either to clear all cookies or a cookie manager that will let you single out specific ones for removal. In firefox you go to Options->Privacy and click the 'remove individual cookies' link.
gizmola, Posted December 30, 2011

To add to what kicken stated, a cookie is the responsibility of the browser. PHP simply issues a request to the browser for it to save a cookie. Whether it does or not is up to the browser. So called "session cookies" are not saved by the browser as separate files because they will not persist beyond the lifetime of the browser. This should help you figure out where your cookie files might be for firefox: http://kb.mozillazine.org/Profile_folder_-_Firefox You might also try the web developer plugin that ostensibly has some cookie management features. Not to be confused with a session cookie is the php "session id" cookie that links requests to php sessions. That typically has the name PHPSESSID unless you change it. Most everything about the way php sessions work can be tweaked or reconfigured in some way including the name of the session id variable.
The Little Guy, Posted December 30, 2011

Look in your php.ini file, you should see something that looks like this:

session.save_path = "c:/wamp/tmp"

Note: your location will obviously be different than mine
doubledee (Author), Posted December 30, 2011

> Where does PHP physically write my Session Cookies?
>
> Nowhere. Your browser is the one that handles the actual storage of the cookie data. Where it stores it depends on the browser in use. I believe firefox stores them in a SQLite database somewhere in the profile folder.

Yeah, it looks like FireFox stores them in this directory...

Library/Firefox/Profiles/xxxxx.default/

and in these files...

cookies.sqlite
cookies.sqlite-shm
cookies.sqlite-wal

> If you want to remove the cookies, just use the browser's tools for that. Either to clear all cookies or a cookie manager that will let you single out specific ones for removal. In firefox you go to Options->Privacy and click the 'remove individual cookies' link.

Well, let me step back and explain my larger issue... I just built my first ever Member Account System which includes: Creating an Account, Logging In, Logging Out, Changing Password and Resetting Password. When I am logged in to my website - which uses a Session - and then I log out, I can still see a Session Cookie and the PHPSESSID value in said cookie in FireFox. (This is obviously concerning to me!!) I *thought* my Log Out script was written properly, but it doesn't seem to be working?! Here it is...

```php
<?php
//Build Date: 2011-12-29

// Initialize a session (it must be started before it can be destroyed).
session_start();

// Access Constants (defines BASE_URL).
require_once('../config/config.inc.php');

// Log Out User.
$_SESSION['loggedIn'] = FALSE;

// Set Where to Return (read it before the session data is wiped).
if (isset($_SESSION['returnToPage'])){
    $returnToPage = $_SESSION['returnToPage'];
}else{
    $returnToPage = "index.php";
}

// Destroy Former Session data.
session_unset();
$_SESSION = array();

// Erase Session Cookie Contents.
// The expiring cookie has to carry the same name, path and domain that the
// session cookie was issued with; otherwise the browser treats it as a
// different cookie and keeps the original. A bare
// setcookie("PHPSESSID", "", time() - 3600) only matches when the session
// cookie happened to be set for the current path.
$params = session_get_cookie_params();
setcookie(session_name(), "", time() - 3600,
          $params["path"], $params["domain"],
          $params["secure"], $params["httponly"]);

// Destroy the server-side session file.
session_destroy();

// Redirect User.
header("Location: " . BASE_URL . $returnToPage);

// End script.
exit();
?>
```

Here is what is happening...

1.) I just erased the Session Cookie in FireFox like you described above
2.) I just launched "log_in.php"
3.) In FireFox, I see...
    Site: local.debbie
    Cookie Name: PHPSESSID
    Contents: 4d50decfdfca1f3b7f3eb4f826d6a1c3
4.) I log in
5.) Am logged in
6.) I go into FireFox's Web Developer Toolbar and see the same info described above so the cookie is still there
7.) I click "Log Out" and run "log_out.php" above
8.) In FireFox, I still see...
    Site: local.debbie
    Cookie Name: PHPSESSID
    Contents: 4d50decfdfca1f3b7f3eb4f826d6a1c3
9.) If I quit FireFox and come back in and look at FireFox's cookies I will still see...
    Site: local.debbie
    Cookie Name: PHPSESSID
    Contents: 4d50decfdfca1f3b7f3eb4f826d6a1c3

This is driving me nuts, and I fear I have a security issue here?! Debbie
doubledee (Author), Posted December 30, 2011

> To add to what kicken stated, a cookie is the responsibility of the browser. PHP simply issues a request to the browser for it to save a cookie. Whether it does or not is up to the browser. So called "session cookies" are not saved by the browser as separate files because they will not persist beyond the lifetime of the browser. This should help you figure out where your cookie files might be for firefox: http://kb.mozillazine.org/Profile_folder_-_Firefox You might also try the web developer plugin that ostensibly has some cookie management features.

Yeah, I got all of that. See my latest post.

> Not to be confused with a session cookie is the php "session id" cookie that links requests to php sessions. That typically has the name PHPSESSID unless you change it. Most everything about the way php sessions work can be tweaked or reconfigured in some way including the name of the session id variable.

Right. And I see my actual Session file as well. But it is the persisting cookie with the PHPSESSID inside of it that I am concerned about. (I thought it was a cardinal rule that you need to erase the Session ID in the Session Cookie so that someone doesn't try to hijack a Session, right? So if my Session ID is in the Session Cookie, and FireFox isn't cleaning out the contents like I am telling it to, then what is to stop someone from pretending to be the original user??) Debbie
doubledee (Author), Posted December 30, 2011

> Look in your php.ini file, you should see something that looks like this:
>
> session.save_path = "c:/wamp/tmp"
>
> Note: your location will obviously be different than mine

In Applications/MAMP/tmp/php I see Session files, but those aren't the Session Cookies... Debbie
Philip, Posted December 30, 2011

http://chrispederick.com/work/web-developer/ is an invaluable tool for web development. There is an option to clear cookies based on the type (session, domain, or path) and to disable them - in one easy to reach place.

PS - If you logout and you are forwarded to a page with session_start() at the top, another PHP Session cookie will appear.

PSS - I'm failing today. Feel free to ignore me.
doubledee (Author), Posted December 30, 2011

> http://chrispederick.com/work/web-developer/ is an invaluable tool for web development. There is an option to clear cookies based on the type (session, domain, or path) and to disable them - in one easy to reach place.

Thanks, but as I said, I already am using FireFox's Web Developer Toolbar... Debbie
Philip, Posted December 30, 2011

See my edit.
kicken, Posted December 30, 2011

If your session cookie is sticking around (with the same id) then a few possibilities are:

1) You've configured PHP to set an expires date/time on the cookie, rather than using 0 to make it a session cookie (generally not wise)
2) You're not closing the browser completely. Session cookies only go away when the browser is fully closed. You have to close all windows, not just the single window or tab your site is in.
3) You're somehow restarting the session with the same id

Regardless, having the session ID stick around is not anything to really be concerned about. Provided you have cleared out the data in the session (ie, your session_destroy/$_SESSION=array() combo would do that) then that ID is just going to be linking to an empty session file. Session hijacking has less to do with the session id sticking around after logout, and more to do with people intercepting your session ID while it is in use, such as by using a packet sniffer to watch requests on the network and stealing the ID that way.
doubledee (Author), Posted December 30, 2011

> PS - If you logout and you are forwarded to a page with session_start() at the top, another PHP Session cookie will appear.

Right. But two things...

1.) You would expect to see a *new* PHPSESSID, right? Well, I don't see a new one.
2.) If I comment out my redirect, then that point shouldn't be an issue. However, my original Session Cookie and PHPSESSID are still showing up in FireFox. (Whether they are physically in the cookies.sqlite file I can't say, but according to FireFox's Preferences the Session Cookie is still there even after I log out.)

> PSS - I'm failing today. Feel free to ignore me.

Me too, I think?! Debbie
doubledee (Author), Posted December 30, 2011

> If your session cookie is sticking around (with the same id) then a few possibilities are:
>
> 1) You've configured PHP to set an expires date/time on the cookie, rather than using 0 to make it a session cookie (generally not wise)

What setting would dictate that in my php.ini file??

> 2) You're not closing the browser completely. Session cookies only go away when the browser is fully closed. You have to close all windows, not just the single window or tab your site is in.

That's not it.

> 3) You're somehow restarting the session with the same id

How is that possible??

> Regardless, having the session ID stick around is not anything to really be concerned about. Provided you have cleared out the data in the session (ie, your session_destroy/$_SESSION=array() combo would do that) then that ID is just going to be linking to an empty session file.

Hmmm... Well, I know my Session file goes "poof" when I log out. (It is just that damn Cookie that never disappears. And the fact that I seem to get the same Session ID if I log back in bugs me...)

BTW, is there *anything* else that I can provide you guys to help you help me figure things out? Debbie
kicken, Posted December 30, 2011

Use something like Fiddler2 to record all the http transactions as you go across the site, look at the cookie headers your scripts are sending (Set-Cookie headers in the response area) to see what is happening.

- Open fiddler2
- Open your browser and go to your site
- Login, and hit a page or two
- Logout and then hit a page or two.

If you want, you can save all the sessions and send them to me and I will see if I spot anything unusual. I have PM'ed you my email address.
gizmola, Posted December 30, 2011

The concept of authentication is one you provide. When a user hits your site, and the top of your page has a session_start() call, then php sessions are in play. All the cookie provides is a key to that session. When someone hits your site and they have not logged in, they will still have a session id assigned (or at least attempted to be assigned via the issuance of a session cookie). It does not matter that you logged out and you have a session id that is persisting. What matters is that the information you stored in the session no longer allows for that session id to authenticate the person. You are not in control of what happens with cookies. All you can control is what is happening on the serverside. When you logout, the important thing is that whatever you are storing in the session that indicates that session is authenticated, has been changed so that your site responds accordingly by denying access and requiring fresh authentication. Even the serverside session data itself (by default the files that TLG referred to) will hang around for a period of time depending on the way php has been configured.
gizmola, Posted December 30, 2011

Also, read the last few posts of this thread, specifically my post and PFMaBiSmAd's at the end. http://www.phpfreaks.com/forums/index.php?topic=223785.15 There is no defined way to tell a browser to delete a cookie. I hope it is clear why this is not important.
doubledee (Author), Posted December 31, 2011

> The concept of authentication is one you provide. When a user hits your site, and the top of your page has a session_start() call, then php sessions are in play. All the cookie provides is a key to that session. When someone hits your site and they have not logged in, they will still have a session id assigned (or at least attempted to be assigned via the issuance of a session cookie). It does not matter that you logged out and you have a session id that is persisting. What matters is that the information you stored in the session no longer allows for that session id to authenticate the person. You are not in control of what happens with cookies. All you can control is what is happening on the serverside. When you logout, the important thing is that whatever you are storing in the session that indicates that session is authenticated, has been changed so that your site responds accordingly by denying access and requiring fresh authentication. Even the serverside session data itself (by default the files that TLG referred to) will hang around for a period of time depending on the way php has been configured.

So it sounds like I should "chill out" and not worry? And it also sounds like everything I have said, described, and the code I have provided does not lead you to believe I am doing anything insecure, correct? I didn't mean to drag out this thread, but I am just trying to improve my coding skills and build a website that is functional and secure! Thanks, Debbie
gizmola, Posted December 31, 2011

Yes, you shouldn't worry about the fact that you can't remove a session cookie. The other steps you are taking to terminate authentication and eliminate the session data that would allow it, are the important thing.
xylex, Posted December 31, 2011

> And the fact that I seem to get the same Session ID if I log back in bugs me...

Your login script is vulnerable to session fixation attacks with this behavior if you're allowing session ids to be set in the URL, which is the default. You always want to call session_regenerate_id() after a successful login to prevent this, which will give you a different session id.
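Editor's added example (not code from this thread or from the original poster's site) pulling together xylex's regenerate-on-login advice and kicken's and gizmola's point that authorization rests on server-side session data, not on whether a PHPSESSID cookie is still visible in the browser. checkCredentials(), the "demo" account and the login()/isLoggedIn()/logout() helpers are assumptions introduced for the example.

```php
<?php
// Added example, not from the thread. checkCredentials() and the "demo"
// account are constructed stand-ins for a real user table lookup.
declare(strict_types=1);

// Refuse session ids passed in the URL so a visitor cannot arrive with an id
// someone else chose for them (fixation); the id must come from the cookie.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Stand-in credential check; the hash is built here so the file runs offline.
function checkCredentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['demo' => password_hash('demo-pass', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    // Drop the id the visitor arrived with: whoever knew the pre-login id
    // must not share the authenticated session. true deletes the old file.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['user']     = $user;
    return true;
}

// Access is decided by what the server stored under the id; a cookie that
// still names an emptied or destroyed session authenticates nobody.
function isLoggedIn(): bool
{
    return session_status() === PHP_SESSION_ACTIVE
        && !empty($_SESSION['loggedIn']);
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie under the exact name/path/domain/flags it was issued
    // with; an expiring setcookie() that omits them may not match it.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Even if the browser keeps the old cookie after logout(), the next request is an anonymous one, because isLoggedIn() consults the server-side data and not the cookie's presence.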
doubledee (Author), Posted January 2, 2012

> And the fact that I seem to get the same Session ID if I log back in bugs me...
>
> Your login script is vulnerable to session fixation attacks with this behavior if you're allowing session ids to be set in the URL, which is the default. You always want to call session_regenerate_id() after a successful login to prevent this, which will give you a different session id.

Good point. Will have to look into that. Debbie