Adthegreat

Cookie Killing

For security reasons I set a cookie every time someone logs in, like this:
[code]
    setcookie(activsessid,$activsessid, time()+360000);
[/code]

Then on my logout button I have tried lots of different things, but at the moment my code is
[code]
setcookie(activsessid);
[/code]
but for some reason the cookie remains. I have tried setting a time()-100 and other stuff, but it won't work.

And N.B., I know the cookie is still there because it appears when I do
javascript:alert(document.cookie).

Can anyone help?

Thanks in Advance!

[quote]
QUOTE(Adthegreat @ May 8 2006, 03:59 PM)
For security reasons I set a cookie every time someone logs in, like this:
[code]
    setcookie(activsessid,$activsessid, time()+360000);
[/code]

Then on my logout button I have tried lots of different things, but at the moment my code is
[code]
setcookie(activsessid);
[/code]
but for some reason the cookie remains. I have tried setting a time()-100 and other stuff, but it won't work.

And N.B., I know the cookie is still there because it appears when I do
javascript:alert(document.cookie).

Can anyone help?

Thanks in Advance!
[/quote]

[code]
setcookie(activsessid,$activsessid, time()-360000);
[/code]

[quote]
QUOTE(Prismatic @ May 8 2006, 10:09 PM)
[code]
setcookie(activsessid,$activsessid, time()-360000);
[/code]
[/quote]
Didn't work!

Probably because $activsessid is not defined on the page, but would register globals take it from $_COOKIE[activsessid] where it is defined?

You won't be able to delete a cookie off of a user's computer. However you can set the cookie with blank values apart from the name and set the expire time sometime back in the past.

That should stop the browser from using the cookie again.

[quote]
QUOTE(wildteen88 @ May 8 2006, 10:24 PM)
You won't be able to delete a cookie off of a user's computer. However you can set the cookie with blank values apart from the name and set the expire time sometime back in the past.

That should stop the browser from using the cookie again.
[/quote]
I appreciate the insight.

Edit: Problem still there! It works on my Internet Explorer but not on my friend's computer and my Firefox!

Code is now
[code]
setcookie('activsessid', '', time()-360000);
[/code]

[quote]
QUOTE(High_-_Tek @ May 8 2006, 11:16 PM)
Short and simple

[code]
<?php

unset($_COOKIE['activsessid']);

?>
[/code]
[/quote]
This doesn't work. I have tried with quotes, without, and it is right after my opening <?php on logout.php.

This is so frustrating, it just doesn't make sense...

PHP and JavaScript cookie values are initially available at different times.

Examine this sample code and its output underneath it:
[code]
<?PHP
// Start buffering to allow JS before PHP setcookie
ob_start();
?>

<script type="text/javascript">
document.write("JS - before PHP setcookie: " + document.cookie + "<br/>");
</script>

<?PHP

if (isSet($_COOKIE['activsessid'])) {
    $value = $_COOKIE['activsessid'];
} else {
    setcookie('activsessid', '123');
    // Not set the first time and this demonstrates that
    $value = isSet($_COOKIE['activsessid']) ? $_COOKIE['activsessid'] : 'Not Set';
}

echo "_COOKIE['activsessid'] value = $value <br/>";

?>

<script type="text/javascript">
document.write("JS - after PHP setcookie: " + document.cookie + "<br/>");
</script>
[/code]
[quote]
JS - before PHP setcookie: activsessid=123
_COOKIE['activsessid'] value = Not Set
JS - after PHP setcookie: activsessid=123
[/quote]
[quote]
JS - before PHP setcookie: activsessid=123
_COOKIE['activsessid'] value = 123
JS - after PHP setcookie: activsessid=123
[/quote]
As you can see from the output example above, the $_COOKIE values aren't available to use in PHP on the first run or setting of the cookie. However, you'll notice that JavaScript has the cookie value available on the first run. Even before the PHP setcookie is even invoked (as it seems). But the truth of the matter is that PHP setcookie() sends out HTTP headers which by the time the page is loaded JavaScript already has available.

Examine this sample code that deletes the cookie and its output underneath it:
[code]
<?PHP
// Start buffering to allow JS before PHP setcookie
ob_start();
?>

<script type="text/javascript">
document.write("JS - before PHP setcookie to delete: " + document.cookie + "<br/>");
</script>


<?PHP

$value = isSet($_COOKIE['activsessid']) ? $_COOKIE['activsessid'] : 'Not Set';
echo "_COOKIE['activsessid'] value before delete = $value <br/>";

setcookie('activsessid', '', time() - 86400);

$value = isSet($_COOKIE['activsessid']) ? $_COOKIE['activsessid'] : 'Not Set';
echo "_COOKIE['activsessid'] value after delete = $value <br/>";

?>

<script type="text/javascript">
document.write("JS - after PHP setcookie to delete: " + document.cookie + "<br/>");
</script>
[/code]
[quote]
JS - before PHP setcookie to delete:
_COOKIE['activsessid'] value before delete = 123
_COOKIE['activsessid'] value after delete = 123
JS - after PHP setcookie to delete:
[/quote]
[quote]
JS - before PHP setcookie to delete:
_COOKIE['activsessid'] value before delete = Not Set
_COOKIE['activsessid'] value after delete = Not Set
JS - after PHP setcookie to delete:
[/quote]
Again, JavaScript knows the cookie is deleted before PHP does.

If you want PHP to recognize the cookie is deleted in the first delete cookie run, then as already pointed out, you can use unset(). So, changing the delete cookie code to include the unset():
[code]
...
setcookie('activsessid', '', time() - 86400);
unset($_COOKIE['activsessid']);
...
[/code]
will produce the following output:
[quote]
JS - before PHP setcookie to delete:
_COOKIE['activsessid'] value before delete = 123
_COOKIE['activsessid'] value after delete = Not Set
JS - after PHP setcookie to delete:
[/quote]
and that allows PHP to know the cookie got deleted right away.

If you specified an expiration when first creating the cookie, then it's generally a good idea to make the cookie expiration time at least a day in the past (- 86400), in case your server and the user's computer have different clocks.


FYI: The examples given behave the same way in IE and Firefox (it makes no difference).
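
Added example, not written by any poster in this thread: a logout helper that combines the steps discussed above (empty value, expiry a day in the past, unset($_COOKIE[...])) and also handles two cases in which the deletion header is never honoured or never sent. It assumes PHP 7.3 or later for the options-array form of setcookie(); the path, domain and flag values and the $activeSessions store are hypothetical.

```php
<?php
// Added example (not code from the thread). The path, domain and flag values
// and the $activeSessions store are assumptions for illustration.
const ACTIV_COOKIE = 'activsessid';

// One source of truth for the attributes: a browser matches an expiring
// Set-Cookie to the stored cookie by name, domain and path, so logout must
// send the same path and domain that login did.
function activ_cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',    // assumed; must be identical at login and logout
        'domain'   => '',     // assumed; empty means a host-only cookie
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable through document.cookie
        'samesite' => 'Lax',
    ];
}

function login_set_cookie(string $sessionId): bool
{
    return setcookie(ACTIV_COOKIE, $sessionId, activ_cookie_options(time() + 360000));
}

function logout_clear_cookie(array &$activeSessions): bool
{
    $id = $_COOKIE[ACTIV_COOKIE] ?? null;
    if (is_string($id)) {
        unset($activeSessions[$id]); // server side: the old value stops working
    }
    unset($_COOKIE[ACTIV_COOKIE]);   // the rest of this request sees it as gone

    // setcookie() cannot add a header once output has started.
    if (headers_sent($file, $line)) {
        error_log("activsessid not expired: output started at $file:$line");
        return false;
    }
    // Empty value, expiry a day in the past to tolerate client clock skew.
    return setcookie(ACTIV_COOKIE, '', activ_cookie_options(time() - 86400));
}

// Constructed usage: one logged-in session, then logout.
$activeSessions = ['abc123' => ['user' => 'alice']];
$_COOKIE[ACTIV_COOKIE] = 'abc123';
$sent = logout_clear_cookie($activeSessions);
var_dump($sent, isset($activeSessions['abc123']), isset($_COOKIE[ACTIV_COOKIE]));
```

With HttpOnly set, the javascript:alert(document.cookie) check from the first post no longer shows the cookie; inspect the Set-Cookie header of the logout response instead.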
