Cookie Killing



#1 Adthegreat


Posted 08 May 2006 - 08:59 PM

For security reasons I set a cookie every time someone logs in, like this:
    setcookie(activsessid,$activsessid, time()+360000);

Then on my logout button I have tried lots of different things, but at the moment my code is
setcookie(activsessid);
but for some reason the cookie remains. I have tried setting a time()-100 and other stuff, but it won't work.

And N.B., I know the cookie is still there because it appears when I do
javascript:alert(document.cookie).

Can anyone help?

Thanks in Advance!

#2 Prismatic


Posted 08 May 2006 - 09:09 PM

[quote name='Adthegreat' date='May 8 2006, 03:59 PM']
For security reasons I set a cookie every time someone logs in, like this:
    setcookie(activsessid,$activsessid, time()+360000);

Then on my logout button I have tried lots of different things, but at the moment my code is
setcookie(activsessid);
but for some reason the cookie remains. I have tried setting a time()-100 and other stuff, but it won't work.

And N.B., I know the cookie is still there because it appears when I do
javascript:alert(document.cookie).

Can anyone help?

Thanks in Advance!
[/quote]

setcookie(activsessid,$activsessid, time()-360000);


#3 Adthegreat


Posted 08 May 2006 - 09:14 PM

[quote name='Prismatic' date='May 8 2006, 10:09 PM']
setcookie(activsessid,$activsessid, time()-360000);
[/quote]
Didn't work!

Probably because $activsessid is not defined on the page, but would register globals take it from $_COOKIE[activsessid] where it is defined?

#4 wildteen88


Posted 08 May 2006 - 09:24 PM

You won't be able to delete a cookie off of a user's computer. However, you can set the cookie with blank values apart from the name and set the expire time sometime back in the past.

That should stop the browser from using the cookie again.

#5 Adthegreat


Posted 08 May 2006 - 09:39 PM

[quote name='wildteen88' date='May 8 2006, 10:24 PM']
You won't be able to delete a cookie off of a user's computer. However, you can set the cookie with blank values apart from the name and set the expire time sometime back in the past.

That should stop the browser from using the cookie again.
[/quote]
I appreciate the insight.

Edit: Problem still there! It works on my Internet Explorer but not on my friend's computer and my Firefox!

Code is now
setcookie('activsessid', '', time()-360000);


#6 High_-_Tek


Posted 08 May 2006 - 10:16 PM

Short and simple

<?php

unset($_COOKIE['activsessid']);

?>


#7 Adthegreat


Posted 08 May 2006 - 10:24 PM

[quote name='High_-_Tek' date='May 8 2006, 11:16 PM']
Short and simple

<?php

unset($_COOKIE['activsessid']);

?>
[/quote]
This doesn't work. I have tried with quotes and without, and it is right after my opening <?php on logout.php.

This is so frustrating, it just doesn't make sense...

#8 toplay


Posted 09 May 2006 - 02:17 AM

PHP and JavaScript cookie values are initially available at different times.

Examine this sample code and its output underneath it:
<?PHP
// Start buffering to allow JS before PHP setcookie
ob_start();
?>

<script type="text/javascript">
document.write("JS - before PHP setcookie: " + document.cookie + "<br/>");
</script>

<?PHP

if (isSet($_COOKIE['activsessid'])) {
    $value = $_COOKIE['activsessid'];
} else {
    setcookie('activsessid', '123');
    // Not set the first time and this demonstrates that
    $value = isSet($_COOKIE['activsessid']) ? $_COOKIE['activsessid'] : 'Not Set';
}

echo "_COOKIE['activsessid'] value = $value <br/>";

?>

<script type="text/javascript">
document.write("JS - after PHP setcookie: " + document.cookie + "<br/>");
</script>

JS - before PHP setcookie: activsessid=123
_COOKIE['activsessid'] value = Not Set
JS - after PHP setcookie: activsessid=123

JS - before PHP setcookie: activsessid=123
_COOKIE['activsessid'] value = 123
JS - after PHP setcookie: activsessid=123

As you can see from the output example above, the $_COOKIE values aren't available to use in PHP on the first run or setting of the cookie. However, you'll notice that JavaScript has the cookie value available on the first run, even before the PHP setcookie is invoked (as it seems). But the truth of the matter is that PHP setcookie() sends out HTTP headers which by the time the page is loaded JavaScript already has available.

Examine this sample code that deletes the cookie and its output underneath it:
<?PHP
// Start buffering to allow JS before PHP setcookie
ob_start();
?>

<script type="text/javascript">
document.write("JS - before PHP setcookie to delete: " + document.cookie + "<br/>");
</script>


<?PHP

$value = isSet($_COOKIE['activsessid']) ? $_COOKIE['activsessid'] : 'Not Set';
echo "_COOKIE['activsessid'] value before delete = $value <br/>";

setcookie('activsessid', '', time() - 86400);

$value = isSet($_COOKIE['activsessid']) ? $_COOKIE['activsessid'] : 'Not Set';
echo "_COOKIE['activsessid'] value after delete = $value <br/>";

?>

<script type="text/javascript">
document.write("JS - after PHP setcookie to delete: " + document.cookie + "<br/>");
</script>

JS - before PHP setcookie to delete:
_COOKIE['activsessid'] value before delete = 123
_COOKIE['activsessid'] value after delete = 123
JS - after PHP setcookie to delete:

JS - before PHP setcookie to delete:
_COOKIE['activsessid'] value before delete = Not Set
_COOKIE['activsessid'] value after delete = Not Set
JS - after PHP setcookie to delete:

Again, JavaScript knows the cookie is deleted before PHP does.

If you want PHP to recognize the cookie is deleted in the first delete cookie run, then as already pointed out, you can use unset(). So, changing the delete cookie code to include the unset():
...
setcookie('activsessid', '', time() - 86400);
unset($_COOKIE['activsessid']);
...
will produce the following output:

JS - before PHP setcookie to delete:
_COOKIE['activsessid'] value before delete = 123
_COOKIE['activsessid'] value after delete = Not Set
JS - after PHP setcookie to delete:

and that allows PHP to know the cookie got deleted right away.

If you specified an expiration when first creating the cookie, then it's generally a good idea to make the cookie expiration time at least a day in the past (- 86400), in case your server and the user's computer have different clocks.


FYI: The examples given behave the same way in IE and Firefox (it makes no difference).
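
A logout routine that combines the points raised in this thread, as an added example that is not any poster's code: the token is revoked on the server (the browser's copy cannot be forcibly deleted), the cookie is expired with the same name, path and domain it was set with, and $_COOKIE is cleared for the current request. COOKIE_PATH, COOKIE_DOMAIN, the function names and the JSON-file token store are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. COOKIE_PATH, COOKIE_DOMAIN, the
// function names and the JSON-file token store are assumptions for illustration.
const COOKIE_NAME   = 'activsessid'; // cookie name used in the thread
const COOKIE_PATH   = '/';           // assumption: the path login used
const COOKIE_DOMAIN = '';            // assumption: host-only cookie
const LIFETIME      = 360000;        // seconds, as in the first post

// Hypothetical server-side list of valid tokens: token => expiry timestamp.
function load_tokens(): array {
    $raw = @file_get_contents(sys_get_temp_dir() . '/activsessid_tokens.json');
    $tokens = $raw === false ? null : json_decode($raw, true);
    return is_array($tokens) ? $tokens : [];
}
function save_tokens(array $tokens): void {
    file_put_contents(sys_get_temp_dir() . '/activsessid_tokens.json',
                      json_encode($tokens), LOCK_EX);
}

function login(): void {
    $token = bin2hex(random_bytes(16)); // unpredictable cookie value
    save_tokens(load_tokens() + [$token => time() + LIFETIME]);
    setcookie(COOKIE_NAME, $token, time() + LIFETIME, COOKIE_PATH, COOKIE_DOMAIN);
}

function is_logged_in(): bool {
    $token = $_COOKIE[COOKIE_NAME] ?? null;
    if (!is_string($token)) { return false; }
    return (load_tokens()[$token] ?? 0) > time();
}

function logout(): void {
    // setcookie() only adds a response header, so it must run before any output.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output began at $file:$line; cookie cannot be expired");
    }
    // 1. Revoke the token on the server: a cookie value that is replayed later
    //    no longer counts as a login, whatever the browser kept.
    $token  = $_COOKIE[COOKIE_NAME] ?? null;
    $tokens = load_tokens();
    if (is_string($token)) { unset($tokens[$token]); }
    save_tokens($tokens);
    // 2. Ask the browser to drop the cookie: same name, path and domain as at
    //    login, empty value, expiry a day in the past.
    setcookie(COOKIE_NAME, '', time() - 86400, COOKIE_PATH, COOKIE_DOMAIN);
    // 3. Make the rest of this request see the cookie as gone.
    unset($_COOKIE[COOKIE_NAME]);
}
```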




