Handling sessions through cookies, is it safe?

  • romayankin@gmail.com

    Handling sessions through cookies, is it safe?

    I need to limit the session time for a particular user who is working
    on my site. I'd also like to extend the session time each time the user
    performs some action (moves from one page to another). I've written the
    following code to accomplish this task:

    /* Extending session */
    if (isset($_COOKIE['username'])) {
        // refreshes the cookie for another hour, taking the value from the request
        setcookie("username", $_POST['username'], time() + 3600);
    }

    Variable $_COOKIE['username'] is set right after the authorization is
    completed.
    The problem is that I don't think this is a safe way to handle
    sessions. Perhaps I should use the $_SESSION global array to store the
    username of the logged-in user?

  • Rik

    #2
    Re: Handling sessions through cookies, is it safe?

    romayankin@gmail.com wrote:
    > I need to limit the session time for a particular user who is working
    > on my site. I'd also like to extend the session time each time user
    > performs some action (moves from one page to another). I've written
    > the following code to accomplish this task
    >
    > /* Extending session */
    > if (isset($_COOKIE['username'])) {
    >     setcookie("username", $_POST['username'], time() + 3600);
    > }

    Pardon, you let them post their username on every navigation?

    > Variable $_COOKIE['username'] right after the authorization is
    > completed.
    > The problem is that I don't think this is a safe way to handle
    > sessions. Perhaps I should use $_SESSION global array to store the
    > username of the logged user?

    Why not set the time of the last action in the $_SESSION?

    $timeout = 60 * 60; // 60 minutes here, as long or short as you'd like
    session_start();
    if (!isset($_SESSION['time']) || $_SESSION['time'] + $timeout < time()) {
        // invalid, we'll destroy all data:
        $_SESSION = array();
        if (isset($_COOKIE[session_name()])) {
            setcookie(session_name(), '', time() - 42000, '/');
        }
        if (isset($_COOKIE['username'])) {
            setcookie('username', '', time() - 42000, '/');
        }
        session_destroy();
    } else {
        // valid, update times:
        $_SESSION['time'] = time();
        setcookie('username', $username, $_SESSION['time'] + $timeout, '/');
        // You'll have to get that $username from somewhere in your actual
        // validation.
    }

    Grtz,
    --
    Rik Wasmus



    • s a n j a y

      #3
      Re: Handling sessions through cookies, is it safe?

      romayankin@gmail.com wrote:
      > I need to limit the session time for a particular user who is working
      > on my site. I'd also like to extend the session time each time user
      > performs some action (moves from one page to another). I've written the
      > following code to accomplish this task
      >
      > /* Extending session */
      > if (isset($_COOKIE['username'])) {
      >     setcookie("username", $_POST['username'], time() + 3600);
      > }
      >
      > Variable $_COOKIE['username'] right after the authorization is
      > completed.
      > The problem is that I don't think this is a safe way to handle
      > sessions. Perhaps I should use $_SESSION global array to store the
      > username of the logged user?

      In my opinion, all you should store in a cookie is the session-id.
      Everything else, you store on the server in either a global session variable
      or in a database.


      • totalstranger

        #4
        Re: Handling sessions through cookies, is it safe?

        On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:
        > romayankin@gmail.com wrote:
        > > I need to limit the session time for a particular user who is working
        > > on my site. I'd also like to extend the session time each time user
        > > performs some action (moves from one page to another). I've written the
        > > following code to accomplish this task
        > >
        > > /* Extending session */
        > > if (isset($_COOKIE['username'])) {
        > >     setcookie("username", $_POST['username'], time() + 3600);
        > > }
        > >
        > > Variable $_COOKIE['username'] right after the authorization is
        > > completed.
        > > The problem is that I don't think this is a safe way to handle
        > > sessions. Perhaps I should use $_SESSION global array to store the
        > > username of the logged user?
        >
        > In my opinion, all you should store in a cookie is session-id.
        > Everything else, you store on server in either global session veriable
        > or in a database.

        Agreed.
        Set a session variable with php time() and do your own timeout.

        session_start();
        // more than 600 seconds since the previous request: drop the old session data
        if (isset($_SESSION['$Server_time']) && (time() - $_SESSION['$Server_time']) > 600)
            $_SESSION = array(); // break this session and restart when over 10 minutes
        $_SESSION['$Server_time'] = time(); // time in seconds
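The server-side idle timeout that Rik (#2) and totalstranger (#4) describe, pulled together as one added example; this is not code from the thread or from any of its posters. The browser holds only the session id, as sanjay (#3) recommends, while the username and the last-activity stamp stay in $_SESSION, so there is nothing in the cookie for a client to edit. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), a site served over HTTPS (hence the secure flag), and a login page at /login.php, which is a placeholder path.

```php
<?php
// Added example, not from the thread: sliding idle timeout kept entirely in
// $_SESSION. Only the session id cookie reaches the browser.
declare(strict_types=1);

const IDLE_TIMEOUT = 60 * 60;   // seconds of inactivity before the session is dropped

// Flags for the session id cookie itself (assumes HTTPS, PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,          // browser-session cookie, gone when the browser closes
    'path'     => '/',
    'secure'   => true,       // only sent over TLS
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/**
 * Destroy the current session and clear its cookie, mirroring the teardown
 * branch in post #2.
 */
function end_session(): void
{
    $_SESSION = [];
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();
}

/**
 * Return true if the session is still live and refresh the activity stamp, so
 * every request extends the window (the "sliding" behaviour the OP asked for).
 * Returns false, after tearing the session down, when the user was idle too long.
 */
function touch_session(?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($_SESSION['username'], $_SESSION['last_activity'])) {
        return false;                          // never logged in
    }
    if ($_SESSION['last_activity'] + IDLE_TIMEOUT < $now) {
        end_session();                         // idle for longer than the window
        return false;
    }
    $_SESSION['last_activity'] = $now;         // still active: slide the window forward
    return true;
}

/**
 * Called once after the credentials have been verified (the verification itself
 * is out of scope here). A fresh session id stops a pre-login id being reused.
 */
function login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username']      = $username;
    $_SESSION['last_activity'] = time();
}

// Per-request guard for every page that requires a logged-in user.
if (!touch_session()) {
    header('Location: /login.php');   // placeholder login page
    exit;
}
echo 'Welcome back, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
```

The login page calls login() after checking the password and never touches a username cookie; because the name is read back from $_SESSION, the tamper check discussed later in the thread is not needed for it.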


        • ws Monkey

          #5
          Re: Handling sessions through cookies, is it safe?

          totalstranger wrote:
          > On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:
          > > romayankin@gmail.com wrote:
          > > > I need to limit the session time for a particular user who is working
          > > > on my site. I'd also like to extend the session time each time user
          > > > performs some action (moves from one page to another). I've written the
          > > > following code to accomplish this task
          > > >
          > > > /* Extending session */
          > > > if (isset($_COOKIE['username'])) {
          > > >     setcookie("username", $_POST['username'], time() + 3600);
          > > > }
          > > >
          > > > Variable $_COOKIE['username'] right after the authorization is
          > > > completed.
          > > > The problem is that I don't think this is a safe way to handle
          > > > sessions. Perhaps I should use $_SESSION global array to store the
          > > > username of the logged user?
          > > >
          > >
          > > In my opinion, all you should store in a cookie is session-id.
          > > Everything else, you store on server in either global session veriable
          > > or in a database.
          >
          > Agreed.
          > Set a session variable with php time() and do your own timeout.
          >
          > if (isset($_SESSION['$Server_time']) && (time() - $_SESSION['$Server_time']) > 600)
          >     $_SESSION = array(); // break this session and restart when over 10 minutes
          > $_SESSION['$Server_time'] = time(); // time in seconds

          May want to consider adding a few sanity checks for this. Never trust
          input from the user.
          In your cookie, store two values: the username, and then an md5 of the
          username plus a salt. When you read the cookie, compare the md5.

          i.e.
          $plaintext_cookie_value = $_COOKIE['username'];
          $hashed_username_value = md5($_COOKIE['username'] . "some random salt");
          // strict comparison, so a missing cookie or PHP's loose string/number juggling cannot match
          if (isset($_COOKIE['usernamehashed']) && $_COOKIE['usernamehashed'] === $hashed_username_value) {
              // plaintext is valid
          } else {
              // Someone changed the username
          }

          Just make sure to use the same "some random salt" when you set the cookie.

          -- Steve
</gr_insert_placeholder_never_used>
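For the case where a username cookie is kept anyway, the tamper check Steve (#5) sketches, written out as an added example that is not code from the thread. It swaps the unkeyed md5(username . salt) for hash_hmac() with a server-side key, and compares with hash_equals() (PHP 5.6+) rather than ==, so an edited or forged name fails the check and the comparison takes constant time. COOKIE_KEY is a placeholder for a secret loaded from configuration, and the cookie values at the bottom are constructed for the demonstration in place of $_COOKIE['username'].

```php
<?php
// Added example, not from the thread: keyed tag on a username cookie, the
// HMAC form of the "md5 of username plus salt" check from post #5.
declare(strict_types=1);

const COOKIE_KEY = 'placeholder-replace-with-a-long-random-secret-from-config';

/**
 * Build the cookie value "<username>|<hex tag>". The separator is reserved,
 * so a username containing it is refused rather than split ambiguously later.
 */
function sign_username(string $username, string $key = COOKIE_KEY): string
{
    if (strpos($username, '|') !== false) {
        throw new InvalidArgumentException('username must not contain "|"');
    }
    $tag = hash_hmac('sha256', $username, $key);
    return $username . '|' . $tag;
}

/**
 * Return the username when the cookie value carries a valid tag, or null when
 * it is missing, malformed, or was altered on the client side.
 */
function verify_username(?string $cookieValue, string $key = COOKIE_KEY): ?string
{
    if ($cookieValue === null || strpos($cookieValue, '|') === false) {
        return null;                                  // absent or not in our format
    }
    [$username, $tag] = explode('|', $cookieValue, 2);
    $expected = hash_hmac('sha256', $username, $key);
    // hash_equals() is constant-time and never type-juggles, unlike ==
    return hash_equals($expected, $tag) ? $username : null;
}

// Issuing side, after a successful login (flags assume HTTPS, PHP >= 7.3):
// setcookie('username', sign_username('alice'), [
//     'expires' => time() + 3600, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
// ]);

// Reading side, with constructed values standing in for $_COOKIE['username']:
$good     = sign_username('alice');
$tampered = 'admin|' . explode('|', $good, 2)[1];   // name edited, original tag kept
var_dump(verify_username($good));       // the signed name is accepted
var_dump(verify_username($tampered));   // the edited name is rejected
var_dump(verify_username(null));        // no cookie at all is rejected
```

Rotating COOKIE_KEY invalidates every outstanding cookie at once, which is the intended way to revoke them; the key never leaves the server, so unlike a fixed salt it cannot be recovered from a captured cookie.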
