Cookie Expiration Date Issue
Moderator: General Moderators
Cookie Expiration Date Issue
Hello,
I have a site which has multiple servers used for downloading files. Some of the servers are for paid members only, so to validate that the user is actually a paid member, I store a unique user key in a cookie. When they access one of the servers to download a file, a script extracts the key and checks to see if they have sufficent access to download from that server. I've set the cookie to expire in 30 days from when they log in, however, it no longer seems to work after a few hours.. I can actually still view the cookie in my browser (firefox) but it does not work.. If I just log out (which deletes the cookie) and log back in (which sets the cookie again) then it works fine, so it seems to me as if the problem is with the cookie expiring early. Another odd occurance is that if I view the cookie in firefox, it will always say that the expiration date is the exact date that the cookie is set, even though it's set to expire in 30 days. Here is the cookie I'm using..
setcookie("key", $qry[user_key], time()+2592000, "/", ".domain.com", 0);
Does anyone have an any idea why this would happen or anything I can do to rectify this issue?
I have a site which has multiple servers used for downloading files. Some of the servers are for paid members only, so to validate that the user is actually a paid member, I store a unique user key in a cookie. When they access one of the servers to download a file, a script extracts the key and checks to see if they have sufficent access to download from that server. I've set the cookie to expire in 30 days from when they log in, however, it no longer seems to work after a few hours.. I can actually still view the cookie in my browser (firefox) but it does not work.. If I just log out (which deletes the cookie) and log back in (which sets the cookie again) then it works fine, so it seems to me as if the problem is with the cookie expiring early. Another odd occurance is that if I view the cookie in firefox, it will always say that the expiration date is the exact date that the cookie is set, even though it's set to expire in 30 days. Here is the cookie I'm using..
setcookie("key", $qry[user_key], time()+2592000, "/", ".domain.com", 0);
Does anyone have an any idea why this would happen or anything I can do to rectify this issue?
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
your server(s) may be converting the timestamp you supply wrong. To check, in Firefox with the Web Developer extension running, ask it to show you the response headers on the page resulting in the cookie being set. If the date is off there, your server's time may be off or buggy. You can try to output a formatted date of the timestamp it will use on the page to make sure php at least knows what time it is. If php understands, you may want to write the cookie header yourself instead of letting the server handle it.
although I'd suggest staying away from cookies opting for sessions, or asking the user to login again on the download server themselves to verify identity.
although I'd suggest staying away from cookies opting for sessions, or asking the user to login again on the download server themselves to verify identity.
The servers time is correct, here is what I see in the response header for that page..
Date: Mon, 26 Sep 2005 20:23:03 GMT
The dates on the other servers seem ok as well..
Date: Mon, 26 Sep 2005 20:28:36 GMT
Date: Mon, 26 Sep 2005 20:29:12 GMT
The expire date for the page is set to 1981, but I don't think that'd make a difference, does it?. How would I go about writing the cookie header myself?
I would love to ask users to login again, but they're all lazy bastards, so I know I'd get shot if I did that.. It's not really that huge of a deal if someone else figures out how to access the paid servers; a few extra people downloading would hardly make any difference at all..
Date: Mon, 26 Sep 2005 20:23:03 GMT
The dates on the other servers seem ok as well..
Date: Mon, 26 Sep 2005 20:28:36 GMT
Date: Mon, 26 Sep 2005 20:29:12 GMT
The expire date for the page is set to 1981, but I don't think that'd make a difference, does it?. How would I go about writing the cookie header myself?
I would love to ask users to login again, but they're all lazy bastards, so I know I'd get shot if I did that.. It's not really that huge of a deal if someone else figures out how to access the paid servers; a few extra people downloading would hardly make any difference at all..
Well viewing Information>View Response Headers does not show any cookie information. However, going to Information>View Cookie Information I see that the cookies expiration date is set for 30 days in the future, as it's supposed to be. However, this leaves the question as to why the cookies are not working to validate the users. The code used to validate the user is really quite simple: it just extracts the key from the cookie, searches in the database for a user which matches the key, and grabs their access level, so I have no idea why there should be an issue..
<span style='color:blue' title='I'm naughty, are you naughty?'>smurf</span>, I think you're right.. I have a piece of code, included on each page, which will create a new session for visitors if their session has expired but they still have a cookie. This script also resets the cookie, but I had accidentally screwed up the setcookie so the contents of the cookie were invalid. Thus when the session expired and they visited a new page, the cookie would be reset with incorrect information and they could no longer be validated. Sorry about this and thanks for your help!