Cookie Expiration Date Issue

PatrickE
Forum Newbie
Posts: 10
Joined: Mon Sep 26, 2005 2:52 pm

Post by PatrickE »

Hello,

I have a site which has multiple servers used for downloading files. Some of the servers are for paid members only, so to validate that the user is actually a paid member, I store a unique user key in a cookie. When they access one of the servers to download a file, a script extracts the key and checks to see if they have sufficient access to download from that server. I've set the cookie to expire in 30 days from when they log in, however, it no longer seems to work after a few hours.. I can actually still view the cookie in my browser (Firefox) but it does not work.. If I just log out (which deletes the cookie) and log back in (which sets the cookie again) then it works fine, so it seems to me as if the problem is with the cookie expiring early. Another odd occurrence is that if I view the cookie in Firefox, it will always say that the expiration date is the exact date that the cookie is set, even though it's set to expire in 30 days. Here is the cookie I'm using..

setcookie("key", $qry['user_key'], time()+2592000, "/", ".domain.com", 0);

Does anyone have any idea why this would happen or anything I can do to rectify this issue?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your server(s) may be converting the timestamp you supply wrong. To check, in Firefox with the Web Developer extension running, ask it to show you the response headers on the page resulting in the cookie being set. If the date is off there, your server's time may be off or buggy. You can try to output a formatted date of the timestamp it will use on the page to make sure PHP at least knows what time it is. If PHP understands, you may want to write the cookie header yourself instead of letting the server handle it.

Although I'd suggest staying away from cookies, opting for sessions, or asking the user to login again on the download server themselves to verify identity.

Post by PatrickE »

The server's time is correct, here is what I see in the response header for that page..

Date: Mon, 26 Sep 2005 20:23:03 GMT

The dates on the other servers seem ok as well..
Date: Mon, 26 Sep 2005 20:28:36 GMT
Date: Mon, 26 Sep 2005 20:29:12 GMT

The expire date for the page is set to 1981, but I don't think that'd make a difference, does it? How would I go about writing the cookie header myself?

I would love to ask users to login again, but they're all lazy bastards, so I know I'd get shot if I did that.. It's not really that huge of a deal if someone else figures out how to access the paid servers; a few extra people downloading would hardly make any difference at all..

Post by feyd »

is that using your code's cookie timestamp or what?

Post by PatrickE »

Sorry, I don't entirely understand what you're asking..

The dates I posted are the dates for the server setting the cookie, and two of the download servers.

Post by feyd »

Never mind, I see what you were saying.. but did you check to see what the server sent as far as the cookie's expiration time? (not what you see in your cookie panel, from the response headers)

Does PHP think it is the correct time? (The Date header is not set by PHP, but by the server itself)

Post by PatrickE »

Well, viewing Information>View Response Headers does not show any cookie information. However, going to Information>View Cookie Information I see that the cookie's expiration date is set for 30 days in the future, as it's supposed to be. However, this leaves the question as to why the cookies are not working to validate the users. The code used to validate the user is really quite simple: it just extracts the key from the cookie, searches in the database for a user which matches the key, and grabs their access level, so I have no idea why there should be an issue..

Post by feyd »

maybe you destroy the cookie somewhere else accidentally?

Post by PatrickE »

I don't know, I'm almost positive that it's not destroyed. I haven't really got any ideas what's causing this; it just seems as if the data is becoming invalid after a time..

Post by feyd »

well, not necessarily destroy it per se, as more accidentally walk over (destroying the server view of) the array somehow? I'm at a loss at this point..

Post by PatrickE »

How would that happen?

Post by feyd »

how are you pulling up the cookie data?

Post by PatrickE »

smurf, I think you're right.. I have a piece of code, included on each page, which will create a new session for visitors if their session has expired but they still have a cookie. This script also resets the cookie, but I had accidentally screwed up the setcookie so the contents of the cookie were invalid. Thus when the session expired and they visited a new page, the cookie would be reset with incorrect information and they could no longer be validated. Sorry about this and thanks for your help!

Post by feyd »

I'm glad I was able to nudge you into the actual bug. :)
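
An added example, not code from the thread: it writes the Set-Cookie header by hand with a GMT expiry, as feyd suggested, and refuses to re-issue the cookie on the session-renewal path unless the value still looks like a user key, which is the failure PatrickE found. The function names, the key pattern and the HttpOnly attribute are assumptions made for illustration.

```php
<?php
// Added example; names, key format and domain are assumptions, not the poster's code.
const KEY_COOKIE   = 'key';
const KEY_LIFETIME = 2592000;                   // 30 days, as in the thread
const KEY_PATTERN  = '/^[A-Za-z0-9]{16,64}$/';  // assumed format of a user key

/**
 * Build the Set-Cookie header line by hand so the expiry that goes on the
 * wire is visible. Returns null instead of a header when the value does not
 * look like a user key, so a refresh path cannot overwrite a good cookie
 * with bad contents.
 */
function build_key_cookie($userKey, int $now, string $domain): ?string
{
    if (!is_string($userKey) || !preg_match(KEY_PATTERN, $userKey)) {
        return null;
    }
    // Cookie dates are always GMT; gmdate() avoids local-timezone skew.
    $expires = gmdate('D, d M Y H:i:s', $now + KEY_LIFETIME) . ' GMT';
    // HttpOnly is an addition here; also append "; Secure" on HTTPS-only sites.
    return sprintf(
        'Set-Cookie: %s=%s; Expires=%s; Max-Age=%d; Path=/; Domain=%s; HttpOnly',
        KEY_COOKIE, rawurlencode($userKey), $expires, KEY_LIFETIME, $domain
    );
}

/** Session-renewal path: re-issue the cookie only from a validated key. */
function refresh_key_cookie(array $cookies, int $now, string $domain): ?string
{
    $line = build_key_cookie($cookies[KEY_COOKIE] ?? null, $now, $domain);
    if ($line === null) {
        error_log('key cookie refresh skipped: missing or malformed key');
    }
    return $line;
}

// Constructed sample input: a well-formed key, an empty value, no cookie at all.
$now = gmmktime(20, 23, 3, 9, 26, 2005);  // the Date header quoted in the thread
foreach ([['key' => 'a1b2c3d4e5f6a7b8c9d0'], ['key' => ''], []] as $cookies) {
    $line = refresh_key_cookie($cookies, $now, '.domain.com');
    echo ($line ?? '(no header sent, existing cookie left alone)'), PHP_EOL;
    // In a real page: if ($line !== null) { header($line, false); }
}
```

Comparing the printed Expires value with what the browser's response-header view shows separates a server-side date problem from a cookie that was later overwritten.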