Cookie is killing me

Posted: Thu Jun 26, 2008 1:58 pm
by dyluck
Hi. I hope someone can help me... this is really obscure.
I wrote a login script which works perfectly fine in Firefox and did work in Explorer... all of a sudden, out of the blue, it doesn't work in Explorer...

here is the code, do you guys see anything wrong with this?

Code:

$randomnumber = md5($rannum);
$time = 30 + time();
$domain = '.mydomain.com';
setcookie("MydomainVar", $randomnumber, $time, "/", $domain);

I have tried (in case the time syntax was wrong for some reason):

Code:

$randomnumber = md5($rannum);
$time = time()+30;
$domain = '.mydomain.com';
setcookie("MydomainVar", $randomnumber, $time, "/", $domain);

Still doesn't work...

Now if I set the cookie to the following, it works.

Code:

$randomnumber = md5($rannum);
$domain = '.mydomain.com';
setcookie("MydomainVar", $randomnumber, 0, "/", $domain);

This is only for a login script so I want the cookie to expire within 30 seconds.

What am I doing wrong? The key is that it works in firefox and it did work in explorer.

Thanks for your help!!

Re: Cookie is killing me

Posted: Thu Jun 26, 2008 5:47 pm
by dyluck
oh ya... here is a real kicker... this one works on my index page just fine..

$Month = 2592000 + time(); // 30 days from now
$rid = $_GET['rid'];
setcookie('CookieRef', $rid, $Month);

I want to stab myself in the eyeball! :banghead:

Re: Cookie is killing me

Posted: Thu Jun 26, 2008 9:45 pm
by Zoxive
Is there a reason you can't use Sessions?

I think it's just a lot easier, and you can store a lot more information quickly. And it's not stored on the client's computer, it's stored on the server's file system. (By default)

Code:

session_start(); // top of every page accessing session data.

$_SESSION['myvar'] = 'HI';

// Different page
session_start(); // top of page

echo $_SESSION['myvar']; // echoes HI

Re: Cookie is killing me

Posted: Fri Jun 27, 2008 7:54 am
by dyluck
Yeah I actually have sessions also. This is a login script so there are a few safeguards.
I have a session storing the username and a super hashed password. The cookie stores a hashed random variable which is saved to a database. The session variable is also saved to the database.

Am I able to create a session that only lasts 15-30 seconds? Why is it that a cookie with a longer expiry works and one with a short expiry doesn't?

Re: Cookie is killing me

Posted: Fri Jun 27, 2008 11:07 am
by Zoxive
Oh, I didn't realize it was for such a short cookie. I'm pretty sure the smallest Firefox will set is 60 seconds. IE 7, I believe, is 120 seconds. Why such a short length?

Re: Cookie is killing me

Posted: Fri Jun 27, 2008 11:48 am
by dyluck
It's probably a redundant step but I just want a cookie active long enough to log in.
I do have a few other precautions but I basically am trying to dupe cookie hijackers. The login and the actual protected pages require different authentication methods and a different cookie which will hopefully confuse hackers or at least smurf them off. I have a completely different hash and different authentication method while browsing protected pages. Basically it ensures that someone HAS to go through the login sequence before they can access internal pages. I am just doing MySQL anti-injection measures right now too...
It's sad that we have to do so many security measures... Imagine an internet without having to lock the door? LOL

Ok I am going to try 120 seconds to see what happens. I think 120 seconds is good and then I will kill the cookie once they are logged in. That way if the cookie doesn't get killed then it will commit suicide after 120 seconds :P

Re: Cookie is killing me

Posted: Fri Jun 27, 2008 12:18 pm
by dyluck
Well OK, so it was the compatibility of Explorer and minimum cookie expiry time.
Firefox can handle 30-second cookies no problem.
Explorer was 4 minutes... I tried 120 seconds, then 180; it wasn't until I tried 240 seconds that it worked!

Thanks for your help!!!!!
My issue is resolved. :drunk:
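
One way to get the 30-second lifetime without depending on how a browser handles short expiry times, as an added example that is not code from the thread: send the random value as a session cookie (expiry 0, which the first post reports working) and check its age against the database row on the server. The table `login_tokens`, the function names and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example: enforce the 30-second login window on the server.
// Table name login_tokens and both function names are hypothetical.

const LOGIN_TOKEN_TTL = 30; // seconds, the lifetime wanted in the thread

function issueLoginToken(PDO $db, int $now): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG value instead of md5($rannum)
    $stmt = $db->prepare('INSERT INTO login_tokens (token_hash, issued_at) VALUES (?, ?)');
    // Store only a hash so a database leak does not expose live tokens.
    $stmt->execute([hash('sha256', $token), $now]);
    return $token;
}

function redeemLoginToken(PDO $db, string $token, int $now): bool
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT issued_at FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $issuedAt = $stmt->fetchColumn(); // false when the token is unknown
    // Single use: delete the row whether or not it is still fresh.
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([$hash]);
    return $issuedAt !== false && ($now - (int)$issuedAt) <= LOGIN_TOKEN_TTL;
}

// Constructed demo with an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY, issued_at INTEGER)');

$t0 = time();
$fresh = issueLoginToken($db, $t0);
$stale = issueLoginToken($db, $t0);

// In a web request the token goes out as a session cookie (expiry 0), e.g.:
// setcookie('MydomainVar', $fresh, 0, '/', '.mydomain.com', true, true);

var_dump(redeemLoginToken($db, $fresh, $t0 + 10)); // redeemed inside the window
var_dump(redeemLoginToken($db, $fresh, $t0 + 11)); // replay of an already used token
var_dump(redeemLoginToken($db, $stale, $t0 + 31)); // redeemed after the window closed
```

Because the age check uses the server's own clock and the stored issue time, the result is the same in every browser, and the cookie is useless after its first use.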

Re: Cookie is killing me

Posted: Fri Jun 27, 2008 12:40 pm
by John Cartwright
security through obscurity is not security at all