Cookies sharing across local network?!

mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Cookies sharing across local network?!

Post by mattpointblank »

Hi everyone,

I run our company website. I just noticed a weird thing happening: when a staff member in the same office as me logs in, they see "Hi, Matt!" on their page instead of their name. I can't test whether this is happening outside the office (I assume not), but is it possible for us all to be somehow sharing cookies since we're all on the same network with the same IP?

Before anyone suggests it, I've triple-checked that my details/user ID aren't hardcoded into the script. Basically, the way it works is like so:

- The user logs in. If their details are correct, we generate a hash containing their userID + a random unique string. This is stored in the database, and then set as their cookie.

- When the user edits their preferences (this is the problem page), we look up their details from the database by retrieving the value of their cookie and looking their info up from the database based on this. This is where it goes wrong - I've checked, and their cookie has a different value to mine, but when the lookup happens, it's getting the wrong values back. I've printed the query that is happening to get their info, and when run against the database directly, it returns the right details (e.g., theirs, not mine), but by the time it hits the page, it's displaying my info.

This is the function that returns the userID (which is returning mine, and not theirs) - can anyone see anything obviously wrong?

Code:

 
function getUserID($cookiename)
{
    if(isset($_COOKIE["$cookiename"])) {
        $cookiehash = htmlentities($_COOKIE["$cookiename"]);
        $query = "SELECT userID FROM users WHERE CookieHash = '$cookiehash'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_array($result);
        $userid = $row['userID'];
        return $userid;
    } else {
        return false;
    }
}
 
When I add a line to that function to echo the query, it looks like it should - it's using their unique cookie value. I deliberately tried changing the name of the variable I'm assigning the function's output to so I know it's unique and not being overwritten from anywhere else, so I'm at a loose end - can anyone help?

Thanks
Matt
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: Cookies sharing across local network?!

Post by Mark Baker »

What is the code you've posted going to do if the database query executes successfully, but returns no rows?
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: Cookies sharing across local network?!

Post by mattpointblank »

Hmm... good point. I guess the idea is that the user isn't able to set the cookie it tests for if they don't supply correct information to start with. The query should always return something since they won't have a cookie if it can't, if that makes sense? But I realise this could be a weak point - I'll try adding a case for no results and see what that does. Thanks.
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: Cookies sharing across local network?!

Post by mattpointblank »

Hmm. I modified the function so it returns false if there are no rows returned, but the problem remains. Any ideas?
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: Cookies sharing across local network?!

Post by Mark Baker »

What is the block of code around/immediately after where the function is called... i.e. what does it actually do when it gets a False back?
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: Cookies sharing across local network?!

Post by mattpointblank »

Here it is in context:

Code:

 
$useridSettings = getUserID("LGloginNew");
$query = "SELECT * FROM tblIndividuals WHERE IndividualID = '$useridSettings'";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
 
Then I echo out all of the variables from the query. When I print the output of the function, it's correct. The UserID seems to be getting overwritten somewhere, but I don't know where - I did a sitewide search and the $useridSettings name isn't used anywhere else at all.

There's some fairly lengthy code before/after it that includes things like the functions file for the entire site, stuff like that.

I did some more experimentation and getting it to work only happens when we're logged in literally at the same time, which almost suggests it's a session error to me, even though we're only using cookies. For example, if I have the page open on my screen, and a colleague logs in next to me on his machine, one of the two of us will see the other's details on our screens (in this situation, he usually sees mine).
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: Cookies sharing across local network?!

Post by Mark Baker »

Code:

 
$useridSettings = getUserID("LGloginNew");
$query = "SELECT * FROM tblIndividuals WHERE IndividualID = '$useridSettings'";
 
A return of False from the getUserID() call is then inserted into the SQL query giving:

Code:

 
SELECT * FROM tblIndividuals WHERE IndividualID = '0'
 
Is there a record with IndividualID = '0' in your tblIndividuals table?
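
Added example, not part of the thread or any poster's code: one way to write the two lookups discussed above so that a missing or unmatched cookie can never reach the second query, and so that the cookie value is bound as a parameter instead of being spliced into the SQL string. The function names `getUserIdFromCookie` and `loadIndividual`, the `Name` column, the sample rows and the in-memory SQLite database are assumptions; the table and column names otherwise follow the posts.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (assumption: the
// real site uses MySQL; the PDO calls are the same with a mysql: DSN).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, CookieHash TEXT UNIQUE)');
$pdo->exec('CREATE TABLE tblIndividuals (IndividualID INTEGER PRIMARY KEY, Name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'aaaa1111'), (2, 'bbbb2222')");
$pdo->exec("INSERT INTO tblIndividuals VALUES (1, 'Matt'), (2, 'Colleague')");

// Returns the user ID for the cookie value, or null when the cookie is
// missing, malformed, or matches no row. Never returns a "falsy" stand-in.
function getUserIdFromCookie(PDO $pdo, array $cookies, string $cookieName): ?int
{
    $hash = $cookies[$cookieName] ?? null;
    if (!is_string($hash) || $hash === '') {
        return null;
    }
    // Bound parameter: the cookie value is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT userID FROM users WHERE CookieHash = ?');
    $stmt->execute([$hash]);
    $id = $stmt->fetchColumn();          // false when no row matched
    return $id === false ? null : (int) $id;
}

// Loads the profile row only for a resolved user ID; null means "not logged in".
function loadIndividual(PDO $pdo, ?int $userId): ?array
{
    if ($userId === null) {
        return null;                     // do not run the query at all
    }
    $stmt = $pdo->prepare('SELECT * FROM tblIndividuals WHERE IndividualID = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: a valid cookie, an unknown hash, and no cookie.
foreach ([['LGloginNew' => 'bbbb2222'], ['LGloginNew' => 'nope'], []] as $cookies) {
    $row = loadIndividual($pdo, getUserIdFromCookie($pdo, $cookies, 'LGloginNew'));
    echo $row === null ? "not logged in\n" : "Hi, {$row['Name']}!\n";
}
```

The nullable `?int` return type makes the "no user" case something the caller has to handle explicitly, rather than a value that can be interpolated into the next query unnoticed.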
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: Cookies sharing across local network?!

Post by mattpointblank »

Hmm, no, there isn't, obviously. So if I follow you, these queries are returning empty result sets. What I don't understand is why it's using my IndividualID when somebody else logs in - is it some sort of leftover variable hanging around?

Also, in these test cases, there isn't a false return from the function (even though yes, it is possible for it to happen) - it displays their correct username on the initial welcome page, but upon loading this page (user preferences) we see my details instead. Somewhere along the line it's being overwritten somehow - the queries themselves are returning valid results.
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: Cookies sharing across local network?!

Post by mattpointblank »

Still no closer with this - can anyone else see anything blindingly obvious here?
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Cookies sharing across local network?!

Post by pickle »

So your getUserID() function is always returning the correct user id? The problem is that on that particular preferences page, the user id gets overwritten somewhere? Looks to me like you need to put a bunch of echo statements in your script to see exactly where it gets overwritten.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: Cookies sharing across local network?!

Post by mattpointblank »

That's what I thought, so I've tried renaming the variable with a unique name (I've searched to check) so it's the only time it's being used - the only time it changes is when someone in my office is logging in at the exact same time as me. This is so odd.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Cookies sharing across local network?!

Post by pickle »

If you:

Code:

echo '<pre>';
print_r($_COOKIE);
echo '</pre>';

Is it what you'd expect it to be or is there wrong data in there?

Are you and the other person coming from the same IP? I'm wondering if there's a chance cookies themselves are being overwritten.
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: Cookies sharing across local network?!

Post by mattpointblank »

I've checked, both of us have unique cookies and the hashes stored in there map up correctly to our details in the database (they're unique). The IP thing might be somewhere along the right lines, because I can't think of anything else I haven't already ruled out.

EDIT: Just checked now and we have different addresses.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Cookies sharing across local network?!

Post by pickle »

I'd go back to my "tons of echo statements" strategy.