PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Mon Sep 01, 2014 3:09 pm 
Forum Contributor

Joined: Fri Jul 18, 2014 1:54 pm
Posts: 179
Hi,

I have just completed the registration, login, profile portion of my website (local host only using XAMPP).
I am just reviewing the session security procedures.
In this web link, https://wblinks.com/notes/secure-sessio ... ment-tips/, it suggested I remove the session ID cookie when I log the person off due to lack of user activity.

The code for the user notice timeout page is below. (The cookie delete is from the page above, but I placed a comment in the code.)

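<?php
session_start();    // resume the current session so it can be torn down
session_unset();    // clear all session variables
setcookie("sid","",1);  //I can't see why this would work since the cookie is on the client machine - should it not be javascript doing the delete of the cookie???
session_destroy();  // delete the server-side session data
?>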
 


I have tried a lot of things to find this file (obviously before the above page gets executed) but luck is not with me I guess. Where is it? (again I am using XAMPP).
By the way, I found the general Google Chrome cookie directory and it does not seem to be there based upon a date/time sort.

Thanks,
John


 
PostPosted: Mon Sep 01, 2014 3:49 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
You're right that cookies are stored client side. PHP sets cookies along with the rest of the HTTP headers.

 
PostPosted: Mon Sep 01, 2014 4:02 pm 
Forum Contributor

Joined: Fri Jul 18, 2014 1:54 pm
Posts: 179
Thanks Celauran. You got me thinking; I did a Google search and found what you are talking about:
http://php.net/manual/en/function.setcookie.php

So I guess my former impression that only HTML code gets to the client machine and that PHP uses ONLY echo statements to build HTML code on the server side is not correct. In other words, there is header info before the HTML and PHP can directly affect that. Okay, so that answers my comment question in the code, I guess.


I found where one can look at the cookie at least.
https://code.google.com/p/procurement/w ... hSessionID
In Google Chrome (after opening up a localhost page where the session is started and on that browser page):
**Press F12
**click the resources item at the top.
**expand cookies and select the http://www.whatever.com item on the list
**find the item on the right that says PHPSESHID
**double click on the value, right click copy, Your session ID is now in the clipboard.

I did what is said above. I found the session ID cookie in the display, but the cookie delete statement does not seem to remove it. It's a mystery so far. I did notice that, as I move through the web pages I have created, the value inside the PHPSESSIONID does change (and I remember reading that it is probably encrypted, which it appears to be), so maybe the command just changes the value and when the window is closed it removes the cookie (located in some mysterious location for security purposes). If that is what happens I have no problem with it, just as long as I know it is automatic (unless each browser is different, of course).

I have commented out the cookie timed delete statement until such time as I can prove it works.
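
An added example, not code from the thread or from the linked article: an idle-timeout logout in which `setcookie()` removes the session cookie by sending a `Set-Cookie` response header with an expiry in the past, using the cookie name and parameters PHP reports for the session rather than a fixed name. It assumes PHP 7+; `IDLE_LIMIT`, the `last_activity` key, `expire_session()` and `timeout.php` are hypothetical names.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+; IDLE_LIMIT,
// 'last_activity', expire_session() and timeout.php are hypothetical names.
const IDLE_LIMIT = 900; // idle timeout in seconds (assumed value)

/**
 * End the session and ask the browser to drop its session cookie.
 * Returns the pending Set-Cookie headers so the deletion can be checked.
 */
function expire_session(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = []; // clear session data for the rest of this request

    if (ini_get('session.use_cookies')) {
        // A browser only overwrites a cookie whose name, path and domain
        // match, so read them from PHP instead of hard-coding a name.
        $p = session_get_cookie_params();
        // Emits "Set-Cookie: <name>=...; expires=<past date>" as a response
        // header; the browser discards the cookie when it sees the expiry.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // remove the server-side session data

    return array_values(array_filter(headers_list(), function ($h) {
        return stripos($h, 'Set-Cookie:') === 0;
    }));
}

// Must run before any output, because cookies travel in the HTTP headers.
session_start();
$last = $_SESSION['last_activity'] ?? null;
if ($last !== null && time() - $last > IDLE_LIMIT) {
    $sent = expire_session();
    error_log('logout headers: ' . implode(' | ', $sent));
    header('Location: timeout.php');
    exit;
}
$_SESSION['last_activity'] = time();
```

The same `Set-Cookie` line appears among the response headers in the browser's developer tools for the request that triggered the timeout.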

