views: 231

answers: 5

I am trying to figure out the workings of an IPB forum.

If I tick remember me, then I will remain logged in even if I close the browser and reopen it.

I am trying to work out how this is possible, as the only cookies that are set by the server expire at the end of the session, i.e. when I close my browser. So how does the server know how to resume the session, without using cookies?

edit: The session id cookie is set to expire at the end of the session, and I have my browser set to delete cookies at the end of the session.

This means when I close my browser (the session ends), the cookie should be deleted.

During the time my browser is closed, if I open up the same site in a different browser, surely the session should be resumed? This does not happen however.

Instead, if I open up my original browser, the session resumes.

The only other cookie set is a cookie called pass_hash, which expires as soon as it is created, and is sent by the server every time a page is loaded. So it would not be being used for authentication.

A: 

It sounds to me like you just missed a cookie (or misread/misunderstood when it expires), but the alternate possibility might be that it's keeping the remote address stored in the DB and automatically creating a new session for it for the second visit. However, this would be a rather poor solution both security-wise and due to NATs, et cetera - so I doubt that's what IPB does.

Amber
I have not missed any cookies... I have been monitoring them as they are created and checking their expiration dates to try and understand.
Joshxtothe4
A: 

Normally cookies last after you close the browser. If you are using PHP, check out setcookie's options, or if you are using sessions, check out the session area.

// Set Cookie
setcookie($name, $value, $expire);
// $expire is an absolute Unix timestamp (seconds since the Epoch, e.g. time() + 86400);
// the browser keeps the cookie until then, even after it is closed and reopened
// Session
session_set_cookie_params($lifetime);
// $lifetime is the session cookie's lifetime in seconds (0 = until the browser closes);
// call this before session_start()
Chacha102
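The mechanism behind a "remember me" box is usually exactly the distinction the answer above draws: the session cookie has no expiry and dies with the browser, while a second cookie is issued with an absolute expiry and so survives a restart. The following is an added example, not IPB's code and not code from any answer on this page, showing how such a persistent token is issued and checked in PHP. It assumes PHP 7.3 or later (for the array form of setcookie()) with the pdo_sqlite extension; the table name remember_tokens, the cookie name remember_me, and the function names are hypothetical. The token is split into a selector (a lookup key stored in clear) and a validator (a secret of which only the hash is stored), so a leaked database does not hand out usable cookies.

```php
<?php
// Added example (not IPB's code, nor code from any answer above): a "remember me"
// token that outlives the PHP session cookie. Assumes PHP >= 7.3 (array form of
// setcookie()) with the pdo_sqlite extension; the table name `remember_tokens`
// and cookie name `remember_me` are hypothetical.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_DAYS   = 30;

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');            // in-memory DB for the demo
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE remember_tokens (
                        selector       TEXT PRIMARY KEY,
                        validator_hash TEXT NOT NULL,
                        user_id        INTEGER NOT NULL,
                        expires_at     INTEGER NOT NULL)');
    }
    return $pdo;
}

// Called once, after a successful password login with "remember me" ticked.
function issueRememberToken(int $userId): string {
    $selector  = bin2hex(random_bytes(8));    // row lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));   // secret half, only its hash is stored
    $expires   = time() + REMEMBER_DAYS * 86400;
    db()->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    $cookieValue = $selector . ':' . $validator;
    // The session cookie has no expiry and dies with the browser; this one carries
    // an absolute expiry, so the browser writes it to disk and sends it back later.
    setcookie(REMEMBER_COOKIE, $cookieValue, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // never sent over plain HTTP
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $cookieValue;
}

// Called on a request that has no live session. Returns the user id whose session
// should be re-created (the caller then does session_start() and fills $_SESSION),
// or null if the cookie is missing, unknown, expired or forged.
function userFromRememberCookie(?string $cookieValue): ?int {
    if ($cookieValue === null || substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);
    $stmt = db()->prepare('SELECT validator_hash, user_id, expires_at
                           FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of the hash, so a wrong validator cannot be probed
    // byte by byte through response timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: someone holds a copied or guessed cookie.
        // Revoke the token so the legitimate copy stops working too.
        db()->prepare('DELETE FROM remember_tokens WHERE selector = ?')
            ->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Walk-through: log in, "close the browser" (the session cookie is gone), return
// with only the persistent cookie, and check the server still knows who we are.
function demo(): array {
    $cookie = issueRememberToken(42);
    [$selector] = explode(':', $cookie, 2);
    $forged = $selector . ':' . str_repeat('0', 64);
    return [
        'returning visitor' => userFromRememberCookie($cookie),                 // 42
        'unknown selector'  => userFromRememberCookie('0000000000000000:' . str_repeat('0', 64)), // null
        'forged validator'  => userFromRememberCookie($forged),                 // null, and revokes the row
        'after revocation'  => userFromRememberCookie($cookie),                 // null
    ];
}

var_export(demo());
```

Run it with the PHP CLI (`php remember_me.php`); the walk-through at the bottom plays the asker's scenario against the in-memory table. Two design points matter for defenders: the cookie carries Secure and HttpOnly so it is neither sent in clear nor readable by page scripts, and a correct selector with a wrong validator is treated as evidence of a stolen cookie and revokes the token rather than just returning null.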
+1  A: 

The session information isn't necessarily destroyed when the browser window is closed. In PHP, for example, you can choose to save session information in a database and you could persist that after the browser is closed and the original session is ended.

Another way I can think of is setting a flag on the Users table stating that the user is still logged in. Perhaps the table has a field called logged_in and you can set that to true. After a certain amount of time [ie, you don't come back] it would be reset back to false.

Peter Spain
If the browser window closes though, and the session cookie is set to expire at the end of the session, and the cookie is deleted when I close my browser (end the session), does this mean if I open up the site in a different browser the session should be resumed? If not, why not?
Joshxtothe4
That may be how it works. They could store the session along with your IP address and the time which you logged in. When you come back, they can check your IP, match it with a username and the time from last login (NOTE: if greater than 1 hour, login required). You would however have to delete these field values when the user logs out.
mlevit
Then why does the session not resume in a different browser?
Joshxtothe4
The browser information could also be stored along with all the other information. Maybe you could contact the IPB forum and find out how they store your 'Remember Me' details.
mlevit
Unfortunately I can't seek support from IPB. I don't think the browser information is being used though, as I used a different copy of the same browser. It must be some kind of storage.
Joshxtothe4
+1  A: 

There are a few places to hide session information other than cookies.

a session key in the URL (http://example.com/app/234348738790/main)

a session key as a GET variable ( ?sess=257892345 )

a session key as a POST variable (input type='hidden')

store it in local storage in the browser

use javascript with any of the above to communicate the session info back to the server.

Colin Coghill
The problem I have in understanding how IPB is working, is that none of these methods are working. Unless it is some custom hidden javascript storing state separately...
Joshxtothe4
A: 

A sneaky alternative to cookies is the last-modified timestamp in an image or other object. The server can give you an image setting the timestamp to a value that identifies your session. When you load another page the browser sends an if-modified-since timestamp and gives you away.

Kristoffon