tags:
views: 64
answers: 2

Okay, I am not getting any response with my original wordy wordness...

Can you execute script before setting cookies, or must it be the absolute first thing?

Can you set cookies, and is it practical, with $_POST or $_GET?

If not practical... or secure... what can I do to make sure my cookies are set securely (at least more securely than the method I am trying) without utilizing SSL?

I appreciate the help.

Matt

+5  A: 

Setting cookies doesn't have to happen at the beginning of the script -- it just has to happen before you actually output any HTML (or HTTP headers like a redirect).

Yes, it's very practical to read and set cookies along with $_POST and $_GET. You set cookies with the setcookie function in PHP, and read them from $_COOKIE.

In terms of security, you just need to think about a few things. For example, the user can see and modify what's contained in the cookies. Anyone upstream on the network could potentially do the same. The key is to not store data in the cookie that is supposed to be "secure".

philfreo
You should also encrypt the cookie.
Keyo
So I should basically setup a randomly generated "key" to be used with the account in order to establish the connection with the account...a key which would be reassigned each time the user loads a page...that would seem the most secure way.
Matt
I'd recommend you accept an answer to this question (basic how do cookies work) and then if you have questions specifically about the best way to implement a login system with cookies, make a new question for that.
philfreo
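The mechanics this answer describes (run arbitrary logic first, read request data from $_POST/$_GET, set the cookie before any output, read it back from $_COOKIE on the next request), as an added example that is not code from the question or the answer. Because the answer's main warning is that the user can read and modify the cookie, the example goes one step further than the text and signs the value with an HMAC so the server can detect tampering; it does not make the contents secret. The cookie name, the secret, and the "theme" preference are assumptions for illustration.

```php
<?php
// Added example, not from the original Q&A. Assumes a server-side secret in
// $secret; in real code load it from configuration, never hard-code it.
declare(strict_types=1);

const COOKIE_NAME = 'prefs';                                   // assumed name
$secret = 'replace-with-a-long-random-secret-from-config';     // assumed secret

// Build a tamper-evident value: base64(payload) . '.' . HMAC. The user can
// still READ the payload, so nothing confidential goes in it; they just
// cannot alter it without the server noticing.
function signCookieValue(string $payload, string $secret): string
{
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

// Returns the payload, or null if the cookie is missing, malformed or altered.
function verifyCookieValue(?string $value, string $secret): ?string
{
    if ($value === null || substr_count($value, '.') !== 1) {
        return null;
    }
    [$b64, $mac] = explode('.', $value, 2);
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison so response timing does not leak the valid MAC.
    return hash_equals($expected, $mac) ? $payload : null;
}

// 1. Any amount of logic may run first: read request data, query a database...
$theme = $_POST['theme'] ?? $_GET['theme'] ?? null;

// 2. Cookies travel in headers, so they must be set before any output.
//    headers_sent() catches a stray echo or whitespace before <?php in an include.
if ($theme !== null && in_array($theme, ['light', 'dark'], true)) {
    if (headers_sent($file, $line)) {
        error_log("cannot set cookie: output already started at $file:$line");
    } else {
        setcookie(COOKIE_NAME, signCookieValue($theme, $secret), [
            'expires'  => time() + 30 * 24 * 3600,
            'path'     => '/',
            'httponly' => true,   // not readable from document.cookie
            'samesite' => 'Lax',  // not sent on cross-site POST requests
            // 'secure' => true,  // add this once the site is served over HTTPS
        ]);
    }
}

// 3. Read it back. $_COOKIE holds what the browser sent with THIS request;
//    a cookie set above only shows up here on the next request.
$savedTheme = verifyCookieValue($_COOKIE[COOKIE_NAME] ?? null, $secret);

// 4. Only now start output.
header('Content-Type: text/plain');
echo 'Theme: ' . ($savedTheme ?? 'default (no valid cookie)') . "\n";
```

Without SSL the signed value is still visible to anyone on the path and can be replayed by them, so this only addresses the "user modifies the cookie" case from the answer, not eavesdropping; the array form of setcookie() used here requires PHP 7.3 or later.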
A: 

Use a tool like Firebug in Firefox and look at the Net tab, then expand the details section of each request to look at the request and response headers. This should help you get a better grip on the topic.

Cookies are just arbitrary text values sent in the response header before the actual website is sent. They tell the browser to save them somewhere and send them back to the originating domain in the request header for each subsequent request.

That means they can be sent together with any response header. POST is a request type and hence has nothing to do with setting cookies. The browser can send cookies to the server together with a POST request.

You can execute any script before setting cookies. But, since cookies need to be sent in the header, you can't send them after you have started outputting the webpage.

There's only one way to set cookies: in the response header. The only secure way to set a cookie is to send it with the secure flag over SSL, which only means the cookie should not be sent back to the server over non-SSL connections. That's it. Hence, think carefully about what information to put into cookies.

Sessions can solve this problem. A session just sends a meaningless token as cookie and uses this to retrieve data stored on the server.

deceze
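The session approach this answer ends on, as an added example that is not code from the answer: the cookie carries only a random, meaningless session id, and the user's data stays in $_SESSION on the server. The login check, user name and user id are constructed for illustration; a real application would look the password hash up in its own user store.

```php
<?php
// Added example, not from the original answer. Demonstrates a server-side
// session: the browser only ever holds an opaque id.
declare(strict_types=1);

// Attributes for the session-id cookie. 'secure' is false here only because
// the question rules out SSL; set it to true as soon as HTTPS is available.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => false,    // true in production over HTTPS
    'httponly' => true,     // JavaScript cannot read the session id
    'samesite' => 'Lax',    // not sent on cross-site POST requests
]);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_start();

// Hypothetical credential check against a constructed sample user.
// Real code would fetch the stored password_hash() value from a database.
function checkLogin(string $user, string $pass): ?int
{
    $users = ['matt' => password_hash('correct horse', PASSWORD_DEFAULT)];
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return 42; // the sample user's id
    }
    return null;
}

if (isset($_POST['user'], $_POST['pass'])) {
    $userId = checkLogin((string) $_POST['user'], (string) $_POST['pass']);
    if ($userId !== null) {
        // Issue a fresh id on login so an id planted before authentication
        // (session fixation) cannot be used to ride the logged-in session.
        session_regenerate_id(true);
        $_SESSION['user_id']  = $userId;
        $_SESSION['login_at'] = time();
    }
}

if (isset($_POST['logout'])) {
    $_SESSION = [];
    // Expire the id cookie in the browser as well as destroying server state.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}

// All header work is done; output may begin.
header('Content-Type: text/plain');
if (isset($_SESSION['user_id'])) {
    echo "Logged in as user {$_SESSION['user_id']}\n";
} else {
    echo "Not logged in\n";
}
```

Over plain HTTP the session id itself can still be sniffed and replayed, which is exactly why the answer says the secure flag over SSL is the only real fix; the session pattern limits what an observer gains to the lifetime of that one id rather than exposing the underlying data.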