Cookie code causing errors



sonny
06-24-2009, 07:04 AM
Hi

This code is very old, about 2005. It's a PHP module for a Perl script tracking script that I have been using for years. The problem I discovered lately is that it's causing error messages when used inside a forum page. When I visit with a cookie set, it works fine, does not log me, etc., but when a bot visits or I have no cookie, it creates an error in the forum error log.

( I see 2 types of errors in my forum error log )

1 Undefined index: HTTP_REFERER
and
2 Undefined index: stats_no_log // the cookie name



<?php

if ($_COOKIE['stats_no_log'] != "1") {
$STATSLogFile = '/home/content/cgi-bin/stats/log/log.txt';
$STATSTimeOffsetInHours = +3;

$STATSdomain = 'http://www.MyDomain.com';
$STATSuri = $_SERVER['REQUEST_URI'];
$STATSrad = $_SERVER['REMOTE_ADDR'];
$STATSREMOTE_HOST = @getHostByAddr($STATSrad);

$STATSFrom = $_SERVER['HTTP_REFERER'];

$STATSTo = $STATSdomain.$STATSuri;
$STATSHTTP_USER_AGENT = $_SERVER['HTTP_USER_AGENT'];

$STATSunixtime = time() + (3600*$STATSTimeOffsetInHours);
$STATSsecond = date("s", ($STATSunixtime))+0;
$STATSminute = date("i", ($STATSunixtime))+0;
$STATShour = date("G", ($STATSunixtime))+0;
$STATSday = date("j", ($STATSunixtime))+0;
$STATSmonth = date("n", ($STATSunixtime))-1;
$STATSyear = date("y", ($STATSunixtime))+100;
$STATSwday = date("w", ($STATSunixtime))+0;
$STATSyday = date("z", ($STATSunixtime))+0;

$STATSlogline =
"|$STATSREMOTE_HOST|$STATSrad|$STATSFrom|$STATSTo|$STATSHTTP_USER_AGENT|$STATSsecond|$STATSminute|$STATShour|$STATSday|$STATSmonth|$STATSyear|$STATSwday|$STATSyday|\n";

$STATSfile = fopen("$STATSLogFile", "a");
flock($STATSfile, 2);
fwrite($STATSfile, "$STATSlogline");
flock($STATSfile, 3);
fclose($STATSfile);
}

?>


I do not think it properly deals with a cookie. Anyone see what might be doing that?

Thanks
Sonny

Fumigator
06-24-2009, 05:31 PM
First of all... "very old" code is COBOL shiz written in 1975, not a PHP script written in 2005 ;)

Second, those two errors are really just notices, not errors, but nonetheless, they indicate you are attempting to refer to an array index that doesn't exist. In the case of the cookie variable $_COOKIE['stats_no_log'], if you check first to see if it exists before you refer to it, that notice will go away:



if (isset($_COOKIE['stats_no_log']) && $_COOKIE['stats_no_log'] != "1") {


The other one, $_SERVER['HTTP_REFERER'], shouldn't really be counted on at all, since it may or may not ever be set by the user agent. From the PHP manual:


The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

You can do the same thing here to stop the notice from happening:



if (isset($_SERVER['HTTP_REFERER'])) {
$STATSFrom = $_SERVER['HTTP_REFERER'];
} else {
$STATSFrom = "User Agent did not provide this value";
}

masterofollies
06-24-2009, 06:37 PM
I highly recommend re-writing to sessions rather than cookies.

sonny
06-24-2009, 07:10 PM
I highly recommend re-writing to sessions rather than cookies.

Why? What are the advantages of that?

Note the Perl module version of this script uses my hostname to not log me. That is the best way, I think, but I do not know how to implement that in the above PHP code.

Sonny

sonny
06-24-2009, 07:21 PM
Worked, no more errors. Thank you!

Replaced this line


if ($_COOKIE['stats_no_log'] != "1") {

With this line


if (isset($_COOKIE['stats_no_log']) && $_COOKIE['stats_no_log'] != "1") {



Replaced this line


$STATSFrom = $_SERVER['HTTP_REFERER'];

With


if (isset($_SERVER['HTTP_REFERER'])) {
$STATSFrom = $_SERVER['HTTP_REFERER'];
} else {
$STATSFrom = "User Agent did not provide this value";
}


Thanks again
Sonny

masterofollies
06-24-2009, 07:48 PM
To answer your question. Cookies are security risks, since information is actually stored in a file on your computer.

SESSIONS are encrypted and are online only, no files. Nothing is completely safe from risks, but the security is far greater, and in my opinion easier to code.

Cookies are from the old days, and sessions are what they are being replaced with.

sonny
06-24-2009, 08:14 PM
To answer your question. Cookies are security risks, since information is actually stored in a file on your computer.

SESSIONS are encrypted and are online only, no files. Nothing is completely safe from risks, but the security is far greater, and in my opinion easier to code.

Cookies are from the old days, and sessions are what they are being replaced with.

That cookie is only for the purpose of not logging my visits on my PHP pages. On standard htm pages I use SSI includes that call the Perl script, and that excludes me from logging via my hostname.

In that code above I posted, is it very difficult to add an ignore hostname string array like setting?

Thanks for weighing in
Sonny

masterofollies
06-24-2009, 09:00 PM
Just trying to be helpful. I don't know anything about Perl

tomws
06-24-2009, 10:32 PM
Cookies are security risks, since information is actually stored in a file on your computer.

SESSIONS are encrypted and are online only, no files. Nothing is completely safe from risks, but the security is far greater, and in my opinion easier to code.


This is incorrect, I think. Sessions are not encrypted unless handled over SSL connection (https).

Also, if I'm not mistaken, PHP sessions attempt to store the session id in a cookie by default. The SID can also be passed as a URL parameter, but that exposes information just like a cookie would.
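
Added example (not part of the thread): a minimal sketch of the point above, that a PHP session keeps its data on the server while the browser holds only the session id in a cookie, and that protection in transit comes from HTTPS. It assumes PHP 7.3+ for the array form of session_set_cookie_params(); the stats_no_log session key is reused from the thread for illustration.

```php
<?php
// Added example; assumes PHP 7.3+ and an HTTPS site.

// session.use_only_cookies=1 and session.use_trans_sid=0 are the defaults in
// current PHP; together they keep the session id out of URLs.
ini_set('session.use_strict_mode', '1'); // refuse ids the server did not issue

session_set_cookie_params([
    'lifetime' => 0,      // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,   // id is only sent over HTTPS; TLS encrypts it in transit
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

// Stored server-side (files under session.save_path by default), not in the browser.
$_SESSION['stats_no_log'] = true;

// The browser only ever holds this name=value pair.
printf("cookie sent to client: %s=%s\n", session_name(), session_id());
printf("server-side data: %s\n", json_encode($_SESSION));
```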

masterofollies
06-24-2009, 11:03 PM
Sessions can be used with MD5 and SHA1 encryption. Yes if used with SSL they are encrypted. There are many different types of sessions. I use them on almost every website I build.

Sessions grew up from cookies as a way of storing data on the server side, because the inherent problem of storing anything sensitive on clients' machines is that they are able to tamper with it if they wish. In order to set up a unique identifier on the client, sessions still use a small cookie - this cookie simply holds a value that uniquely identifies the client to the server, and corresponds to a data file on the server.

Sessions are a step up from cookies.

tomws
06-25-2009, 03:34 PM
Sessions can be used with MD5 and SHA1 encryption. Yes if used with SSL they are encrypted. There is many different types of sessions. I use them on almost every website I build.

I'd be interested in reading more about this. Got links? php.net and Google are proving unhelpful with my search terms ("php sessions encryption").

sonny
06-27-2009, 06:17 PM
Second, those two errors are really just notices, not errors, but nonetheless, they indicate you are attempting to refer to an array index that doesn't exist. In the case of the cookie variable $_COOKIE['stats_no_log'], if you check first to see if it exists before you refer to it, that notice will go away:



if (isset($_COOKIE['stats_no_log']) && $_COOKIE['stats_no_log'] != "1") {




I just noticed bots and anyone with cookies turned off do not get logged with that line above; the logic does not seem right.

Shouldn't the code log everyone first by default, then have an else statement if the cookie is present and set to stats_no_log=1, "then DO NOT log that hit"?

Can you give me an example on how to do that at the top of the code I posted? I think that will work.

Thank you so much for taking the time to help me
Sonny
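
Added example (not part of the thread, and not the original module): one way to log every hit by default and skip only when the stats_no_log cookie is "1" or the visitor's hostname is on an ignore list, while cleaning the client-supplied fields before they go into the pipe-delimited log line. The function names, STATS_IGNORE_HOSTS, and the sample hostnames and addresses are hypothetical; the date fields are left out to keep the focus on the skip logic and field handling, and PHP 7+ is assumed.

```php
<?php
// Added example, not the original tracking module. Requires PHP 7+.

// Hypothetical list of the site owner's own hostnames that are never logged.
const STATS_IGNORE_HOSTS = ['home.example.net'];

// Log by default; skip only on an explicit opt-out cookie or an ignored hostname.
function stats_should_log(array $cookies, string $remoteHost): bool
{
    // A missing cookie (bots, cookies disabled) falls through to "log it".
    if (($cookies['stats_no_log'] ?? '') === '1') {
        return false;
    }
    return !in_array(strtolower($remoteHost), STATS_IGNORE_HOSTS, true);
}

// Request headers are client-controlled. Replace control characters (CR/LF would
// start a forged log line), escape the "|" delimiter, and cap the length.
function stats_clean_field(?string $value, string $default = '-'): string
{
    if ($value === null || $value === '') {
        return $default;
    }
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return substr(str_replace('|', '%7C', $value), 0, 512);
}

function stats_build_line(array $server, string $remoteHost): string
{
    $fields = [
        stats_clean_field($remoteHost),
        stats_clean_field($server['REMOTE_ADDR'] ?? null),
        stats_clean_field($server['HTTP_REFERER'] ?? null),    // may be absent
        stats_clean_field($server['REQUEST_URI'] ?? null),
        stats_clean_field($server['HTTP_USER_AGENT'] ?? null), // may be absent
    ];
    return '|' . implode('|', $fields) . "|\n";
}

// Constructed sample request: no cookie, no Referer, hostile User-Agent.
$server = [
    'REMOTE_ADDR'     => '192.0.2.10',
    'REQUEST_URI'     => '/forum/index.php',
    'HTTP_USER_AGENT' => "bot/1.0\n|fake.host|198.51.100.7|",
];
if (stats_should_log($_COOKIE ?? [], 'crawler.example.org')) {
    echo stats_build_line($server, 'crawler.example.org');
}
```

In the module itself, pass $_COOKIE, $_SERVER and the gethostbyaddr() result to these functions and keep the existing fopen/flock/fwrite sequence for the write.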


