
View Full Version : What if user disables cookie ?



phantom007
07-19-2012, 05:40 AM
Hi

I have a website that uses cookies to store user login info in the user's browser. When the user returns to the website, the site checks for that cookie, fetches the user/pass, authenticates and logs them in.

My question is what happens if the user has blocked cookies in their browser, is there still any possibility to authenticate them?

Cloud Ghost
07-19-2012, 06:16 AM
If the user blocked cookies (I don't think many people do) then you can't authenticate them, at least with cookies or sessions (and I can't think of any other good ways to authenticate the user). The browser should let the person know that the site wants to store cookies though. There is also a method you can use to check if the browser allows cookies and inform the user if they don't have cookies enabled. On the login page, set a "dummy" cookie with any value. Then when you process the login form, check if that cookie exists. If the cookie exists then continue on and log the user in. If not then ask the user to enable cookies and reload the page (to set the dummy cookie) and login again.

Luckily, I don't think many users do disable cookies though.

Dormilich
07-19-2012, 10:15 AM
For sessions there is the possibility to pass the session id as a URL parameter, though that is far from convenient and also opens possibilities to compromise a session.

phantom007
07-19-2012, 10:22 AM
How is passing a session id as a URL parameter relevant to fetching a cookie value?

Dormilich
07-19-2012, 10:27 AM
It's not relevant to fetching a cookie value, it's relevant to sessions. That means, even if the user cannot auto-login (no cookies), once he *is* logged in, all necessary data can be saved in the session. But sessions themselves rely on cookies (normally) to pass the session id on each HTTP request. Or in other words, if you have cookies disabled (and don't use the URL for the session id) you cannot log in (well, technically you can for the first page after login, but no other page).

phantom007
07-19-2012, 07:18 PM
So it means there is no way out, or no alternative?

Fou-Lu
07-19-2012, 07:20 PM
There is no alternative, no.
You have one of two options:
1. Use a cookie
2. Use the GET/POST and pass the querystring along.

This is exactly the same behaviour as PHP sessions use.

phantom007
07-20-2012, 07:13 AM
There is no alternative, no.
You have one of two options:
1. Use a cookie
2. Use the GET/POST and pass the querystring along.

This is exactly the same behaviour as PHP sessions use.

Thanks for the reply.

In your point #2, what will be the flow / use case? Could you please explain?

MarkR
07-20-2012, 12:38 PM
There is another way if used correctly: you can identify users using an ETag in the HTTP headers. They were originally designed for cache control but can be used to ID users (some could argue somewhat controversially).

https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_ETag

http://www.clickz.com/clickz/news/2098796/tracking-methods-evade-user-control

http://www.adotas.com/2011/08/hulu-caught-respawning-cookies-as-etags-enter-tracking-fray/

phantom007
07-20-2012, 05:55 PM
Hi Again

Thanks for your input, guys.

One last question is, if cookies are disabled in a client's browser will it have any impact in the sessions?


Thanks

Fou-Lu
07-20-2012, 07:17 PM
You mean using actual sessions?
Yes, just as it would if you ran it manually. The sessions work by first attempting to resolve the cookie, and then attempting to resolve the querystring for the session_name. If you cannot pass by cookie (detected by session_start as well), and you allow sessions without cookies, and you enable use_trans_sid, it will automatically append the session identifier to any links you have. This is the same logic you must follow.

So effectively, if you cannot set a cookie you must append a session identifier to the links to persist in page-by-page passing. If that sid is not provided via a link and the cookies are off, it's considered a new session.

Also, don't use ETags. Companies are getting into a lot of trouble by using them.
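As an added example that is not code from the thread, the following single-file PHP login page combines Cloud Ghost's dummy-cookie check with the cookie-first, querystring-fallback session resolution Fou-Lu describes; the probe cookie name, the demo credentials and the file layout are assumptions:

```php
<?php
// Added example (not from the thread). Probe cookie support on the login
// page, then start the session on the transport that works: cookie when
// possible, URL session id (use_trans_sid) only as a fallback. Names made up.

const PROBE_COOKIE = 'cookie_probe';
const DEMO_USER    = 'demo';                 // constructed demo credentials
$demoHash = password_hash('demo-password', PASSWORD_DEFAULT);

function cookiesAccepted(): bool
{
    // The probe was set on the previous GET; if it came back, cookies work.
    return isset($_COOKIE[PROBE_COOKIE]);
}

function startSession(bool $cookiesWork): void
{
    // Refuse session ids the server never issued, so a link carrying a
    // pre-chosen id cannot fixate a victim's session (PHP >= 5.5.2).
    ini_set('session.use_strict_mode', 1);
    if ($cookiesWork) {
        ini_set('session.use_only_cookies', 1);  // id never appears in URLs
        ini_set('session.use_trans_sid', 0);
        ini_set('session.cookie_httponly', 1);
    } else {
        // Fallback: PHP reads the id from the query string and rewrites
        // relative links to carry it. Ids in URLs leak via Referer headers
        // and browser history, so regenerate after login and keep it short.
        ini_set('session.use_only_cookies', 0);
        ini_set('session.use_trans_sid', 1);
    }
    session_start();
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    setcookie(PROBE_COOKIE, '1', 0, '/');         // drop the probe, show form
    echo '<form method="post"><input name="user"><input name="pass" type="password"><button>Login</button></form>';
    exit;
}

$cookiesWork = cookiesAccepted();
startSession($cookiesWork);
$user = $_POST['user'] ?? '';
if (hash_equals(DEMO_USER, $user) && password_verify($_POST['pass'] ?? '', $demoHash)) {
    session_regenerate_id(true);                  // fresh id on either transport
    $_SESSION['user'] = $user;
    echo $cookiesWork ? 'Logged in (cookie session).'
                      : 'Logged in (session id will be appended to links).';
}
```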

phantom007
07-20-2012, 08:05 PM
Love you for your answer Fou-Lu

phantom007
08-10-2012, 11:47 AM
Hi Again

I was running the following code to see how the sid gets appended to the test.php link, but unfortunately it is not. Can you please tell me how to make it work?



<?php
// Ask PHP to append the session id to relative links in the output
ini_set('session.use_trans_sid', 1);
session_start();

// Count page loads in the session to see whether it persists
if (isset($_SESSION['test'])) {
    $_SESSION['test'] += 1;
} else {
    $_SESSION['test'] = 1;
}

echo $_SESSION['test'];
echo "<BR>";
?>
<a href="test.php">test</a>

Fou-Lu
08-10-2012, 03:52 PM
use_trans_sid only has value if cookies are not required. Add:


ini_set('session.use_only_cookies', 0);

And it should work.

phantom007
08-10-2012, 04:01 PM
I have modified the code but the sid is still not appended to the hyperlink.

Here's the modified code:



<?php
//ini_set('session.use_trans_sid', 1);
// Allow the session id to be taken from the query string, not only from a cookie
ini_set('session.use_only_cookies', 0);
session_start();

// Count page loads in the session
if (isset($_SESSION['test'])) {
    $_SESSION['test'] += 1;
} else {
    $_SESSION['test'] = 1;
}

echo "<BR>";
echo session_id();
?>

<a href="test.php">test</a>

Fou-Lu
08-10-2012, 04:22 PM
The use_trans_sid has been commented out.

phantom007
08-10-2012, 07:03 PM
That did the trick.

Many thanks
