View Full Version : Cooooooooookie



werty37
06-16-2006, 08:23 AM
Hi
OK, here is the problem... PHP won't spit out the cookie value.
$cookieset[0]


IF (!isset($_COOKIE["EMITES"])) {

$cookieset["sid"] = md5(uniqid(rand(), true));
$cookieset["user"] = "Guest";
$cookieset["logintime"] = time();
$cookieset["ip"] = $_SERVER["REMOTE_ADDR"];
$cookieset["useragent"] = $_SERVER["HTTP_USER_AGENT"];
setcookie("EMITES", addslashes(serialize($cookieset)),time()+600,"/");

echo "Cookie placed: " . addslashes(serialize($cookieset));

} else {

$cookieset = unserialize(stripslashes($_COOKIE["EMITES"]));
echo "SessionID: " . $cookieset[0];

}


Thanks

Curtis D
06-16-2006, 09:54 AM
You do know you don't have to generate session IDs manually, right? If you want to store a session ID, you can use the session_id (http://php.net/session_id) function to return the session ID. You can also set it using that function. If you are trying to focus on security, and you don't have access to php.ini, you can keep your method, but should change from php.net's suggested method of using md5(uniqid(rand(), true)) to sha1(uniqid(rand(), true)), since the sha-1 hash has a hash sum size of 160 bits (whereas md5's is 128).

Also, for your assoc. array not outputting properly, try using print_r (http://php.net/print_r) to see what's in $cookieset after unserializing.

werty37
06-17-2006, 04:54 AM
Hi

Thanks for your suggestion. I'll rewrite my code.
The serialize thing is working. When I check out the cookies I
see the values, but I am not able to retrieve the data
from the cookies.


var_dump($cookieset[0]);
This prints NULL

Thanks in Advance

Curtis D
06-17-2006, 08:46 AM
I rewrote, and played around, slightly, w/ your code, and it seems to be working (running on PHP 5).

<?php
if (!isset($_COOKIE['EMITES'])) {
## Cookie options
// Just leave out expiry if you want session cookie; i.e.
// to terminate when browser closes
$expiry = time()+600;
$path = '/';

$cookieset['sid'] = sha1(uniqid(rand(), true));
$cookieset['user'] = 'Guest';
$cookieset['logintime'] = time();
$cookieset['ip'] = $_SERVER['REMOTE_ADDR'];
$cookieset['useragent'] = $_SERVER['HTTP_USER_AGENT'];
$serialize = addslashes(serialize($cookieset));
// Set the cookie
setcookie('EMITES', $serialize, $expiry, $path);

echo "<p>Cookie placed: $serialize</p>";
} else {
$cookie = unserialize(stripslashes($_COOKIE['EMITES']));
echo '<p>Unserialized cookie:</p><pre>';
print_r($cookie);
echo '</pre>';
echo "\n\n<p>Session ID: {$cookie['sid']}</p>";
}
?>

I made some minor changes here and there, so you may want to look it over.

It looks like you are trying to re-create how PHP internally handles sessions. Are you familiar with sessions in PHP (http://php.net/sessions)? PHP will handle all of this for you internally. For example

<?php
session_start(); // Begin a stateful session
header('Cache-Control: private'); // IE cache issue fix

// These should only be set after they log in successfully
$_SESSION['sid'] = session_id();
$_SESSION['user'] = 'Guest';
$_SESSION['login_time'] = time();
?>

Every page where session_start is at the top of the script will be able to have access to those values set in $_SESSION superglobal. This allows you to track data across your site. PHP can be set to automatically fall back to rewriting some of your URIs so that sessions will be maintained through the querystring, when session cookies fail.

werty37
06-17-2006, 09:03 AM
Hi
Did you say it worked?

My bad luck, it is not working for me... :o

The first part of the IF is working perfectly.
It outputs the contents pucca:

Cookie placed: a:5:{s:3:\"sid\";s:40:\"edbd28d2271e90b485c6dcc186b926eea40a0ecb\";s:4:\"user\";s:5:\"Guest\";s:9:\"logintime\";i:1150531198;s:2:\"ip\";s:9:\"127.0.0.1\";s:9:\"useragent\";s:105:\"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060608 Ubuntu/dapper-security Firefox/1.5.0.4\";}

Then when I refresh, this is what I get:


Unserialized cookie:

Session ID:

NULL values...

I am using PHP Version 5.1.2

Are there any bugs with unserialize in this version?

Thanks

Curtis D
06-17-2006, 09:43 AM
None that I am aware of. I am using the same PHP version as you (on Win32).

I'm not sure what other code is in your script, as it should be working. Did you use the code I posted, or did you just change your own a little?

werty37
06-17-2006, 09:46 AM
I just copied the exact code and executed it...

werty37
06-17-2006, 09:55 AM
Hi
I tried to print what $cookie contains...



$cookie = unserialize(stripslashes($_COOKIE['EMITES']));
var_dump($cookie);


Prints:
bool(false)

Maybe I'm not able to access my cookie..

edit: Oh, right! The ELSE condition will not evaluate to true in the first place if I am not able to access the cookie.
Thanks

werty37
06-17-2006, 07:57 PM
Hi there,

I got it working somehow.
The problem was with stripslashes!!!
I was looking through the serialize manual on php.net when I read
this post:



caveat: stripslashes!!!

if using
setcookie('hubba',serialize($data));
to set a cookie, you might want to check
$data = unserialize(stripslashes($_COOKIE['hubba']));
to retrieve them back!!!

this is, if unserialize fails. you can also print_r($_COOKIE) to look into what you've got back.

beats me how the slashes got there in the first place....


Here is the full working code...



<?php
if (!isset($_COOKIE['EMITES'])) {

$expiry = time()+600; $path = '/';

$cookieset['sid'] = sha1(uniqid(rand(), true));
$cookieset['user'] = 'Guest';
$cookieset['logintime'] = time();
$cookieset['ip'] = $_SERVER['REMOTE_ADDR'];
$cookieset['useragent'] = $_SERVER['HTTP_USER_AGENT'];
$serialize = (serialize($cookieset));
// Set the cookie
setcookie('EMITES', $serialize, $expiry, $path);
echo "<p>Cookie placed: $serialize</p>";
} else {
$cookie = unserialize(stripslashes($_COOKIE['EMITES']));

echo '<p>Unserialized cookie:</p><pre>';
print_r($cookie);
echo '</pre>';
echo "\n\n<p>Session ID: {$cookie['sid']}</p>";
}
?>


Thanks a lot

werty37
06-17-2006, 08:37 PM
Hi once again,

I was thinking of encrypting the cookie...
I wrote an encryption class code with help of people from this forum



<?php
class securedata
{
private
$key,
$iv;

public function __construct()
{
$this->key = 'Four score and twenty years ago';
$this->iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
}

public function encrypt($STR)
{
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $STR, MCRYPT_MODE_CBC, $this->iv);
}

public function decrypt($STR)
{
return mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, $STR, MCRYPT_MODE_CBC, $this->iv);
}
}

$secure = new securedata;
?>


I thought of encrypting the cookie this way....



<?php
require_once "securedata_inc.php";

if (!isset($_COOKIE['EMITES'])) {

$expiry = time()+600; $path = '/';

$cookieset['sid'] = md5(uniqid(rand(), true));
$cookieset['user'] = 'Guest';
$cookieset['logintime'] = time();
$cookieset['ip'] = $_SERVER['REMOTE_ADDR'];
$cookieset['useragent'] = $_SERVER['HTTP_USER_AGENT'];

// Set the cookie
setcookie('EMITES', $secure->encrypt(serialize($cookieset)), $expiry, $path);
echo "<p>Cookie placed: ";
} else {
$cookie = unserialize(stripslashes($secure->decrypt($_COOKIE['EMITES'])));
echo '<p>Unserialized cookie:</p><pre>';
print_r($cookie);
echo '</pre>';
echo "<p>Session ID: {$cookie['sid']}</p>";
echo "<p>Login Time: {$cookie['logintime']}</p>";
}
?>


When I run the script, an encrypted cookie is placed
but I'm not able to decrypt and get the values back.
There is no error printed but it just doesn't return any cookie
values

Thanks once again
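
Added example (editorial, not part of any post in this thread and not code from the forum members): in the class posted above, the constructor draws a new random IV on every request, so the request that decrypts never has the IV that was used to encrypt. The code below ships the IV with the ciphertext, authenticates the cookie with AES-256-GCM, and encodes the payload as JSON so client-supplied data never reaches unserialize(). seal_cookie(), open_cookie(), CIPHER, TAG_LEN and the demo key are hypothetical names; it assumes PHP 7.3+ with the openssl extension (mcrypt was removed in PHP 7.2).

```php
<?php
// Added example. seal_cookie(), open_cookie(), CIPHER, TAG_LEN are hypothetical names.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

// Encrypt and authenticate $data; the result is plain ASCII for setcookie().
function seal_cookie(array $data, string $key): string
{
    $iv   = random_bytes(openssl_cipher_iv_length(CIPHER)); // new IV for every cookie
    $tag  = '';
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    $ct   = openssl_encrypt($json, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // IV and tag are not secret: they travel with the ciphertext so a later request can decrypt.
    return base64_encode($iv . $tag . $ct);
}

// Returns the decoded array, or null if the cookie is malformed or was modified.
function open_cookie(string $cookie, string $key): ?array
{
    $raw   = base64_decode($cookie, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen + TAG_LEN) {
        return null;
    }
    $iv   = substr($raw, 0, $ivLen);
    $tag  = substr($raw, $ivLen, TAG_LEN);
    $ct   = substr($raw, $ivLen + TAG_LEN);
    $json = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($json === false) {
        return null; // authentication tag did not verify
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Demo with constructed values. In an application the 32-byte key is loaded
// from server-side configuration and stays the same across requests.
$key    = random_bytes(32);
$cookie = seal_cookie(['sid' => bin2hex(random_bytes(16)), 'user' => 'Guest', 'logintime' => time()], $key);
var_dump(open_cookie($cookie, $key));

// Change one character of the cookie, as a client could, and open it again.
$tampered     = $cookie;
$tampered[20] = $tampered[20] === 'A' ? 'B' : 'A';
var_dump(open_cookie($tampered, $key));
```

In the script from the post, these calls would take the place of encrypt()/decrypt(): setcookie('EMITES', seal_cookie($cookieset, $key), $expiry, $path) when setting, and open_cookie($_COOKIE['EMITES'], $key) when reading, with a null result treated as "no valid cookie".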

DELOCH
06-17-2006, 09:08 PM
this is probably another problem of difference between php5 and php4

php 4: ($name)
php 5: ($_GET['name']);


something like this? hope it helps :\

werty37
06-17-2006, 09:15 PM
I don't get it...
I am kinda dumb..
Please explain to me whatever you wanted to say

thanks

edit: hehe, I saw your post "xampp", now I understand what you were saying... actually I'm a beginner in PHP and I started with PHP5
so I really don't have to care too much about PHP4

Curtis D
06-17-2006, 11:21 PM
I haven't had need of the mcrypt lib myself, so you may want to consult with an expert! :p


