I Need Cookie Clarification

Guest
Ok, I'm confused. Can cookies be faked? I've been looking at a few PHP user login/authentication scripts, and I noticed that once the cookie is placed on the client's computer, the only check done is to check if the particular cookie variables have been set using the isset function. Since the script only checks if the variables are set and not the actual values, couldn't someone just manufacture a cookie with the required variables, let's say username, password, and expdate? At least with sessions, the only thing that's stored on your computer is the session id. I know I'm missing something, can someone please clarify this?
Yes, someone could indeed spoof a cookie. That's why you shouldn't store anything more than the session id ;) You ask the user for the username and password once. If she gets it right, you'll start a session (doesn't matter how the session will be tracked). What those scripts probably do is store some additional information on the user's browser to add an extra security check. For example, it could store a cookie with the date and time the user logged in and store a session variable (on the server) with the same values and then, *after* checking the session stuff, it would check those values to see if they match. There are many many ways to do this. This was just a simple example that I thought of right now :)
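Added example (not from any post in the thread): the isset-only check described in the question beside a check that trusts only server-side session data and then compares the login-time cookie as suggested above. The function names and the arrays standing in for $_COOKIE and $_SESSION are assumptions, chosen so the code runs from the command line.

```php
<?php
// Added example, not from the thread. Plain arrays stand in for
// $_COOKIE and $_SESSION so the checks can be run with the PHP CLI.

// Weak: only asks whether the cookie names exist; values are never verified.
function isLoggedInWeak(array $cookies): bool
{
    return isset($cookies['username'], $cookies['password'], $cookies['expdate']);
}

// Stronger: identity comes from server-side session data. The login-time
// cookie is an extra check and is compared against the server's copy.
function isLoggedInSession(array $session, array $cookies): bool
{
    if (!isset($session['user_id'], $session['login_time'])) {
        return false; // no authenticated session on the server
    }
    return isset($cookies['login_time'])
        && hash_equals((string) $session['login_time'], (string) $cookies['login_time']);
}

// Constructed input: a client that invents the three cookie names.
$forged = ['username' => 'admin', 'password' => 'x', 'expdate' => '2099-01-01'];

var_dump(isLoggedInWeak($forged));        // invented cookie against the isset-only check
var_dump(isLoggedInSession([], $forged)); // same cookie, no server-side session

// Constructed input: session data written after a real password check.
$session = ['user_id' => 42, 'login_time' => '1100000000'];

var_dump(isLoggedInSession($session, ['login_time' => '1100000000'])); // matching cookie
var_dump(isLoggedInSession($session, ['login_time' => '1199999999'])); // altered cookie
```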
Ok...thanks..I'll use sessions instead.
Look at php.net for session_start() and other related comments and you'll see a goldmine of info on do's and don'ts of sessions and some ideas on how to prevent spoofing... if that's a concern of yours.
I think the best thing to use cookies for is dippin em in milk. But that's just me.
Ok, does anyone know how to change the session.gc_maxlifetime value? How does the ini_set function work? I don't quite understand it. I tried doing this: ini_set('session.gc_maxlifetime',604800). But that only changes the value for that particular script, which doesn't make sense in my opinion. Isn't there a way to change this value permanently?
What is it you're trying to do that other, existing authentication scripts aren't giving you?
Well, I'm not using any other scripts as references. I'm just doing it from scratch. Basically I created a user login page that uses sessions. I made an option where they can check to remember their info on the computer. So, I need to find a way to change that session.gc_maxlifetime value. I'm using a regular cookie just to store if they want to be remembered or not, and if they do I just start up another session and access the session variables. I'm just about to give up on sessions. I don't think sessions would be a good idea for a login script. I'm thinking of just putting their password encrypted on a cookie and just query the database each time to make sure it's valid.
I think there is a session.gc_maxlifetime in php.ini that makes a global change. However, as these are shared servers I think it would have an effect on all of the sites on that server, though I could be wrong, so I don't think that change is an option. Have you looked at the script here, http://www.microcyb.com/?m=c&c=283, to see if it would work for you? Unless that is essentially what you have done already.
That one is nasty... They are using deprecated PHP functions and it's too basic. About the php.ini file I understand what u mean. But I was asking if anyone knew what the ini_set function does exactly since the value u change using that function is changed back to the default once the script is done. I don't even see a purpose for it. Man, I was banging my head here for a few minutes on why these sessions were going wacko on me. Well, it turns out that it's best to rename your session variables to something different than the variables ur using in your scripts. They were being overwritten by other scripts in the page since register_globals is on. grrrrr. I can't wait til the day where everyone starts writing code for disabled register_globals that way our hosts can have it disabled. Thanks for the replies, Dave
Sorry I didn't reply sooner... What you are trying to do I have done as a custom script on one of my own sites. I strongly recommend you look at session info at php.net. I learned a LOT from that site even though I already knew the basics of sessions. My login code uses sessions unless they click 'Remember Me' and then it uses a cookie. As I recall, a session is going to be destroyed when the browser closes. So I think any sort of 'remember me' function will either have to use a cookie, or will be most easily done with a cookie.
Actually no, sessions last on the server 1440 seconds (this is the default). On the client, the session cookie can last as long as you want it to last by using the session_set_cookie_params() function. The problem is, I'm trying to change how long the session lasts on the server. I'm asking if it's possible since these are shared servers and if someone could explain the purpose of the set_ini function and if it has any bearing for this particular script I'm trying to make :D Thanks, David
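Added example (not from any post in the thread) for the ini_set() question: the function changes a directive for the current request only, so the calls belong in a shared include that runs before every session_start(). Per the PHP manual, scripts that share one session directory are cleaned up according to the shortest gc_maxlifetime among them, so the example also sets its own session.save_path; the directory name is a placeholder.

```php
<?php
// Added example, not from the thread. Include this file at the top of every
// script that uses the session. The directory is a placeholder: keep it
// outside the web root and readable only by the site's own account.
$lifetime = 604800;                            // 7 days, the value tried in the thread
$savePath = __DIR__ . '/../private_sessions';  // hypothetical per-site directory

if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}

// ini_set() lasts for the current request only, so these run on every request
// and must come before session_start().
ini_set('session.save_path', $savePath);       // own directory, not the server-wide one
ini_set('session.gc_maxlifetime', (string) $lifetime); // server side: age at which data may be collected
ini_set('session.use_only_cookies', '1');      // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');       // reject session ids the server did not issue

// Client side: how long the browser keeps the session id cookie.
// The array form of this call needs PHP 7.3 or later.
session_set_cookie_params([
    'lifetime' => $lifetime,
    'path'     => '/',
    'secure'   => true,                        // send over HTTPS only
    'httponly' => true,                        // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();
```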
One Last Bump. :D
 