
    Cookies

    PHP transparently supports HTTP cookies. Cookies are a mechanism for storing data in the remote browser and thus tracking or identifying returning users. You can set cookies using the setcookie() or setrawcookie() function. Cookies are part of the HTTP header, so setcookie() must be called before any output is sent to the browser. This is the same limitation that header() has. You can use the output buffering functions to delay the script output until you have decided whether or not to set any cookies or send any headers.

    Any cookies sent to the server by the client are automatically included in the $_COOKIE auto-global array if variables_order contains "C". If you wish to assign multiple values to a single cookie, just add [] to the cookie name.

    On older PHP systems (5.3 or earlier), register_globals may be enabled, which can cause undesirable and insecure operation. If it is enabled, cookies are registered as global variables.

    For more details, including notes on browser bugs, see the setcookie() and setrawcookie() functions.
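    The mechanics above (headers before output, the attribute array, "[]" names and $_COOKIE) as an added example; this is not the manual's own code, and the cookie names, token format and preference keys are constructed for illustration:

```php
<?php
// Added example, not the manual's code: issue cookies with protective
// attributes behind output buffering, then read them back via $_COOKIE.
declare(strict_types=1);

ob_start();   // nothing reaches the client before the Set-Cookie headers

// Constructed sample token; a real app issues one per login.
$token = bin2hex(random_bytes(16));

// Shared attributes (array form, PHP >= 7.3): Secure keeps the cookie off
// plain HTTP, HttpOnly hides it from document.cookie, SameSite limits
// which cross-site requests carry it.
$attrs = [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
];
setcookie('sid', $token, $attrs);

// "[]" in the name: these arrive as $_COOKIE['pref']['theme'] and
// $_COOKIE['pref']['layout'] on the next request.
setcookie('pref[theme]', 'dark', $attrs);
setcookie('pref[layout]', 'compact', $attrs);

echo "cookies issued\n";   // buffered, emitted after the headers

ob_end_flush();

// On the next request (variables_order containing "C"), validate before use:
// a cookie is client-controlled input, not trusted state.
function sessionIdFromCookie(array $cookies): ?string
{
    $sid = $cookies['sid'] ?? null;
    return is_string($sid) && preg_match('/^[0-9a-f]{32}$/', $sid) ? $sid : null;
}

$sid   = sessionIdFromCookie($_COOKIE);
$prefs = is_array($_COOKIE['pref'] ?? null) ? $_COOKIE['pref'] : [];
```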


    User Contributed Notes 8 notes

    up
    4
    myfirstname at braincell dot cx
    16 years ago
    [Editor's note: Wilson's comment has been deleted since it didn't contain much useful information, but this note is preserved although its reference is lost]

    Just a general comment on Wilton's code snippet: It's generally considered very bad practice to store usernames and/or passwords in cookies, whether or not they're obfuscated.  Many spyware programs make a point of stealing cookie contents.

    A much better solution would be to either use the PHP built in session handler or create something similar using your own cookie-based session ID.  This session ID could be tied to the source IP address or can be timed out as required but since the ID can be expired separately from the authentication criteria the authentication itself is not compromised.

    Stuart Livings
    up
    -8
    abdelrahmanayman2003 at gmail dot com
    10 months ago
    It's important to set httponly to true to prevent XSS attacks.
    Also you could prevent the user from changing the value, to prevent them from getting another user's data.
    up
    -27
    costamilam073 at gmail dot com
    1 year ago
    This:

    <?php
    unset($_COOKIE["cookie"]);
    ?>

    only deletes an index of a variable; the cookies will still exist and continue to be sent from the server to the client and vice-versa.
    Just like this:

    <?php
    $_COOKIE["cookie"] = "foo bar";
    ?>

    does not create or change the value of the cookie, only during the current execution; the value that will be passed from the server to the client and vice-versa will be the original one.

    To delete or change it you must ALWAYS overwrite the old value with setcookie(), setrawcookie() or header(), the last of which is not very common and will hardly ever have a justifiable use.
    up
    -48
    bmorency at jbmlogic dot com
    14 years ago
    In response to the solution posted in the comment below, there are some practical issues with this solution that must be kept in mind and handled by your code. I developed an application using a similar "use-it-once" key to manage sessions and it worked great but we got some complaints about legitimate users getting logged out without reasons. Turns out the problem was not tentative hijacking, it was either:

    A- Users double click on links or make 2 clicks very fast. The same key is sent for the 2 clicks because the new key from the first click didn't get to the browser in time for the second one but the session on the server did trash the key for the new one. Thus, the second click causes a termination of the session. (Install the LiveHttpHeaders extension on Firefox and look at the headers sent when you click twice very fast; you'll see the same cookie sent on both and the new cookie getting back from the server too late.)

    B- For any given reason, the server experiences a slowdown and the response with the new key (which has replaced the old one on the server) is not returned to the browser fast enough. The user gets tired of waiting and clicks somewhere else. He gets logged out because this second click sends the old key which won't match the one you have on your server.

    Our solution was to set up a grace period where the old key was still valid (the current key and the previous key were both kept at all times; we used 15 seconds as a grace period where the old key could still be used). This has the drawback of increasing the window of time for a person to hijack the session but if you tie the validity of the old key to an IP address and/or user agent string, you still get pretty good session security with very, very few undesired session terminations.
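    The rotating key with a grace period for the previous key, as an added example; this is not the note author's code, and the class name, in-memory storage and injected clock are assumptions made so the window can be exercised without waiting:

```php
<?php
// Added example, not the note author's code: a "use-it-once" session key
// with a 15-second grace period during which the previous key still works.
declare(strict_types=1);

final class RotatingSessionKey
{
    private const GRACE_SECONDS = 15;
    private string $current;
    private ?string $previous = null;
    private int $rotatedAt;

    public function __construct(private Closure $now)   // injected clock
    {
        $this->current = bin2hex(random_bytes(16));
        $this->rotatedAt = ($this->now)();
    }

    public function currentKey(): string { return $this->current; }

    // Returns the key to send back in Set-Cookie, or null if the request
    // should end the session. hash_equals() avoids timing side channels.
    public function accept(string $presented): ?string
    {
        $t = ($this->now)();
        if (hash_equals($this->current, $presented)) {
            $this->previous = $this->current;            // rotate
            $this->current = bin2hex(random_bytes(16));
            $this->rotatedAt = $t;
            return $this->current;
        }
        $inGrace = $this->previous !== null
            && ($t - $this->rotatedAt) <= self::GRACE_SECONDS
            && hash_equals($this->previous, $presented);
        // Double click or slow response: an old key reused inside the window
        // is treated as the same client and answered with the current key.
        return $inGrace ? $this->current : null;
    }
}

// Constructed demo with a fake clock: the first click rotates, a second click
// with the old key 1s later is still accepted, the same key 20s later is not.
$clock = 1000;
$s = new RotatingSessionKey(function () use (&$clock): int { return $clock; });
$k1 = $s->currentKey();
$k2 = $s->accept($k1);
$clock += 1;
$again = $s->accept($k1);
$clock += 20;
$late = $s->accept($k1);
var_dump($k2 === $again, $late === null);
```

    Binding the previous key to the client's IP address or user agent, as the note suggests, would be an extra check in accept() before the grace branch.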
    up
    -57
    Henry
    11 years ago
    It is better to note not to attach your cookies to an IP and block the IP if it is different, as some people use portable browsers which will remember the cookies.  It is better to show a login screen instead if the IP does not correspond to the session cookie's IP.
    up
    -52
    mega-squall at caramail dot com
    15 years ago
    I found a solution for protecting session IDs without tying them to the client's IP. Each session ID gives access for only ONE query. On the next query, another session ID is generated and stored. If somebody hacks the cookie (or the session ID), the first one of the user and the pirate that uses the cookie will get the second disconnected, because the session ID has been used.

    If the user gets disconnected, he will reconnect: as my policy is not to have more than one session ID for each user (session entries have a UNIQUE key on the column in which the user login is stored), every entry for that user gets wiped, a new session ID is generated and stored on the user's drive: the pirate gets disconnected. This usually leaves the pirate just a few seconds to act. The slower visitors are browsing, the longer the time pirates get for hacking. Also, if users forget to explicitly end their sessions .... some of my users set a timeout longer than 20 minutes!

    IMPORTANT NOTE : This disables the ability of using the back button if you send the session ID via POST or GET.
    up
    -79
    ingen at stocken.ws
    13 years ago
    If you want a secured session not tied to the client IP you can use the valid-for-one-query method below, but to safeguard against a scenario where the legitimate user clicks twice, you can use a shutdown function (register_shutdown_function)*.

    It will check to see if the script terminated prematurely (connection_aborted), and reset the valid session ID. That way, it's still valid when the user makes the second request. If the script ends properly, the new session ID will be used instead.

    Now, since you can't set a cookie from the shutdown function (after output has been sent), the cookie should contain both the previous valid session ID and the new one. Then the server script will determine (on the next request) which one to use.

    Pseudo example:

    [Start of script:]

    1. Get the session ID(s) from cookie
    2. If one of the session IDs is still valid (that is, if there's a storage associated with it - in DB, file or whatever)
        2.1. Open the session
    3. Generate a new session ID
    4. Save the new session ID with the one just used in cookie
    5. Register shutdown function

    [End of script (shutdown function):]

    1. If script ended prematurely
        1.1. Save session data using the old session ID
    2. Else
        2.1. Save session data using the new session ID
        2.2. Make sure the old session ID is added to a list of IDs (used for the purpose described below)
        2.3. Trash the old session storage

    There's still the possibility of some deviant network sniffer catching the session cookie as it's sent to the client, and using it before the client gets the chance to. Thus, successfully hijacking the session.

    If an old session ID is used, we must assume the session has been hijacked. Then the client could be asked to input his/her password before data is sent back. Now, since we have to assume that only the legitimate user has the password we won't send back any data until a password is sent from one request.

    And finally, (as a sidenote) we could obscure the login details (if the client has support for javascript) by catching the form as it is sent, take the current timestamp and add it to the form in a dynamically generated hidden form object, replace the password field with a new password that is the MD5 (or similar) of the timestamp and the real password. On the serverside, the script will take the timestamp, look at the user's real password and make the proper MD5. If they match, good, if not, got him! (This will of course only work when we have a user with a session that's previously logged in, since we know what password (s)he's supposed to have.) If the user credentials are saved as md5(username+password), simply ask for both the username and password, md5 them and then md5 the timestamp and the user cred.

    ---

    If you need a javascript for md5: http://pajhome.org.uk/crypt/md5/md5src.html

    ---

    * You could use session_set_save_handler and make sure the session ID is generated in the open function. I haven't done that so I can't make any comments on it yet.