1 (edited by RNilsson 2003-11-06 09:06)

Topic: Cookie Cruncher

I've got some problems with my cookies.
The same code broke when moving from one host to the next host.
Here is the broken host phpinfo: http://www.nilsson-online.net/phpinfo.php
Here is the working host phpinfo: http://www.nonet.org/phpinfo.php

I have made no changes, and it appears that the cookie doesn't get set properly at the broken host.

I've tried a few cookie-domain combos but no luck.

I'm pretty clueless here...

EDIT: And it's the same result in FB 0.7 as well as in IE6, so I tend to believe it's a code-related problem.

EDIT2: I've seen that sometimes it sets the cookie, but it doesn't save it. I'll look into when it does appear and when it doesn't.

EDIT3: I'm using this code to set and update the cookie:

setcookie(COOKIE_NAME, $cookie_data, $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);

And it seems it does get set, but with an expire time that is in the past, despite that I'm feeding it time()+2500000 (roughly 1 month).
My session vars appear to have the correct expire time.

Do I have to unset the cookie in order to update it?

And why does it in that case work on one host but not the other?

Re: Cookie Cruncher

Is the clock set?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Cookie Cruncher

On one page I fiddled with, I had to unset the cookie before I could update it. Also note the order you send those in; IIRC they were reversed or something (the last-set cookie info sent first, or something like that)... I guess this is on Apache though, but check the docs to be sure of that.

4 (edited by RNilsson 2003-11-06 21:23)

Re: Cookie Cruncher

It's on my web host that it's broken.
If I print_r both the session and cookie vars, I can see that the cookie only gets the first expire time, while the session var gets the updated one on each page load.

It's so weird; the only thing I can think of that's different is register_globals, but it shouldn't affect it like that, right?

And the clock is set correctly, but it wouldn't matter, as every time check is done on the server itself.

At least now when i know what the error is, it shouldn't be hard to figure a way around it.

Any suggestions are welcome though :)

5 (edited by RNilsson 2003-11-06 22:01)

Re: Cookie Cruncher

Ok, more info...

The cookie does get set, but for no apparent reason with the time of setting it and not the expire time I'm giving it...
I'm using this code:
setcookie(COOKIE_NAME, $cookieData, 1070747601, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);

That is some time next month as the expiry...
Any ideas?


Btw, now I know why cookies are bad for ya =/
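A way to see what setcookie() actually emits, instead of reading the expiry back out of the browser's cookie viewer: on the PHP CLI setcookie() only queues a header and headers_list() returns the queued lines, so the exact Set-Cookie text, with the expires= attribute PHP computed from the third argument, can be inspected. This is an added example, not code from the thread; the cookie name, path and domain in it are placeholders. classifyCookie() also works on a raw Set-Cookie line captured from a server (for instance from `curl -i`); in that case pass the server's Date: header as the clock rather than the local time, which separates "the server sent an expiry in the past" from "the two clocks disagree".

```php
<?php
// Added diagnostic (not from the thread). Run it on the PHP CLI: setcookie()
// only queues a header there, and headers_list() returns the queued lines,
// so you see the exact Set-Cookie text a browser would get.

// Split one "Set-Cookie: name=value; attr=val; Flag" line into its parts.
function parseSetCookie(string $line): array
{
    $line  = preg_replace('/^Set-Cookie:\s*/i', '', trim($line));
    $parts = array_map('trim', explode(';', $line));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attrs = [];
    foreach ($parts as $p) {
        [$k, $v] = array_pad(explode('=', $p, 2), 2, true); // flags like HttpOnly carry no value
        $attrs[strtolower($k)] = $v;
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

// Say what the browser will do with the cookie. $now is the clock the cookie
// is judged against: time() for headers produced locally, the response's
// Date: header for a capture taken from another server.
function classifyCookie(array $cookie, int $now): string
{
    $a = $cookie['attrs'];
    if (isset($a['max-age'])) {                       // browsers prefer Max-Age over Expires
        $maxAge = (int)$a['max-age'];
        return $maxAge <= 0 ? 'delete now (Max-Age <= 0)' : "keep for {$maxAge}s (Max-Age)";
    }
    if (!isset($a['expires'])) {
        return 'session cookie: no Expires, dropped when the browser closes';
    }
    $exp = strtotime($a['expires']);
    if ($exp === false) {
        return 'unparseable Expires=' . $a['expires'];
    }
    if ($exp <= $now) {
        return 'already expired ' . ($now - $exp) . 's ago relative to the given clock: browser deletes it';
    }
    return 'keep until ' . gmdate('Y-m-d H:i:s', $exp) . ' UTC (' . ($exp - $now) . 's from now)';
}

$now = time();
// Placeholder name/path/domain; the third argument is the one the thread is about.
setcookie('fh_member_cookie', 'test', 0,              '/fh', '.example.test'); // 0 -> session cookie
setcookie('fh_member_cookie', 'test', $now - 3600,    '/fh', '.example.test'); // past -> deletion
setcookie('fh_member_cookie', 'test', $now + 2592000, '/fh', '.example.test'); // +30 days

foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo $h, "\n  -> ", classifyCookie(parseSetCookie($h), $now), "\n";
    }
}

// The same classifier on a captured header, judged against the server's Date:
// (constructed sample; the values are chosen so the cookie is a day past its expiry).
$captured  = 'Set-Cookie: fh_member_cookie=deleted; expires=Thu, 06-Nov-2003 09:00:00 GMT; path=/fh; domain=.example.test';
$serverNow = strtotime('Fri, 07 Nov 2003 09:00:00 GMT');
echo $captured, "\n  -> ", classifyCookie(parseSetCookie($captured), $serverNow), "\n";
```

Three Set-Cookie lines come out for the three calls, because setcookie() appends a header rather than replacing an earlier one for the same name; the browser keeps whichever arrives last. A value of "deleted" with an expiry in the past is what PHP sends when setcookie() is called with an empty value.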

Re: Cookie Cruncher

Could you perhaps link to the documents so that we can try it out from here?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

7 (edited by RNilsson 2003-11-07 10:03)

Re: Cookie Cruncher

Sure.
The site is here: http://www.nilsson-online.net/fh/
I've set up a test-account: Username [ test1 ], Password [ password ]
I've enabled debug output with print_r of session and cookie at the top of every page.
I'll paste the functions I'm using to log in and verify users:

# memberLogin
function memberLogin()
{
    /*
        rosterID (int)
        memberLogin (text)
        memberPasswordMD5 (text)
        memberPasswordCrypt (text)
        memberPasswordExpire (int - time())
        memberStoreCookie (int - 0/1)
        memberIpMD5 (text)
        memberIpAllowChange (int - 0/1)
        memberCallsign (text)
        memberIsAdmin (int - 0/1)
    */

    # With magic_quotes_gpc On, PHP has already backslash-escaped POST data; undo that
    # and escape once ourselves, so the values are safe inside the SQL string below.
    $username = get_magic_quotes_gpc() ? stripslashes($_POST['username']) : $_POST['username'];
    $password = get_magic_quotes_gpc() ? stripslashes($_POST['password']) : $_POST['password'];

    DB_Connect();
    $SQL = "SELECT * FROM " . TABLE_MEMBERS . " WHERE memberLogin = '" . mysql_real_escape_string($username) . "'";
    $Q = mysql_query($SQL);
    $N = mysql_num_rows($Q);
    $R = ($N == 1) ? mysql_fetch_object($Q) : false;
    DB_Disconnect();

    if ($N == 1)
    {
        # Strict comparison, so two hashes are only equal when they are the same string
        if (md5($password) === $R->memberPasswordMD5)
        {
            # Cookie-Expire, 30 days
            $cookieExpire = time() + 2592000;

            # SessionID: ID, EMail, Time, expire plus a random component, md5-hash.
            # Without the random part the ID could be recomputed from known values.
            $sessionID = md5($R->rosterID . $R->memberEMail . time() . $cookieExpire . uniqid(mt_rand(), true));

            # User IP, md5-hash
            $userIP = md5($_SERVER['REMOTE_ADDR']);

            # LastVisit
            $lastVisit = time();

            # Cookie-Serialize: rosterID, sessionID, userIP, lastvisit
            $cookieData = serialize(array($R->rosterID, $sessionID, $userIP, $lastVisit));

            # Store Cookie (the checkbox may be absent from the POST)
            $storeCookie = (isset($_POST['storeCookie']) && $_POST['storeCookie'] == 1) ? 1 : 0;

            # Store Data in DB ($userIP and $sessionID are hex, $lastVisit an int: nothing user-supplied)
            DB_Connect();
            $SQL = "UPDATE " . TABLE_MEMBERS . " SET memberIpMD5 = '" . $userIP . "', memberSessionID = '" . $sessionID . "', memberLastVisit = '" . $lastVisit . "' WHERE rosterID = '" . (int)$R->rosterID . "'";
            $Q = mysql_query($SQL);
            DB_Disconnect();

            # Set User Session : userid, sessionid, cookieexpire, userip, cookiedata, lastvisit
            setUserSession($R->rosterID, $sessionID, $cookieExpire, $userIP, $cookieData, $storeCookie, $lastVisit, $R->memberIsAdmin);

            # Check if user wants cookie stored
            if ($storeCookie == 1)
            {
                #setUserCookie($cookieData, $cookieExpire);
                # Expiry hard-coded to 1070747601 (2003-12-06 UTC) for debugging, see below
                setcookie(COOKIE_NAME, $cookieData, 1070747601, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
            }

            include(PAGE_HEAD);
            printMsgLarge("Login Success", $R->memberCallsign . ", you have been logged in.");
            include(PAGE_TAIL);
        }
        else
        {
            include(PAGE_HEAD);
            # htmlspecialchars() so a username containing markup is displayed, not rendered
            printMsgLarge("Login Error", "Username [ " . htmlspecialchars($username) . " ] found.<br>Provided password does not match stored password.<br>Check spelling and caps.<br>Don't remember your password? Get a new one <a href=\"" . URL_BASE . "/member.lostPassword.php\">HERE</a>...");
            include(PAGE_TAIL);
        }
    }
    else
    {
        include(PAGE_HEAD);
        printMsgLarge("Login Error", "Username [ " . htmlspecialchars($username) . " ] not found.<br>Check spelling.");
        include(PAGE_TAIL);
    }
}

# Verify User
function verifyUser()
{
    session_start();

    # If USER_VERIFIED is set, then the session appears to be valid and we verify it.
    if (isset($_SESSION['USER_VERIFIED']) && $_SESSION['USER_VERIFIED'] == 1)
    {
        DB_Connect();
        $SQL = "SELECT * FROM " . TABLE_MEMBERS . " WHERE rosterID = '" . (int)$_SESSION['USER_ID'] . "' AND memberSessionID = '" . mysql_real_escape_string($_SESSION['SESSION_ID']) . "'";
        $Q = mysql_query($SQL);
        $N = mysql_num_rows($Q);
        $R = ($N == 1) ? mysql_fetch_object($Q) : false;
        DB_Disconnect();

        if ($N == 1)
        {
            setUserSession($R->rosterID, $R->memberSessionID, time() + 2592000, $_SESSION['USER_IP'], $_SESSION['COOKIE_DATA'], $_SESSION['STORE_COOKIE'], time(), $R->memberIsAdmin);

            if ($_SESSION['STORE_COOKIE'] == 1)
            {
                #setUserCookie($_SESSION['COOKIE_DATA'], time() + 2592000);
                setcookie(COOKIE_NAME, $_SESSION['COOKIE_DATA'], 1070747601, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
            }

            # Store Data in DB
            DB_Connect();
            $SQL = "UPDATE " . TABLE_MEMBERS . " SET memberIpMD5 = '" . md5($_SERVER['REMOTE_ADDR']) . "', memberSessionID = '" . $R->memberSessionID . "', memberLastVisit = '" . time() . "' WHERE rosterID = '" . (int)$R->rosterID . "'";
            $Q = mysql_query($SQL);
            DB_Disconnect();
        }
        else
        {
            removeUserSession();
            removeUserCookie();
        }
    }
    # Oops, no session found (maybe a returning user?), check for cookie & expiration
    elseif (isset($_COOKIE[COOKIE_NAME]))
    {
        # The cookie is serialized text containing double quotes. With magic_quotes_gpc On
        # PHP delivers it backslash-escaped and unserialize() returns false, so strip the
        # slashes first, and reject anything that is not the 4-element array we wrote.
        $raw = get_magic_quotes_gpc() ? stripslashes($_COOKIE[COOKIE_NAME]) : $_COOKIE[COOKIE_NAME];
        $cookieData = @unserialize($raw);

        if (!is_array($cookieData) || count($cookieData) != 4 || !isset($cookieData[0], $cookieData[1]) || !is_string($cookieData[1]))
        {
            removeUserSession();
            removeUserCookie();
            return;
        }

        # Both fields come from the client: cast the ID, escape the session ID
        DB_Connect();
        $SQL = "SELECT * FROM " . TABLE_MEMBERS . " WHERE rosterID = '" . (int)$cookieData[0] . "' AND memberSessionID = '" . mysql_real_escape_string($cookieData[1]) . "'";
        $Q = mysql_query($SQL);
        $N = mysql_num_rows($Q);
        $R = ($N == 1) ? mysql_fetch_object($Q) : false;
        DB_Disconnect();

        if ($N == 1)
        {
            $userIP     = md5($_SERVER['REMOTE_ADDR']);   # was never assigned in this branch before
            $cookieData = serialize(array($R->rosterID, $R->memberSessionID, $userIP, time()));

            # Store Data in DB
            DB_Connect();
            $SQL = "UPDATE " . TABLE_MEMBERS . " SET memberIpMD5 = '" . $userIP . "', memberSessionID = '" . $R->memberSessionID . "', memberLastVisit = '" . time() . "' WHERE rosterID = '" . (int)$R->rosterID . "'";
            $Q = mysql_query($SQL);
            DB_Disconnect();

            setUserSession($R->rosterID, $R->memberSessionID, time() + 2592000, $userIP, $cookieData, 1, time(), $R->memberIsAdmin);
            #setUserCookie($cookieData, time() + 2592000);
            setcookie(COOKIE_NAME, $cookieData, 1070747601, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
        }
        else
        {
            removeUserSession();
            removeUserCookie();
        }
    }
    else
    {
        removeUserSession();
        removeUserCookie();
    }
}

verifyUser() is at the top of every page, before any output is started, and it works, as the session gets updated.
memberLogin() is only at the login-page.

function setUserSession($user_id, $session_id, $cookie_expire, $user_ip, $cookie_data, $store_cookie, $last_visit, $member_is_admin)
{
    # verifyUser() has normally started the session already; a second session_start() only produces a notice
    if (session_id() == "") session_start();
    $_SESSION['USER_ID']            = $user_id;
    $_SESSION['SESSION_ID']         = $session_id;
    $_SESSION['COOKIE_EXPIRE']      = $cookie_expire;
    $_SESSION['USER_IP']            = $user_ip;
    $_SESSION['COOKIE_DATA']        = $cookie_data;
    $_SESSION['STORE_COOKIE']       = $store_cookie;
    $_SESSION['LAST_VISIT']         = $last_visit;
    $_SESSION['MEMBER_IS_ADMIN']    = $member_is_admin;
    $_SESSION['USER_VERIFIED']      = 1;
}

function removeUserSession()
{
    if (session_id() == "") session_start();
    unset($_SESSION['USER_ID']);
    unset($_SESSION['SESSION_ID']);
    unset($_SESSION['COOKIE_EXPIRE']);
    unset($_SESSION['USER_IP']);
    unset($_SESSION['COOKIE_DATA']);
    unset($_SESSION['STORE_COOKIE']);
    unset($_SESSION['LAST_VISIT']);
    unset($_SESSION['USER_VERIFIED']);
    unset($_SESSION['MEMBER_IS_ADMIN']);
    session_destroy();
}

function setUserCookie($cookie_data, $cookie_expire)
{
    setcookie(COOKIE_NAME, $cookie_data, $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
}

function removeUserCookie()
{
    # An empty value makes PHP send "fh_member_cookie=deleted" with an expiry in the past,
    # which tells the browser to drop the cookie
    setcookie(COOKIE_NAME, "", time() - 3600, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
}

And those work with the session and cookie stuff.
Although I've hard-set the cookie stuff in verifyUser for debugging purposes...

Anything else you need to see?

Also, the help from all of you is very much appreciated; these things can be a pain to get to work...

EDIT: And of course the cookie-config:
# Cookie Config
DEFINE("COOKIE_NAME", "fh_member_cookie");
DEFINE("COOKIE_PATH", "/fh");
DEFINE("COOKIE_DOMAIN", ".nilsson-online.net");
DEFINE("COOKIE_SECURE", "0");
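Two caveats a practitioner would raise about the cookie in the post above, independent of the expiry problem. The cookie carries serialize()d user data (rosterID, session ID, IP hash) in the clear, and verifyUser() unserialize()s it and concatenates the fields straight into SQL, so the cookie value is both an unserialize() input and an SQL injection point. And because the serialized text contains double quotes, a host with magic_quotes_gpc On (the broken host has it On, per the phpinfo comparison later in this thread) hands the script a backslash-escaped value that unserialize() rejects. The following is an added example, not the poster's code, of the usual alternative: the cookie holds only a random selector:validator pair, the database stores a hash of the validator, and the lookup is a prepared statement. It assumes PHP 7.3+ (setcookie() options array, random_bytes(), hash_equals()), PDO, and a hypothetical remember_tokens table described in the comment; COOKIE_NAME, COOKIE_PATH and COOKIE_DOMAIN reuse the thread's values.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.3+, PDO, and a
// hypothetical table:
//   CREATE TABLE remember_tokens (selector CHAR(24) PRIMARY KEY,
//       validator_hash CHAR(64) NOT NULL, roster_id INT NOT NULL, expires_at INT NOT NULL);
// The cookie carries only selector:validator, so nothing in it is user data
// that needs unserialize() or ends up inside an SQL string.

const COOKIE_NAME   = 'fh_member_cookie';
const COOKIE_PATH   = '/fh';
const COOKIE_DOMAIN = '.nilsson-online.net';
const COOKIE_TTL    = 2592000; // 30 days

function cookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => COOKIE_PATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',
    ];
}

// Call after the password check succeeded. Only a hash of the validator is
// stored, so reading the table does not yield a usable cookie.
function issueRememberMe(PDO $db, int $rosterId): void
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + COOKIE_TTL;

    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, roster_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $rosterId, $expires]);

    setcookie(COOKIE_NAME, $selector . ':' . $validator, cookieOptions($expires));
}

// Returns the roster id for a valid cookie, or null. The validator is rotated
// on every successful use, so a copied cookie stops working after the owner's next visit.
function verifyRememberMe(PDO $db): ?int
{
    $raw = $_COOKIE[COOKIE_NAME] ?? '';
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;                              // malformed: ignore without touching the database
    }
    [, $selector, $validator] = $m;

    $stmt = $db->prepare('SELECT roster_id, validator_hash, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row || (int)$row['expires_at'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        clearRememberMe($db, $selector);          // expired or wrong validator: revoke this selector
        return null;
    }

    // Rotate: new validator, same selector, fresh expiry.
    $newValidator = bin2hex(random_bytes(32));
    $expires      = time() + COOKIE_TTL;
    $stmt = $db->prepare('UPDATE remember_tokens SET validator_hash = ?, expires_at = ? WHERE selector = ?');
    $stmt->execute([hash('sha256', $newValidator), $expires, $selector]);
    setcookie(COOKIE_NAME, $selector . ':' . $newValidator, cookieOptions($expires));

    return (int)$row['roster_id'];
}

// Drop the server-side token (if known) and tell the browser to forget the cookie.
function clearRememberMe(PDO $db, ?string $selector = null): void
{
    if ($selector !== null) {
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    }
    setcookie(COOKIE_NAME, '', cookieOptions(time() - 3600));
}
```

The selector is looked up with a prepared statement and the validator is compared with hash_equals() against its stored hash, so neither a crafted cookie nor a leaked table row gets an attacker in. The same prepared-statement pattern applies to the username lookup in memberLogin(), where $_POST['username'] is currently concatenated into the query.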

Re: Cookie Cruncher

I can't access the page you linked to.

Edit: I now managed to access it, but it's really weird. Sometimes it works and sometimes it just "hangs" and appears to never time out.

Edit2: I've played around with it a bit, and it's really odd. If I log in, close the browser and then return, it sets a cookie called fh_member_cookie and the contents of the cookie is only "deleted". Do you know why that might be?

Edit3: It only does the above when using Moz Firebird. Not in IE.

I'm sorry, but I have no clue what the hell is going on.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

9 (edited by RNilsson 2003-11-08 14:21)

Re: Cookie Cruncher

Sometimes the shoutbox is dragging its heels on the page.
I know, I know, the shoutbox sucks, but it's not my design so :)

And yes, it's really that weird.

I'm using FB too, and when I log in with storing the cookie, it sets the cookie with expire time = time of setting, hence it automatically gets deleted once the browser closes.

I have no idea why it's doing what it's doing actually.
I'll try to put the site online at my working host again after the weekend and then you can see if there is any differences etc.

EDIT: Oh, btw, thanks for trying to help with what seems to be a hopeless problem :)

Re: Cookie Cruncher

Here's a link to the working host...
http://fh.nonet.org/fh/

11 (edited by RNilsson 2003-11-09 10:38)

Re: Cookie Cruncher

I've found these differences in the PHP configuration via phpinfo on the bad and the good host.
They don't mean much to me, but maybe to some of you.
I'll also make an attempt to install PHPA on my box to see if it's there that the fault lies.

Differences found                Not working Host                       Working Host
=====================================================================================
allow_call_time_pass_reference   On                                     Off
browscap                         /usr/local/lib/browscap.ini            no value
disable_functions                session_module_name                    no value
display_errors                   On                                     Off
error_log                        /usr/local/apache/var/log/php_error    no value
error_reporting                  7                                      2047
magic_quotes_gpc                 On                                     Off
output_buffering                 0                                      4096
PHPA                             installed                              not installed
register_argc_argv               On                                     Off
register_globals                 On                                     Off
track_errors                     On                                     Off
variables_order                  no value                               GPCS

Re: Cookie Cruncher

The only thing I think can be related is variables_order. Try setting it back to its default value.

http://se2.php.net/manual/en/configurat … bles-order

"Programming is like sex: one mistake and you have to support it for the rest of your life."

13 (edited by RNilsson 2003-11-09 12:37)

Re: Cookie Cruncher

I'll send a mail to the web host and ask if there is any particular reason for them to have it like that.

The GPCS on my host obviously works, and I can try setting mine to no value and see if that interferes.

Is there a way to set runtime variables other than what's default in the php.ini config?

Is there a way to list all those that can be user-changed?

EDIT: Found 'session.use_trans_sid' to be On at the broken server, and Off at the working server.

Re: Cookie Cruncher

Well, there's ini_set(), but it won't work for stuff like variables_order since that affects stuff that happens before the script is executed.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
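On the two questions above (setting directives at runtime, and listing which ones can be user-changed): ini_get_all() reports an access mask per directive (INI_USER, INI_PERDIR, INI_SYSTEM), and ini_set() returns false when a directive cannot be set from script. The following is an added example, not from the thread; it runs on any PHP 7+ CLI, and the directives it probes are the ones the two hosts differed on, plus session.cookie_lifetime as one that is runtime-settable.

```php
<?php
// Added example (not from the thread): which directives a script may change,
// and what ini_set() does when one cannot. Works on any PHP 7+ CLI.

// Group every directive by the most permissive place it may be set from.
// access is a bitmask: INI_USER (ini_set, .htaccess, php.ini), INI_PERDIR
// (.htaccess, php.ini), INI_SYSTEM (php.ini only); INI_ALL is all three bits.
function iniChangeableBy(): array
{
    $out = ['user' => [], 'perdir' => [], 'system' => []];
    foreach (ini_get_all(null, true) as $name => $info) {
        $access = (int)$info['access'];
        if ($access & INI_USER) {
            $out['user'][] = $name;
        } elseif ($access & INI_PERDIR) {
            $out['perdir'][] = $name;
        } else {
            $out['system'][] = $name;
        }
    }
    return $out;
}

// Try to change one directive at runtime and report what happened.
// ini_set() returns the previous value, or false when the directive is not
// settable from script (or does not exist in this PHP version at all).
function trySet(string $name, string $value): string
{
    $old = ini_set($name, $value);
    if ($old === false) {
        return sprintf('%-24s ini_set() refused: not runtime-settable or unknown in PHP %s', $name, PHP_VERSION);
    }
    $now = ini_get($name);
    return sprintf('%-24s was %s, now %s', $name, var_export($old, true), var_export($now, true));
}

$groups = iniChangeableBy();
printf("ini_set() can change %d directives, %d need per-directory config, %d are php.ini-only\n\n",
    count($groups['user']), count($groups['perdir']), count($groups['system']));

// The directives the two hosts in the thread differed on, plus the cookie lifetime for comparison.
foreach (['variables_order', 'register_globals', 'magic_quotes_gpc', 'session.use_trans_sid',
          'output_buffering', 'display_errors', 'session.cookie_lifetime'] as $d) {
    echo trySet($d, '0'), "\n";
}
```

variables_order and output_buffering are INI_PERDIR, so ini_set() refuses them, which is the point made in the reply above; register_globals and magic_quotes_gpc no longer exist in PHP 5.4 and later and are refused for that reason. display_errors, session.use_trans_sid and session.cookie_lifetime are INI_ALL and do change.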