Scribd
Upload
22 views18 pages

Understanding PHP Cookies Management

Cookies are small files stored on a user's computer that are sent back to the server each time the same computer requests a page. PHP's setcookie() function creates cookies by specifying a name, value, and expiration time. Cookies can be accessed on subsequent page loads using the cookie name as a variable or the $_COOKIE array. Cookies are used to track users across websites and maintain session state.

Uploaded by

ROHITSARAN.SACHIN
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
22 views18 pages

Understanding PHP Cookies Management

Cookies are small files stored on a user's computer that are sent back to the server each time the same computer requests a page. PHP's setcookie() function creates cookies by specifying a name, value, and expiration time. Cookies can be accessed on subsequent page loads using the cookie name as a variable or the $_COOKIE array. Cookies are used to track users across websites and maintain session state.

Uploaded by

ROHITSARAN.SACHIN
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd

Cookies

BY
Aravind,
Helvin M Geevar,
Sowmya,
Thamjeeth,
Saran
A cookie is a small file that the server embeds on the
user's computer. Each time the same computer requests
for a page with a browser, it will send the cookie too.
With PHP, you can both create and retrieve cookie values.
The setcookie() function is used to create cookies.
Note: The setcookie() function must appear BEFORE the
<html> tag.

setcookie(name, [value], [expire], [path], [domain], [secure]);

This sets a cookie named "uname" - that expires after ten hours.
<?php setcookie("uname", $name, time()+36000); ?>
<html> <body> …
 To access a cookie you just refer to the cookie name as a variable or
use $_COOKIE array
 Tip: Use the isset() function to find out if a cookie has been set.

<html> <body>
<?php
if (isset($uname))
echo "Welcome " . $uname . "!<br />";
else
echo "You are not logged in!<br />"; ?>
</body> </html>
 It will expire
or
 Cookies must be deleted with the same parameters as they
were set with. If the value argument is an empty string (""),
and all other arguments match a previous call to setcookie,
then the cookie with the specified name will be deleted from
the remote client.
 Session cookies
 Stored only for the duration of a web-session.
 Persistent cookies
 Remain stored until they expire.
 Server specifies optional domain.
 Cookie gets sent with all requests to this domain.
 Server specifies optional expiration date
 Server can specify “secure” option:
 Cookie is only sent when using SSL.
 Version 0 cookies (Netscape cookies)

Set-Cookie: name=value [;expires=date] [;path=path]


[;domain-name = value] [;secure]

Set-Cookie: customer=anil; expires Wednesday, 21-march-2018


[Link] GMT; domain=“[Link]”; path=/soe; secure
 Version 1 cookies (RFC 296)
 Less-used

 Provides a number of extensions


 Privacy risk
 Can be controlled by web-browser.
 Used to track consumer behavior.
 Harder, but possible to track an individual user.
 Security Risk
 Users can change cookies before continuing to browse.

 Counter-measure: strong encryption

 Users could swap / steal cookies.

 E.g. when used for authentication

 Session Hijacking

 Counter measure:

 Server needs to send a new cookie after every change in


state and verify that a request comes with a valid cookie.
 For example, by appending a MAC of session state to the
cookie after each change of state.
 Poor practices:
 Poor encryption of cookies.

 Web-based email uses a cookie for authentication.

 Cookie contains the user name encrypted by XOR-ing


with a secret string.
 Attacker can crack the cookie encryption by creating
fake accounts.
 Attacker can now craft a cookie useful for
authentication.
 Something similar happened to Hotmail and yahoo
early on.
 Poor practices:
 Poor encryption of cookies.

 Shopping cart encoded in cookie.

o Cookie contained shopping cart details in plain text.

o Attacker changed prices of items.

 Relying on cookie for authentication

 Cookie is sniffed from the net.

 Cookie is stolen by impersonating a web-site.


 Usedto track viewers of web-sites.
HTML page contains a request to download a
resource from a “counting” site.
The resource is so small that the viewer does not
notice the download.
Counting site receives the request and adds IP
address to its user database.
Examples:
<img src=“[Link] width=1
height=1 border=0>
<IMG WIDTH=1 HEIGHT=1 border=0
SRC=“[Link]
_RunOfSite_Any&db_acfr=4B31-C2FB-
10E2&event=reghome&group=register&time=1999.[Link] 6.37”>
Found by Privacy Foundation on Intuit’s home page for
[Link] several years ago.
 Canbe embedded in any html code.
User profiles written in html.

Email messages.

But only when read with a client that can display


HTML messages and with a computer connected
to the internet.
Usenet messages.

You might also like