state of the art cookie checking?

sneakyimp

I'm modifying a very old registration form to show the user a warning if they do not permit my site to store cookies. I've looked around a bit and found this which looks helpful:

<?php
if (isset($_GET['cookiecheck'])) {
    if (isset($_COOKIE['testcookie'])) {
        print "Cookies are enabled";
    } else {
        print "Cookies are not enabled";
    }
} else {
    setcookie('testcookie', "testvalue");
    die(header("Location: " . $_SERVER['PHP_SELF'] . "?cookiecheck=1"));
}
?>

Using this might get complicated if I want to use this in a form which is already inspecting $_GET values to configure the form. The redirect is problematic.

I also found an approach that recommends using Javascript (which, like Cookies, might also be disabled):

function sess_check() {
  if (navigator.cookieEnabled) return true;

  // set and read cookie
  document.cookie = "cookietest=1";
  var ret = document.cookie.indexOf("cookietest=") != -1;

  // delete cookie
  document.cookie = "cookietest=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";

  return ret;
}

If Javascript is disabled, this is obviously not going t work at all. Furthermore, I wonder how widespread the navigator.cookieEnabled functionality might be implemented. Is IE going to cause problems about this too???

Can anyone suggest a nice approach to checking whether one's site can set/get cookies that can be implemented with a single page access? What's the latest approach for this?

NogDog

Well...from the server's standpoint, it seems to me that there's no way to tell on the first HTTP request to your server if the browser will actually accept a cookie and eventually return it on any subsequent requests -- until you actually get one of those subsequent requests. Therefore, without JavaScript, I can't think of a way to tell initially. My thinking is that maybe if no cookie is receive by the server, it could output something not too terribly annoying pointing out that cookies need to be enabled for full site functionality. Then on subsequent request that do, in fact, send the cookie back, you not display the message.

sneakyimp

Thanks for your response.

NogDog;11047081 wrote:
Well...from the server's standpoint, it seems to me that there's no way to tell on the first HTTP request to your server if the browser will actually accept a cookie and eventually return it on any subsequent requests -- until you actually get one of those subsequent requests. Therefore, without JavaScript, I can't think of a way to tell initially.

Well I'm wondering if I might use an IFRAME or something which could take care of checking for the cookie while leaving the main page alone so I don't have to pack up all the $_REQUEST data to send it along with the redirection requests. However, I'm wary because most people seem to really hate iframes.

NogDog;11047081 wrote:
My thinking is that maybe if no cookie is receive by the server, it could output something not too terribly annoying pointing out that cookies need to be enabled for full site functionality. Then on subsequent request that do, in fact, send the cookie back, you not display the message.

"If no cookie is received..." Let's think about that for a minute. Could I just check for this:

if (sizeof($_COOKIE) < 1) {
  // no cookies! show error message
}

This should show a message if the $_COOKIE array has no members. The problem of course is if someone goes directly to the script without visiting any other page first they will get the nasty cookie message despite the fact that cookies might in fact be working. I.e., you refresh the cookie page and the nasty message disappears.

NogDog

Ooh...you mentioned refresh, and made me think of this (have not tested, could be all wet):

Do your set cookie, session start, whatever, then
Check if the expected cookie(s) is there (whether your count method or just look for a specific cookie (session cookie?)
If it's not there, send a refresh header() and/or meta refresh to the same page, but with something in the query string to indicate it's a cookie check
If you see from $_GET that it's a cookie check, but there is no cookie, then display your "must enable cookies" message, but don't do the refresh (so we don't get into an infinite refresh loop)

Not crazy about it, and there may be some holes I haven't thought of, but maybe....?

NogDog

One downside I see to my preceding "brainstorm" would be if a user bookmarked a URL with the cookie check indicator, or a search engine indexed it. 🙁

sneakyimp

NogDog;11047087 wrote:
One downside I see to my preceding "brainstorm" would be if a user bookmarked a URL with the cookie check indicator, or a search engine indexed it. 🙁

Yet another wrinkle. I'm increasingly of the opinion that a cookie-checking page should ONLY check for cookies and do nothing else at all. It could be accessed/displayed in three ways:
as an intermediate page before one enters session-enabled area of a website (i.e., only send users to session area by way of cookie-checking page first)
in an iframe. everybody hates iframes yes but this requires no Javascript and would eliminate the need for us to preserve any $REQUEST vars that might have been passed into the primary page
* via AJAX. sadly, this requires Javascript which I'm not crazy about. On the other hand, it might also keep things nice and tidy on the primary page, eliminating the need to juggle any query string or $POST data that might have been supplied.

NogDog wrote:
1. Do your set cookie, session start, whatever, then
2. Check if the expected cookie(s) is there (whether your count method or just look for a specific cookie (session cookie?)
3. If it's not there, send a refresh header() and/or meta refresh to the same page, but with something in the query string to indicate it's a cookie check
4. If you see from $_GET that it's a cookie check, but there is no cookie, then display your "must enable cookies" message, but don't do the refresh (so we don't get into an infinite refresh loop)

I concocted a little test script to check on this idea:

<?php
session_start();
var_dump($_COOKIE);
?>

A first visit to this page yields an empty $_COOKIE array:

array(0) { }

The second visit shows the cookie:

array(1) { ["PHPSESSID"]=> string(26) "47cath2vaaictkgjjgepm3mhn6" }

In other words, session_start may create a cookie, but it does not immediately redefine the $COOKIE array. This stands to reason, as $COOKIE should only contain cookies passed to the server by the browser and there were none in my case.

This sshows the exact same behavior:

<?php
setcookie("MYCOOKIE", "my cookie's value");
var_dump($_COOKIE);
?>

First access, no cookie, second access, cookie is there.

I'm starting to think it would be nice to have some function, insist_on_cookie(), which would
If a certain $COOKIE["COOKIES_ARE_ENABLED"] = TRUE was found, would do nothing
take a snapshot of any query string parameters, $GET, $REQUEST, whatever
would set a cookie $COOKIE["COOKIES_ARE_ENABLED"] = TRUE
redirect to cookie-check.php, taking care to pass along the snapshot

the script cookie-check.php would:
check to see if $_COOKIE["COOKIES_ARE_ENABLED"] = TRUE
if it exists and is TRUE, simply redirect back to whatever page is captured in the snapshot (or the some default page if no such snapshot exists)
* if the cookie value is not found or is false or whatever, it would halt and display YOU MUST ENABLE COOKIES TO PROCEED and show a TRY AGAIN link which would let the user go back to the page stored in the snapshot

thoughts?

Or might a cookie have been set previously

NogDog

Something I saw earlier today while looking around about this (while eating lunch 🙂 ) suggested using potentially two redirects, something like...

set the cookie header
if cookie does not exist
    header redirect to self with flag indicating checking for cookie
    if cookie still does not exist
        redirect to a "must enable cookies page"
        maybe that page has link back to original page?
    else
        redirect back to original page with no "checking cookie" flag
    endif
endif

// at this point should be good to go

sneakyimp

I think part of the issue I was having is that my registration page is quite complex in various ways -- in particular, it was expecting $GET values specified via query string that it wanted to put into session to remember after a multi-page registration process. For the registration page to try and set cookies and query string values and redirect back and forth meant that the original $GET values would get lost. I came up with this scheme.

In my registration page (or any page that wants to insist on cookies working and therefore sessions) you can do this:

// Check if cookies are turned on
if (!isset($_COOKIE["MY_COOKIE_TEST"]) && ($_REQUEST["skip_cookie_check"] != 1)) {
	// set the cookie
	setcookie("MY_COOKIE_TEST", TRUE, time() + 3600, $cookie_path, $cookie_domain);
	// remember what url has been requested
	$return = $_SERVER["REQUEST_URI"];
	// redirect to cookie test page
	$url = "/cookie-check.php?return=" . base64_encode($return);
	header("location: " . $url);
	exit;
}

This bit of code will stop you if either the special cookie has not been set -- unless you explicitly send a $_REQUEST value that tells it to skip the cookie check.

Then in the cookie-check.php page, we have this:

<?php

// check for any url we need to return to, otherwise assume the home page
$redirect_url = (isset($_GET["return"]) ? base64_decode($_GET["return"]) : "/");
if (!$redirect_url) {
	$redirect_url = "/";
}

session_start();
if (isset($_COOKIE["MY_COOKIE_TEST"])) {
	// cookies work! redirect back to the specified page.
	header("location: " . $redirect_url);
	exit;
}

// if the cookie is not there, a stark warning
?>
<html>
<body><h1>YOU NEED COOKIES, BRO!</h1>
<p>Turn cookies on and <a href="<?php echo $redirect_url; ?>">click here</a> to try again.</body>
</html>

There's nothing especially magical about this approach, but it doesn't require Javascript and can be quite convenient if you have a page that is accepting $_GET params and you want to make sure cookies are enabled. The cookie warning page also gives you a link to try the original requested url again once you turn the cookies on. NOTE: this will not handle situations where you are POSTing data.