damned cookies II

tanita

Hi, - maybe the first postmessage was to big..

its me again. I solved my login-pwd-problem with cookie,
first - I thought - it works fine. But I realized, that
it is possible to login again, without pasword. The cookie
expieres a half hour, this could explain that. I tryed to
'unset/delete' the cookie with exaples I found in php.net
and this mailinglist. Cookie ist set after succsessful
authentifikation.

Before I wanted to delete the old cookie, like this:

authPerson($user->getValue("uid"), $passwd);
setcookie("passwd");
setcookie("passwd",$passwd,time()+ (3600/2));

Cookiewarnigs are aktivated, after succsessful login with
'password=X3me8l', seccond login without password. What
happes is, by sending the login-form, first popupwindow gives
you the message 'passwd=deleted' - that seems ok. No pwd given,
even wrong pwd fits.. Because the second following popupwindow
has 'password=X3me8l' !?!? Thats why is it possible to login
without password... Just closing the last browserinstance
will deaktivate the cookie.

Any ideas? - please help..

Thanks,

Tanja

matto

I think your session never gets destroyed.
Have a look at the session_is_registered syntax, read the postings, eg:

Make sure to use...
session_is_registered("var");
and not...
session_is_registered($var);

furthermore, session_destroy takes no arguments.

that's a first suggestion ...

tanita

Hi,

the existing 'session_is_registered("user")'
contains not this password! In spite of ths, what has this to do with cookies? Arent they
saved in a client site file called 'cookies'?
I pares all of them. I wonder, after closing browser, trying to login with no pwd already works. Where does the server remind?!?

I changed session_is_registered("user") to
session_is_registered("user"). But unregistering this session does not unregister the cookie....

Tanja

matto

But unregistering this session does not unregister the cookie....

Yes, that's right, my idea was that once the session is established, it doesn't get destroyed because of the session_destroy fail, no matter if the password cookie has been deleted in the meantime or not.

But it's just an idea.

icaro

authPerson($user->getValue("uid"), $passwd);
setcookie("passwd");
setcookie("passwd",$passwd,time()+ (3600/2));

humm, the cookies are processed by browser in reverse order that you send in php.. (dont get it as a dogma, cause it changes every time, and i can't know if changes in damned browseres or in php 4.last compilations...

short answer: try setcookie("cookiename", "", time()-100); to unset a cookie (client browser will set the cookie to empty and delete the whole cookie in time()-100, or 1000 or whatever you want)

i used to get problems changing passwords or login on.. but not login out.

if it doesnt help, tell us what is your php version and with what browser/version are you testing..

tanita

Hi,

I tryed :

  authPerson($user->getValue("uid"), $passwd);
  setcookie("passwd", "", time()-100);
  setcookie("passwd",$passwd,time()+ (3600/2));

But this doesn't solve my problem. First opup says 'password=deleted', second 'password=5wG89x' again - it drives me crazy..

I use:
php version 4.0.6
webserver iPlanet 6.0
browser Netscape 4.78, IE 5.0, Opera 5.11

Tanja 🙁

marcel

I don't know,
maybe this will help you.
tray a commnad like:
`telnet your_comp 80' // telnet on port 80
after make a request:

################
GET /logout_page.php HTTP/1.1
[NEW_LINE]
[NEW_LINE]
###############

and look what your server returns.

I had have a similar problem with a Netscape- Enterprise WWW server.
(was somthing about configuration I suppose,
I don't have access on that machine... so ).

In any case, may pice of code was like:
<?php
...
setCookie(...); // delete cookie
header('Location: /');
?>

On test machine ( Apache) everything was fine.
online ... nope.

The problem: when Netsacpe_Enteprise get
'Location: /' was ingnoring the rest (including cookies).

so I had to change the code like:
<?php
...
setCookie(...); // delete cookie
?>
< META HTTP-EQUIV=Refresh CONTENT="0; URL=/" >

Hope this helps

tanita

I'll try tomorrow!!

In advanced thanks,

Tanja

marcel

(when you'll try) pls tell us what the server returns on GET request.

just curious.

icaro

authPerson($user->getValue("uid"), $passwd);
setcookie("passwd", "", time()-100);
setcookie("passwd",$passwd,time()+ (3600/2));

i dont understand why are you setting that cookie two times.. is it a procedure for logout? try to remove the second setcookie.

tanita

Hi,

yes, I tryed to 'unset' the cookie. I canceled managing my attention with cookies...
But there are still some questions left, because of this funny effects.

1.) Request take longer time.
2.) When the cookie was set/unset, I parsed
the hole disk to find out, where the enttry,
which was set within the cookie, allready is available.
- webserver runs under Linux, here I could't find the value, that was intended and ok.
- cient - win 2000, sometimes the entry in cookie was visible, sometimes not.
When I deleted the entry in cookie by myself, I expected the server has no rights of access
even if the last instance of the browser was closed.
But sometimes (as long as cookie is not expired) the server sets a cookie with the value of the deleted cookieentry... After searching the whole clientside disk, I just found it in profile.sys (Im not fit in Win2000, but it has to do with swap?), which you can't read and I didn't dare to delete this file. And I found it in netscape.hist. In which I also deleted all passworvalues. For me I was a silly thing to follow up that matter.

But few question are still left, I.)where gets the server the passwordvalue? II.) How can I cookies rearly delete, tha the server has no access?!?

Handling with sessions is much easier, there are more possibilities.

3.) Solution with cookies doesn't fit to our companys security agreements.

I managed it with sessions again, and within the session the password is crypted and decrypted when I need it for a bind. Secure transfer can be mangaged via https, so users don't havt to authentificate again.

Tanja