PHP cookies

[PaulStat]

Hi Guys,

I'm trying to implement cookies into my website but it doesn't seem to recognise that I've set the cookie and gives me a new one everytime.

<?php
   if(isset($_COOKIE['shoppingcart_id'])) {
      echo "COOKIE IS SET";
   }
   else {
      echo "COOKIE IS NOT SET";
      
      //generate a random 10 character code
      $shoppingcart_id = generateId();

     //get the current date
     $today = date("Y-m-d");

     //get the users ip
     $user_ip = $_SERVER['REMOTE_ADDR'];

     //set the lifetime of the cookie
     $expire = time()+(60*60*24*7);

     //set the domain for which the cookie is valid
     $dom = $_SERVER['SERVER_NAME'];
     if($dom[0] == "w"){
        //truncate the first three characters
	$domain = substr($dom, 3);
     }
     else {
        //add point
	$domain = ".".$dom;
     }

     //finally send the cookie to the user agent
     setcookie("shoppingcart_id", $shoppingcart_id, $expire, "/", $domain)
   }

It always goes via the not set route?

 

[Pho]

Why not use sessions and let that handle setting the cookies?

 

[PaulStat]

sorry not sure what you mean, can you give an example?

Edit: Hmm just found that If upload the same code to my webserver and run it from there it works?!?!?!

 

[Pho]

Cookies are generally unsecure so shouldn't be used, especially for a shopping cart. Sessions are actually easier to use, more secure, and look better. Your code above could be condensed into this (untested):

<?php
session_start();

if(isset($_SESSION['shoppingcart_id'])) {
  echo "COOKIE IS SET";
}
else {
  echo "COOKIE IS NOT SET";
  
  //generate a random 10 character code
  $_SESSION['shoppingcart_id'] = generateId();
}

However, you might not even need that. Sessions generate their own IDs automatically (which is actually set via a cookie automatically on users' browsers so that data can be retrieved between pages):

<?php
session_start();
echo session_id();

A new ID is generated for each new session (each new user, or after the session has timed out)

 

[PaulStat]

Right ok, what counts as a session though? If a user puts something in their cart, browses away from the site briefly and then comes back will the session still be valid?

 

[Pho]

It defaults to 40 minutes so you'll be fine. You can configure it in php.ini or via runtime configuration. session.gc_maxlifetime it is I think.

 

[Tetsujin]

Cookies are generally unsecure so shouldn't be used, especially for a shopping cart. Sessions are actually easier to use, more secure, and look better.

Apart from where sessions are cookies. As long as you weren't planning on storing actual customer data in the cookie, there's no difference to doing it yourself (other than the "doing it yourself" part)

 

[robmiller]

Apart from where sessions are cookies.

Well yeah, but the cookie only stores the session ID, not any actual data—so the user (or an attacker) can't modify the data.

 

[Ruddles]

Well yeah, but the cookie only stores the session ID, not any actual data—so the user (or an attacker) can't modify the data.

However using XSS I could steal your session cookie id and impersonate you, changing everything in your session through the website. PHP 5.2 introduced support for the httponly flag that goes some way to helping this, but I don't believe there is any way to set the secure flag on them yet.

 

[Inquisitor]

However using XSS I could steal your session cookie id and impersonate you, changing everything in your session through the website. PHP 5.2 introduced support for the httponly flag that goes some way to helping this, but I don't believe there is any way to set the secure flag on them yet.

Well yeah, if the site is implemented poorly enough to allow XSS attacks.

 

[Ruddles]

Well yeah, if the site is implemented poorly enough to allow XSS attacks.

With sites like google, hsbc, myspace, facebook etc being hit in recent years it's not that unheard of (http://xssed.com/)

 

[kwerk]

It looks alright to me, are you sure generateId is actually returning something?