Posted by ws Monkey on 12/17/85 11:55
totalstranger wrote:
> On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:
>> romayankin@gmail.com wrote:
>>> I need to limit the session time for a particular user who is working
>>> on my site. I'd also like to extend the session time each time the user
>>> performs some action (moves from one page to another). I've written the
>>> following code to accomplish this task
>>>
>>> /* Extending session: re-issue the username cookie for another hour on each request */
>>> if (isset($_COOKIE['username'])) {
>>>     setcookie("username", $_COOKIE['username'], time() + 3600);
>>> }
>>>
>>> The variable $_COOKIE['username'] is set right after the authorization is
>>> completed.
>>> The problem is that I don't think this is a safe way to handle
>>> sessions. Perhaps I should use $_SESSION global array to store the
>>> username of the logged user?
>>>
>>
>> In my opinion, all you should store in a cookie is the session-id.
>> Everything else you store on the server, in either a global session variable
>> or in a database.
> Agreed.
> Set a session variable with php time() and do your own timeout.
>
> session_start();
> if (isset($_SESSION['$Server_time']) && (time() - $_SESSION['$Server_time']) > 600) {
>     $_SESSION = array(); // break this session and restart when idle for over 10 minutes
> }
> $_SESSION['$Server_time'] = time(); // time in seconds, refreshed on every request
You may want to consider adding a few sanity checks for this. Never trust
input from the user.
In your cookie, store two values: the username, and then an MD5 of the
username plus a salt. When you read the cookie, compare the MD5.
i.e.
$plaintext_cookie_value = $_COOKIE['username'] ?? '';
$hashed_username_value = md5($plaintext_cookie_value . "some random salt");
// Compare with hash_equals(), not ==: a loose == treats hex strings that look
// like "0e12345..." as equal numbers, and it is not constant-time.
if (isset($_COOKIE['usernamehashed'])
    && hash_equals($hashed_username_value, $_COOKIE['usernamehashed'])) {
    // plaintext is valid
} else {
    // Someone changed the username (or the hash cookie is missing)
}
Just make sure to use the same "some random salt" when you set the cookie.
-- Steve
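The two pieces of advice in this thread, a server-side idle timeout kept in $_SESSION and a cookie whose contents are bound to a keyed hash, combined in one script that runs from the command line on constructed input. This is an added example, not code posted by anyone in the thread; it uses HMAC-SHA256 with hash_equals() in place of the md5(username . salt) and == comparison suggested above, and the names idle_expired, sign_cookie, verify_cookie, COOKIE_KEY and the constructed timestamps are assumptions for the illustration.

```php
<?php
// Added example (not from the original thread). Names and the sample values
// below are assumptions made for the illustration.
declare(strict_types=1);

const IDLE_LIMIT = 600;   // seconds of inactivity before the session is dropped

// Secret used to key the cookie MAC. Placeholder for the example: in a real
// deployment load it from configuration, never hard-code it.
const COOKIE_KEY = 'replace-with-a-long-random-secret-from-config';

/**
 * Enforce an idle timeout on a session array (pass $_SESSION in practice).
 * Returns true when the session had gone idle and was reset.
 */
function idle_expired(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $expired = isset($session['last_activity'])
        && ($now - $session['last_activity']) > $limit;
    if ($expired) {
        $session = [];                  // drop everything the user had
    }
    $session['last_activity'] = $now;   // every request extends the window
    return $expired;
}

/** Build the cookie value "username|hmac". */
function sign_cookie(string $username, string $key = COOKIE_KEY): string
{
    // Keyed HMAC-SHA256 rather than md5(value . salt): the key never leaves
    // the server, and HMAC is not subject to length-extension.
    return $username . '|' . hash_hmac('sha256', $username, $key);
}

/** Return the username if the cookie is intact, null if missing or tampered. */
function verify_cookie(?string $cookie, string $key = COOKIE_KEY): ?string
{
    if ($cookie === null) {
        return null;
    }
    // The MAC is hex, so the last '|' is always the separator even if the
    // username itself contains one.
    $pos = strrpos($cookie, '|');
    if ($pos === false) {
        return null;
    }
    $username = substr($cookie, 0, $pos);
    $mac = substr($cookie, $pos + 1);
    $expected = hash_hmac('sha256', $username, $key);
    // hash_equals(): strict, constant-time comparison (no == type juggling).
    return hash_equals($expected, $mac) ? $username : null;
}

// Issuing the cookie after login would look like this (PHP 7.3+ options array):
// setcookie('username', sign_cookie($username),
//     ['expires' => time() + 3600, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// --- demo on constructed input ---------------------------------------------
$session = [];
$t0 = 1000000;                                     // constructed epoch time
idle_expired($session, $t0);                       // first request, nothing to expire
$session['username'] = 'alice';
var_dump(idle_expired($session, $t0 + 300));       // bool(false): 300s idle, alice kept
var_dump(idle_expired($session, $t0 + 300 + 601)); // bool(true): 601s idle, session reset
var_dump(isset($session['username']));             // bool(false)

$good = sign_cookie('alice');
var_dump(verify_cookie($good));                    // string(5) "alice"
$forged = 'admin' . substr($good, strpos($good, '|')); // swap the name, keep the MAC
var_dump(verify_cookie($forged));                  // NULL
var_dump(verify_cookie('alice'));                  // NULL (no MAC at all)
var_dump(verify_cookie(null));                     // NULL (cookie absent)
```

The idle check still belongs on the server: the cookie expiry set by setcookie() is only a hint to the browser, so a client can keep presenting an old cookie indefinitely, while $_SESSION['last_activity'] cannot be edited by the client at all.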