
I'm having this weird problem where my cookies are getting lost in a weird way. I'm on wordpress, and it seems to hold the value fine while I click through pages, but when I insert a post on a page it loses the cookie.

The weirdest part is that it doesn't lose it the first time, but if I create two posts in a row, then it will lose it.

I've read a lot about refreshes, I took them all out, and it still does it. I also read about wordpress not liking cookies that don't have a domain specified, so my cookies look like this:

setcookie("auth", $cyph, time()+60*60*24*60, '/', '.domain.com'); 

where $cyph is a serialized array ( base64_encode(serialize($cyph)); ). Like I said, it holds the value fine until I interact in some way with wordpress.

Any ideas?

  • i think its already answered in below link stackoverflow.com/questions/2535462/… Commented Mar 22, 2011 at 8:17
  • Are you sure you're not just taking 2 months between posts? :) Commented Mar 22, 2011 at 9:17

1 Answer


where $cyph is a serialized array ( base64_encode(serialize($cyph)); )

Yikes!

Never expose serialized data to end-users. Please reference this PDF presentation by PHP security expert Stefan Esser, starting on page 28. It is possible to manipulate serialized data in such a way that a poorly-designed class can allow for arbitrary code execution amongst other things.

It looks like you're trying to store an authentication token. Please store an appropriate hash instead.


With regard to the actual cookie setting program, what browser are you using? Modern browsers have the ability to inspect the HTTP headers for requests and responses using their developer tools. Using one of these tools, it should be easy to see if the cookie is being set properly. If you use Firefox, install Firebug. If you use Chrome, use the Wrench menu => Tools => Developer Tools.


6 Comments

It is stored as a hash, why is it a problem to display an encrypted array as a serialized string? In firebug it shows the cookie just... gone.
The keys and values of the hash are encrypted... then the whole array is serialized, how could somebody possibly mess with that? Thanks for the link I'll read that.
Please read the document I linked for a list of many reasons why you should not expose serialized data to users. It's not the data that's the problem, it's the serialization. With regard to the cookie, can you please edit your original question with a copy/paste of the Set-Cookie header provided by your script and exposed by Firebug?
Thanks for your help on this Charles, I'll do that in a second. Re using hash vs serialize, my goal is to store an array of information (or object) in a cookie, for all the obvious benefits. What's the best method of doing that type of thing (I don't care about the method just the result). Thanks so much!
If you really have to do that instead of storing the information in a database and simply giving the user a unique identifier that you can use to look it up later, there are a few other options. Consider http_build_query, which you can pass your hash. It will return a query string that setcookie will properly encode. You can later use parse_str to get the data back as a hash. This will only work well for relatively simple arrays with minimal nesting.
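The following is an added example, not code from the question or the answer above. It shows the two points the answer and its comments make: why `unserialize()` on a cookie the user controls is an object-injection hole (the "encrypted" values inside the array are irrelevant, the class name in the wrapper is what gets executed), and how to carry a small flat array in a cookie with `http_build_query()`/`parse_str()` plus an HMAC so tampering is rejected. The class `LogWriter`, the functions `attackerCookie`, `unsafeRead`, `makeCookie`, `readCookie` and the constant `COOKIE_SECRET` are all invented for this example.

```php
<?php
// Added example (not from the original post). Part 1 demonstrates PHP object
// injection via unserialize(); part 2 is a safer cookie encoding.

// ---------- Part 1: the hazard the answer warns about ----------
// unserialize() instantiates whatever class the string names. Any class that
// is already loaded (the application, WordPress, a plugin, ...) and has a
// magic method such as __wakeup() or __destruct() becomes attacker-reachable.
// LogWriter is a made-up stand-in for such a class.
class LogWriter {
    public $path = '/tmp/app.log';
    public $data = '';
    public function __destruct() {
        // Harmless for the class's intended use; with attacker-chosen
        // $path and $data it is an arbitrary file write.
        file_put_contents($this->path, $this->data);
    }
}

function attackerCookie(): string {
    // The attacker never needs the server's encryption key: they replace the
    // whole cookie with a serialized object of their choosing.
    $obj = new LogWriter();
    $obj->path = sys_get_temp_dir() . '/pwned.txt';
    $obj->data = "written by unserialize()\n";
    return base64_encode(serialize($obj));
}

function unsafeRead(string $cookie) {
    // This is the pattern from the question. The LogWriter::__destruct()
    // runs as soon as the returned object is garbage collected.
    return unserialize(base64_decode($cookie));
}

// ---------- Part 2: flat key/value cookie with an HMAC ----------
// Assumption: a random secret kept server-side (e.g. in wp-config.php), never
// sent to the browser. A real deployment would generate it with random_bytes().
const COOKIE_SECRET = 'replace-with-a-random-32-byte-secret';

function makeCookie(array $data): string {
    // http_build_query() produces a string that setcookie() encodes safely;
    // PHP decodes it again into $_COOKIE on the next request.
    $payload = http_build_query($data);
    $mac = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return $payload . '&mac=' . $mac;
}

function readCookie(string $cookie): ?array {
    // Split the MAC off the raw string and verify over the exact bytes that
    // were signed, rather than over a re-encoding of the parsed array.
    $pos = strrpos($cookie, '&mac=');
    if ($pos === false) {
        return null;
    }
    $payload = substr($cookie, 0, $pos);
    $mac = substr($cookie, $pos + strlen('&mac='));
    $expected = hash_hmac('sha256', $payload, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // forged or tampered cookie
    }
    $parsed = [];
    parse_str($payload, $parsed);          // no variables, only an array
    return $parsed;
}

// ---------- Usage ----------
// Part 1: one cookie from the attacker, one file write on the server.
unsafeRead(attackerCookie());
echo file_exists(sys_get_temp_dir() . '/pwned.txt') ? "object injection fired\n" : "no write\n";

// Part 2: a legitimate cookie round-trips; an edited one is rejected.
$cookie = makeCookie(['user' => 42, 'role' => 'editor']);
var_dump(readCookie($cookie));
var_dump(readCookie(str_replace('role=editor', 'role=admin', $cookie)));
```

Note that the HMAC only proves the cookie was issued by the server; it does not hide the values, and it does not revoke anything, which is why the comment above still recommends storing the data server-side and giving the user only an opaque identifier. `parse_str()` with the second argument writes into the supplied array only, so it cannot overwrite variables the way the single-argument form could in older PHP.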
