Question

CodeIgniter (PHP) session and cookie problems

Asked by: hbkmunroe

Because of session problems in CodeIgniter (PHP) that were clogging up error logs, I followed a recommendation to set the cookie domain, which was previously unset. So this was changed from $config['cookie_domain'] = ''; to $config['cookie_domain'] = '.domainname.com'; with the leading . to cover all sub-domains.

Since this, anyone who visited the site was not able to do anything that required a session, so logging in etc. So I changed the setting back. However, the problem still persists. I think that anyone who came to the site during the period of time that setting was active has been given a cookie that won't let them log in, and it won't expire for another two weeks.

Is there anything I can do programmatically to delete this cookie from those who need it deleted, yet keep things the same for those who don't? It's hard to tell how many people may be affected and it seems I can't fix the problem without screwing it up for other users.


Asked on: 2009-06-07 at 04:17:34 (ID 24470184)

Tags: php, codeigniter, cookies, sessions

Topics: PHP Frameworks, PHP Scripting Language, Web Browsers

Participating experts: 2

Points: 500

Comments: 10

Answers

 

by: Ray_Paseur, posted on 2009-06-08 at 08:33:18, ID: 24573170

Can you please post a sample of the data in the good cookie and in the bad cookie?  I can show you how to clear the bad ones.  Best, ~Ray

 

by: gokce_yalcin, posted on 2009-06-09 at 08:13:34, ID: 24581985

What is your key? You can paste the contents of config/session.php here so we can help you.

 

by: hbkmunroe, posted on 2009-06-10 at 03:05:17, ID: 24589516

Thanks for the replies.

The cookie data is encrypted - so I can't show you the data.

@gokce_yalcin: Not sure what you're referring to by key. In my config.php file I have the following

$config['cookie_prefix']      = '';
$config['cookie_domain']      = '';
$config['cookie_path']            = '/';

Hopefully this will help. Maybe you can point me in the direction of the key (I have no session.php file)

Thanks

 

by: gokce_yalcin, posted on 2009-06-10 at 03:26:34, ID: 24589623

No, I probably got confused between Kohana and CI (they are pretty close; Kohana is a strict PHP5 fork of CI). It seems it is generating the key randomly; whatever it is, it should be destroyed by session_destroy();, but CI might have used additional cookies for domains.

You can take the following steps:

1. Get Firefox.
2. Install Firebug.
3. Install Firecookie.
4. Go to your site.
5. Open the Firebug console and enable cookies.
6. Go to the cookies section and note those cookies.
7. Redo "$config['cookie_domain'] = '.domainname.com';"
8. Refresh the page and look for additional cookies.
9. Look at the changed cookies and new cookie names and note them.
10. Put 'setcookie ("notedcookie", "", time() - 3600);' in your global controller.
11. Restore your config.

 

by: Ray_Paseur, posted on 2009-06-10 at 07:33:14, ID: 24591918

What in the world does this mean?

"The cookie data is encrypted - so I can't show you the data."

A cookie is nothing more than a text file.  You can use var_dump($_COOKIE)

Scripts may process cookies in a variety of ways, thus the cookie may control a lot of the user experience.  Changing the algorithms that create and consume them is fraught with risk, as you have shown.  If I were in this situation, I would try to (1) correct the cookie setting and testing routines and (2) change the name of the cookies.  The upshot of that is that all your clients' cookies would be lost - once - and they would have to go through the login and preference-setting process again, but it would leave you with things straightened out at last.

I like gokce_yalcin's suggestions above about how to visualize the cookies.  Here is a script with some comments that will enable you to see how cookies work.  You can install it and watch them in action.

HTH, ~Ray

<?php // RAY_cookie_example.php
 
// RECEIVE FORM INPUT AND SET A COOKIE WITH THE NAME AND VALUES FROM THE FORM
// MAN PAGE: http://us.php.net/manual/en/function.setcookie.php
// TO SEE COOKIES IN FIREFOX, FOLLOW TOOLS => OPTIONS => PRIVACY => SHOW COOKIES
 
define('COOKIE_LIFE', 60*60*24); // A 24-HOUR DAY IN SECONDS ( = 86,400 )
 
if (!empty($_POST)) // IF THE FORM HAS BEEN POSTED
{
 
// TIDY UP THE POST INPUT - CLEAN AND NOT MORE THAN 16 BYTES
   $name = substr(clean_string($_POST["name"]),0,16);
   $data = substr(clean_string($_POST["data"]),0,16);
 
// BE SURE WE HAVE USEFUL INFORMATION ($PHP_SELF NEEDED register_globals; USE $_SERVER AND ESCAPE IT)
   if ( ($name == '') || ($data == '') ) die("MISSING INPUT: PLEASE <a href=\"" . htmlspecialchars($_SERVER['PHP_SELF']) . "\">TRY AGAIN</a>");
 
// CONSTRUCT THE COOKIE
// USE THIS TO MAKE COOKIE EXPIRE AT END OF BROWSER LIFE
   $cookie_expires	= 0;
 
// USE THIS TO MAKE A PERSISTENT COOKIE - DEFINE COOKIE_LIFE IN SECONDS - time() IS ALREADY A UTC-BASED UNIX TIMESTAMP, SO NO TIMEZONE OFFSET IS ADDED
   $cookie_expires	= time() + COOKIE_LIFE;
 
// CHOOSE THE COOKIE NAME AND VALUE
   $cookie_name 	= $name;
   $cookie_value	= $data;
 
// MAKE THE COOKIE AVAILABLE TO ALL DIRECTORY PATHS IN THE WWW ROOT
   $cookie_path	= '/';
 
// MAKE THE COOKIE AVAILABLE TO ALL SUBDOMAINS - DOMAIN NAME STARTS WITH DOT AND OMITS WWW (OR OTHER SUBDOMAINS).
   $x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
   $y = count($x);
   if ($y == 1) // MAYBE 'localhost'?
   {
      $cookie_domain = $x[0];
   } else // SOMETHING LIKE 'www2.atf70.whitehouse.gov'?
   {
// USE THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN
      $cookie_domain = '.' . $x[$y-2] . '.' . $x[$y-1];
   }
 
// MAKE THE COOKIE AVAILABLE TO HTTP, NOT JUST HTTPS
   $cookie_secure	= FALSE;
 
// HIDE COOKIE FROM JAVASCRIPT (PHP 5.2+)
   $cookie_http	= TRUE;
 
// SET THE COOKIE
   if (setcookie($cookie_name, $cookie_value, $cookie_expires, $cookie_path, $cookie_domain, $cookie_secure, $cookie_http))
   {
      echo "<br/>SUCCESS!  THE COOKIE HAS BEEN SET AND WILL BE AVAILABLE TO THE NEXT PAGE LOAD \n";
   } else {
      echo "<br/>FAILURE!  THE COOKIE WAS NOT SET AS EXPECTED \n";
   }
 
// AT THIS POINT, THE COOKIE HAS BEEN SET, BUT IT IS _NOT_ AVAILABLE TO THIS SCRIPT.  IT WILL BE AVAILABLE TO THE NEXT SCRIPT!
   echo '<pre>$_COOKIE CONTAINS '; var_dump($_COOKIE); echo "</pre>\n";
   echo '<pre>$_POST CONTAINS ';   var_dump($_POST);   echo "</pre>\n";
   echo "<br/>THE COOKIE HAS BEEN SET WITH THESE VALUES: \n";
   echo "<br/>COOKIE NAME: $cookie_name \n";
   echo "<br/>COOKIE VALUE: $cookie_value \n";
   echo "<br/>COOKIE EXPIRES: $cookie_expires ";
   echo " == " . date('r', $cookie_expires) . "\n"; // SHOW THE EXPIRY TIME, NOT THE CURRENT TIME
   echo "<br/>COOKIE PATH: $cookie_path \n";
   echo "<br/>COOKIE DOMAIN: $cookie_domain \n";
   echo "<br/>COOKIE SECURE: "; var_dump($cookie_secure); echo " \n";
   echo "<br/>COOKIE HTTP: ";   var_dump($cookie_http);   echo " \n";
 
   echo "<br/>";
   echo "<br/>TO SEE THE COOKIES, IF ANY, <a href=\"" . htmlspecialchars($_SERVER['PHP_SELF']) . "\">CLICK HERE</a> \n";
   echo "<br/>";
}
 
// END OF SETTING THE COOKIE
?>
 
 
<form method="post">
COOKIE NAME: <input name="name" /><br/>
COOKIE DATA: <input name="data" /><br/>
<input type="submit" />
</form>
 
 
<?php
// SHOW THE COOKIE ARRAY, IF ANY
echo '<pre>$_COOKIE CONTAINS '; var_dump($_COOKIE); echo "</pre>\n";
 
 
// A FUNCTION TO FORCE A STRING TO CHARACTERS ONLY
function clean_string($string)
{
   return trim(preg_replace('/[^a-zA-Z0-9_]/', '', $string)); // ereg_replace() WAS REMOVED IN PHP 7
}
?>

                                              

 

by: gokce_yalcin, posted on 2009-06-10 at 08:40:30, ID: 24592919

@Ray_Paseur: He is probably talking about content-encrypted cookies; it's used for client-side malware software, or some valuable data you gave to the client but didn't want read by the client. CI encrypts cookie data that is set by PHP, as an option. You can also do something like that using hardened PHP patches. This way JS cannot process the cookie, which means no XSS cookie manipulation except session-key fixations.  If you open the file, all you will see is encrypted data (blowfished, for example). You should decrypt it to see the actual contents, and to do that you would need the encryption key, which is always kept on the server side.

@hbkmunroe: You can get the cookie contents using CI cookies class. It should decrypt it on-the-fly.

 

by: hbkmunroe, posted on 2009-06-10 at 16:25:26, ID: 24597494

@Ray_Paseur: The cookie data is encrypted so it basically looks like this 0q2xiL9EhzKJC3fOKHNyIZG4ASafniNvHJDdDkbsGX4kRzNzhNu%2Fw etc.
But I don't think the content of the cookie is important

Basically what I would like to know is if it is possible to read a user's cookie, determine if it has a value for the domain set (it seems if one isn't set it defaults to a Host value) and if so, how to unset any cookies that match that.

Or if not, a valid method for unsetting cookies based purely on the value of the domain setting, not on the data.

 

by: Ray_Paseur, posted on 2009-06-10 at 18:06:41, ID: 24597991

@gokce_yalcin: Makes sense.  I do not do that; instead I use a link back to a record in the data base that holds stateful information for the client.  The thinking is that a lost cookie that might get decrypted could be  more dangerous than a cookie that points to a row of the client-state table.  The state-table has other protections that resist false cookies.

Regarding this: "...the content of the cookie is important" because it is all you can get back from the browser.  

You can only set cookies for your own domain, subdomain and paths.  A cookie for ray.com cannot work for ray.org, but a cookie for www.ray.com can work for .ray.com, IF it was set correctly so that it is applicable to both the domain and the www subdomain.  You can have a cookie that works for sub.ray.com but not for www.ray.com, etc.  Lots of combinations.

The domain of an existing cookie is not present in a way that you can get to it on the server, unless you put this information into the cookie.  See below for a sample of the cookies on my browser at the moment.  $_COOKIE is just an associative array.  You put a lot of stuff into the setcookie() function, but that all goes to the client machine where it is under control of the browser.  

More information on what you can find in a cookie is available here:
http://us.php.net/manual/en/language.variables.external.php

More information on what it takes to set a cookie is available here (the path and domain have well-documented default values):
http://us.php.net/manual/en/function.setcookie.php

HTH, ~Ray

_COOKIE array(2) {
  ["__utma"]=>
  string(63) "98237186.1485489525395617300.1244471216.1244471216.1244471216.1"
  ["__utmz"]=>
  string(69) "98237186.1244471216.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
}
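
As an added example (not code from this thread or from CodeIgniter): a browser matches a cookie on name, domain and path, so the expiring setcookie() from step 10 of the earlier answer only removes the stale cookie when it repeats the `.domainname.com` domain and `/` path it was created with; and because the server never sees that scope, as explained above, the sketch sends the expiry to every visitor who presents the cookie name. The cookie name `ci_session` (CodeIgniter's default; check `$config['sess_cookie_name']`), both function names, and the assumption that the site is served from a subdomain such as `www.domainname.com` are not from the thread.

```php
<?php
// Added example, not from the thread. Assumptions: the session cookie is named
// ci_session and the site is served from a subdomain such as www.domainname.com,
// so the host-only cookie and the .domainname.com cookie have different scopes.

define('STALE_NAME',   'ci_session');      // assumption: see $config['sess_cookie_name']
define('STALE_DOMAIN', '.domainname.com'); // the cookie_domain that was briefly live
define('STALE_PATH',   '/');               // same as $config['cookie_path']

// Return the cookie names that occur more than once in a raw Cookie header.
// A repeated name means the browser holds same-named cookies with different
// domain/path scopes; $_COOKIE exposes only one of them.
function duplicate_cookie_names($rawHeader)
{
    $counts = array();
    foreach (explode(';', (string) $rawHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $name  = trim($parts[0]);
        $counts[$name] = isset($counts[$name]) ? $counts[$name] + 1 : 1;
    }
    return array_keys(array_filter($counts, function ($n) { return $n > 1; }));
}

// Expire only the cookie scoped to $domain and $path. The browser matches on
// name + domain + path, so a host-only cookie of the same name is left alone.
function expire_scoped_cookie($name, $domain, $path)
{
    if (headers_sent()) {
        return false; // Set-Cookie can no longer be added to this response
    }
    return setcookie($name, '', time() - 3600, $path, $domain);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample header: a stale domain cookie next to a fresh host-only one.
    var_dump(duplicate_cookie_names('ci_session=aaa; theme=dark; ci_session=bbb'));
} elseif (isset($_COOKIE[STALE_NAME])) {
    // Run before any output, e.g. from a base controller.
    $raw = isset($_SERVER['HTTP_COOKIE']) ? $_SERVER['HTTP_COOKIE'] : '';
    if (in_array(STALE_NAME, duplicate_cookie_names($raw), true)) {
        error_log('stale domain-scoped ' . STALE_NAME . ' seen'); // sizes the problem
    }
    expire_scoped_cookie(STALE_NAME, STALE_DOMAIN, STALE_PATH);
}
```

Visitors who never received the domain-scoped cookie are unaffected by the extra header, and the block can be removed once the two-week cookie lifetime mentioned in the question has passed.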
                                              

 

by: hbkmunroe, posted on 2009-09-23 at 09:54:59, ID: 31589695

Thanks

 

by: Ray_Paseur, posted on 2009-09-23 at 10:37:02, ID: 25405737

@hbkmunroe, Limited Member: Please explain why you marked this answer down to a "B" without any discussion of what you thought was the deficient part of the answer?  You are trying to do something that has been made (deliberately) architecturally impossible.  "It don't work that way" is the REAL answer.  We tried to give you advice for diagnostic purposes and workarounds, but you are up against a designed security wall when you try to get information that browsers and cookies are not supposed to give to the server.  Just because you want to do something that is impossible - that does not make it appropriate to give a poor grade.

If you would like to refer to the grading guidelines, they are available here:
http://www.experts-exchange.com/help.jsp#hi403

If you would like to ask a moderator to reopen the question so you can correct the grade, and give gokce_yalcin some credit for considerable contribution to the work here, you can use the "Request Attention" button at the lower right of the original post.

Thanks for your consideration, ~Ray
