  1. #1
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts

    Question What if user disables cookie?

    Hi

    I have a website that uses cookies to store user login info in the user's browser. When the user returns to the website, the site checks for that cookie, fetches the user/pass, authenticates and logs them in.

    My question is what happens if the user has blocked cookies in their browser, is there still any possibility to authenticate them?

  • #2
    New Coder
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    34
    Thanks
    11
    Thanked 4 Times in 4 Posts
    If the user blocked cookies (I don't think many people do) then you can't authenticate them, at least with cookies or sessions (and I can't think of any other good ways to authenticate the user). The browser should let the person know that the site wants to store cookies though. There is also a method you can use to check if the browser allows cookies and inform the user if they don't have cookies enabled. On the login page, set a "dummy" cookie with any value. Then when you process the login form, check if that cookie exists. If the cookie exists then continue on and log the user in. If not then ask the user to enable cookies and reload the page (to set the dummy cookie) and log in again.

    Luckily, I don't think many users do disable cookies though.

  • Users who have thanked Cloud Ghost for this post:

    phantom007 (07-19-2012)

  • #3
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,389
    Thanks
    13
    Thanked 353 Times in 349 Posts
    for sessions there is the possibility to pass the session id as url parameter, though that is far from convenient and also opens possibilities to compromise a session.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • Users who have thanked Dormilich for this post:

    phantom007 (07-19-2012)

  • #4
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts
    How is a session id passing as url parameter relevant to fetching cookie value?

  • #5
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,389
    Thanks
    13
    Thanked 353 Times in 349 Posts
    it’s not relevant to fetching a cookie value, it’s relevant to sessions. that means, even if the user cannot auto-login (no cookies), once he *is* logged in, all necessary data can be saved in the session. but sessions themselves rely on cookies (normally) to pass the session id on each HTTP request. or in other words, if you have cookies disabled (and don’t use the url for the session id) you cannot log in (well technically you can for the first page after login, but no other page)

  • Users who have thanked Dormilich for this post:

    phantom007 (07-20-2012)

  • #6
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts
    so it means there is no way out or no alternate?

  • #7
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    There is no alternative, no.
    You have one of two options:
    1. Use a cookie
    2. Use the GET/POST and pass the querystring along.

    This is exactly the same behaviour as PHP sessions use.

  • Users who have thanked Fou-Lu for this post:

    phantom007 (07-20-2012)

  • #8
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts

    Question

    Quote Originally Posted by Fou-Lu:
    There is no alternative, no.
    You have one of two options:
    1. Use a cookie
    2. Use the GET/POST and pass the querystring along.

    This is exactly the same behaviour as PHP sessions use.

    Thanks for the reply.

    In your point #2, what will be the flow / use case? Could you please explain?

  • #9
    New Coder
    Join Date
    Sep 2011
    Posts
    80
    Thanks
    0
    Thanked 13 Times in 12 Posts
    There is another way if used correctly, you can identify users using an ETag in the HTTP headers. They were originally designed for cache control but can be used to ID users (some could argue somewhat controversially).

    https://secure.wikimedia.org/wikiped...wiki/HTTP_ETag

    http://www.clickz.com/clickz/news/20...e-user-control

    http://www.adotas.com/2011/08/hulu-c...tracking-fray/

  • #10
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts
    Hi again

    Thanks for your inputs guys.

    One last question is, if cookies are disabled in a client's browser will it have any impact in the sessions?


    Thanks

  • #11
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    You mean using actual sessions?
    Yes, just as it would if you ran manual. The sessions work by first attempting to resolve the cookie, and then attempting to resolve the querystring for the session_name. If you cannot pass by cookie (detected by session_start as well), and you allow sessions without cookies, and you enable use_trans_sid, it will automatically append the session identifier to any links you have. This is the same logic you must follow.

    So effectively, if you cannot set a cookie you must append a session identifier to the links to persist in page by page passing. If that sid is not provided via a link and the cookies are off, it's considered a new session.

    Also, don't use ETags. Companies are getting into a lot of trouble by using them.

  • Users who have thanked Fou-Lu for this post:

    phantom007 (07-20-2012)
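
Added example, not part of the thread and not any poster's code: the dummy-cookie check described in post #2, combined with a cookie-only session setup that avoids the URL-borne session ID discussed in posts #3 and #11. The cookie name `cookie_probe`, the form field names and the in-memory demo account are assumptions; the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example: cookie probe + cookie-only session. Hypothetical names:
// cookie_probe, the user/pass form fields, and the constructed demo account.

// Accept the session ID only from a cookie and never rewrite it into links,
// so it cannot leak through URLs, server logs or the Referer header.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
ini_set('session.cookie_httponly', '1');  // keep the ID away from page scripts
ini_set('session.cookie_secure', '1');    // assumes HTTPS; drop for plain-HTTP tests

// Constructed demo account; a real site would look the hash up in its user store.
$users = ['alice' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Login page: set the dummy cookie that the form handler will look for.
    setcookie('cookie_probe', '1', ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    echo '<form method="post"><input name="user"> <input name="pass" type="password"> '
       . '<button>Log in</button></form>';
    exit;
}

if (!isset($_COOKIE['cookie_probe'])) {
    // The browser did not return the dummy cookie, so a session cookie would be
    // dropped too. Tell the user rather than fall back to a session ID in the URL.
    http_response_code(400);
    echo 'Cookies are disabled. Enable them, reload this page and log in again.';
    exit;
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
$hash = is_string($user) ? ($users[$user] ?? null) : null;

if (is_string($pass) && $hash !== null && password_verify($pass, $hash)) {
    session_start();
    session_regenerate_id(true);  // fresh ID at login; any ID set earlier is discarded
    $_SESSION['user'] = $user;
    echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
} else {
    http_response_code(401);
    echo 'Invalid username or password.';
}
```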

  • #12
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts
    Love you for your answer Fou-Lu

  • #13
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts
    Hi again

    I was running the following code to see how sid gets appended to the test.php link but unfortunately it is not. can you please tell me how to make it work?

    Code:
    <?php
    ini_set('session.use_trans_sid', 1);
    session_start();

    if (isset($_SESSION['test'])) {
        $_SESSION['test'] += 1;
    } else {
        $_SESSION['test'] = 1;
    }

    echo $_SESSION['test'];
    echo "<BR>";
    ?>
    <a href="test.php">test</a>

  • #14
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    use_trans_sid only has value if cookies are not required. Add:
    PHP Code:
    ini_set('session.use_only_cookies', 0);
    And it should work.

  • #15
    Regular Coder
    Join Date
    Jun 2006
    Location
    UK
    Posts
    922
    Thanks
    302
    Thanked 3 Times in 3 Posts
    I have modified the code but the sid is still not appended to the hyperlink.

    Here's the modified code

    Code:
    <?php
    //ini_set('session.use_trans_sid', 1);
    ini_set('session.use_only_cookies', 0);
    session_start();

    if (isset($_SESSION['test'])) {
        $_SESSION['test'] += 1;
    } else {
        $_SESSION['test'] = 1;
    }

    echo "<BR>";

    echo session_id();
    ?>

    <a href="test.php">test</a>

