cookies

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
hobojjr
Registered User
Posts: 3
Joined: Fri Apr 06, 2007 10:51 pm

cookies

Post by hobojjr »

Why do you use cookies instead of php sessions?

How much do I have to modify to convert it to sessions?

User avatar
Handyman
Registered User
Posts: 522
Joined: Thu Feb 03, 2005 5:09 am
Location: Where no man has gone before!
Contact:

Re: cookies

Post by Handyman »

You can use php sessions if you just turn off cookies in your browser :)
They have it set up to use both ways.
My phpBB3 Mods || My Mod Queue
Search Engine Friendly (SEO) URLs || Profile link on Avatar and/or Username || AJAX Chat
Display Posts Anywhere || CashMod || AJAX Quick Edit || AJAX Quick Reply

Image

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 367
Joined: Thu Sep 16, 2004 9:02 am
Contact:

Re: cookies

Post by Paul »

Handyman wrote: You can use php sessions if you just turn off cookies in your browser :)
They have it set up to use both ways.

They never use php session, they use a custom build session system, without php sessions (So $_SESSION, session_start() etc).

User avatar
Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E
Contact:

Re: cookies

Post by Nicholas the Italian »

paulus wrote: They never use php session, they use a custom build session system, without php sessions (So $_SESSION, session_start() etc).

Out of curiosity, why?

Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: cookies

Post by Cap'n Refsmmat »

Presumably so they can customize it as they please.

The PHP session system stores sessions in files on the local server, meaning it won't work across multiple-server setups for large forums.

code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: cookies

Post by code reader »

Nicholas the Italian wrote:
paulus wrote: They never use php session, they use a custom build session system, without php sessions (So $_SESSION, session_start() etc).

Out of curiosity, why?
mainly because php sessions are generally considered to constitute a security risk/hole.
php stores a file per each session, by default in the /tmp directory, so when using shared hosts, it is possible for one application (ie another customer sharing the host) to access those files, and so they can theoretically access the sessions, presumably hijacking it and thus able to impose as a logged-in user.

i don't know of any actual attack that works this way, because you'll have to be hosted by the hosting service on the same host as your intended target, but the mechanism of how to launch such an attack is well understood.

many hosts have changed this setting, so for each domain the session-related files are stored at a local directory (typically ~/tmp/, ie a "private" temp directory under the user's home directory), but the fact that the default is in the "global" shared directory cause many to view php's built-in sessions as a security risk, and many/most well respected web application avoid using it (at least those applications that might find themselves installed in a shared-hosting environment).

since phpbb can't have any control over the setting of every server's php, they chose to avoid using php sessions altogether.

hobojjr
Registered User
Posts: 3
Joined: Fri Apr 06, 2007 10:51 pm

Re: cookies

Post by hobojjr »

Ok, sounds good.

But, then it doesn't work if a user disables cookies?

The reason why I'm asking is because I want to integrate some of my own into the BB. I use php sessions for my things and would like to know more about how I can convert it to cookies ( now that I know why BB uses them ).

User avatar
jojobarjo32
Registered User
Posts: 164
Joined: Wed Jun 22, 2005 7:38 pm
Location: France

Re: cookies

Post by jojobarjo32 »

As far as I know, cookies are only used to store the session id and to make possible to log in automatically (autologin). phpBB works even if you disable cookies (but if you do so it may be annoying to log in each time and to not have the "topic & forum tracking feature" [topics & posts not read] if the forum has not enabled server-side topic marking...) because all (most) links have the "sid" parameter.
If you want to use phpBB's session system, you'll just have to re-use sessions data stored in the database and then to add the "sid" in your links ;)

User avatar
Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E
Contact:

Re: cookies

Post by Nicholas the Italian »

Cap'n Refsmmat wrote: Presumably so they can customize it as they please.
...
code reader wrote: mainly because php sessions are generally considered to constitute a security risk/hole.
...

It makes sense, thanks for your explanations.

User avatar
Handyman
Registered User
Posts: 522
Joined: Thu Feb 03, 2005 5:09 am
Location: Where no man has gone before!
Contact:

Re: cookies

Post by Handyman »

actually, to use the phpbb sessions, you wouldn't have to do any session re-writing… you could just add the basic 6 lines of code to every page… then you would be using their session system… cookies and/or SID's.
So it would be fairly easy to use with the rest of your site.
My phpBB3 Mods || My Mod Queue
Search Engine Friendly (SEO) URLs || Profile link on Avatar and/or Username || AJAX Chat
Display Posts Anywhere || CashMod || AJAX Quick Edit || AJAX Quick Reply

Image

Post Reply