[nycphp-talk] Domains and cookies
zaunere at yahoo.com
Tue Feb 4 11:54:46 EST 2003
--- betenoir at echonyc.com wrote:
> >/** This begins to implement TCP style SYN/ACK seq behavior for session
> > define('pACK', substr(microtime(),2,8).time());
> > if( empty($_COOKIE['psyn']) )
> > define('pSYN', 0);
> > else
> > define('pSYN', $_COOKIE['psyn']);
> > header('Set-Cookie: psyn='.pACK.'; domain=.'.PARASITE_DOMAIN.';path=/');
> >I've also had better luck using header() and forming my Set-Cookie header
> >manually. Hopefully I didn't confuse things,
> In further testing we discovered that the problem is related to whether the
> "read cookie" page is called from its own window or from within a frameset
> at another domain. The former works, the latter doesn't.
I had a similar issue, albeit with the domains nyphp.org vs. www.nyphp.org.
By the way Chris, that's a great resource (http://www.w3.org/P3P/).
> If I understand your code correctly:
> pACK resolves to the cookie value and expiration?
> pSYN is the name of cookie?
pACK and pSYN are just timestamps, with pACK always containing the timestamp
of the request (which should always be unique). Consider the browser
initializing a connection, and when it does, pSYN isn't set (a pseudo-syn
packet, named psyn as a cookie). But from that point on, the server responds
(ACKs) with pACK, which is stored. If the next pSYN doesn't match my stored
pACK in shared memory, we have a problem (hijack or something). Basically,
just one-time session IDs.
> PARASITE_DOMAIN is a variable that holds the doman parameter?
It's a constant I define() elsewhere, and if I remember correctly, I couldn't
use anything like $_SERVER["HTTP_HOST"] because of issues with nyphp.com vs
> And you are "creating" a Set-Cookie header rather than simply writing to a
Well as Chris pointed out, you don't really write to a cookie; you just write
the Set-Cookie: HTTP header and I've always had better luck manually creating
it with header() than letting setcookie() do it.
More information about the talk