Several, varied, questions

Several varied questions follow.
Please be descriptive :slight_smile:

  1. Is this the right format for my cookie?
setcookie("cookiename", $value, time()+50000, "/", ".localhost", false, true);

I want the cookie to be available on localhost and all subdomains of localhost, not be sent over a secure HTTPS connection, but to be sent via HttpOnly.

  2. Can someone tell me how the secure attribute works? The manual is a bit vague here, and says it is up to the programmer to make it work on the server side, but that’s all I could find. I am not sure whether it does anything if I turn it on.

  3. Can there be only one session per site (where php just adds new variables into it on the server), or can there be multiple sessions?

  4. Does php have an upper limit as to how much data can be included in a session? (Example: $_SESSION['value'] = $value, with hundreds or thousands of other values stored like this.)

  5. Is there a security risk in echoing or printing the value of a cookie?
    echo $_COOKIE['cookiename']; The user could change it, and I clean it before using it in a database, but I was wondering if there might be some other vulnerability here, such as inserting something like javascript code in a cookie name that might be echoed into the page.

  6. For mysql database queries - if there are a bunch of queries on a page, one right after another (with some code that works with the result of each query), do I need to call mysqli_close after each query in order to prevent the results of the previous query impacting the next one? I use the same setup, based on a function I wrote, to run any given query. (The function allows me to just work immediately with the fetched row based on a sql query). So many of the variables will be the same. $row['id'] might refer to one item in one table, but a different thing in another.

Some background: I am worried about taking a performance hit by closing and re-opening a database connection so many times for basic routines on every page.

Thanks for any help here with my laundry list :slight_smile: (I’m open to creating individual threads if one of these topics is bigger than anticipated. Suggestions welcome here.)

You really only need to close the db connection after you are sure your script won’t need it anymore - part of good housekeeping. The output from a query will still be stored in the result set assigned to the query after the db is closed.

ps… too many questions in 1 hit. My attention span isn’t what it used to be :crazy:
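As an added example (not code from any poster in this thread), this is what the pattern described above looks like in PHP 8.1+ with mysqli: one connection is opened, a small helper runs each query as a prepared statement and returns the rows as plain arrays, and the connection is closed once at the end. Because every call gets its own statement and result set, `$row['id']` from one query cannot leak into the next even though the connection is shared. The table names, columns and credentials are placeholders.

```php
<?php
// Added example, not from the thread. Requires PHP 8.1+ (mysqli_stmt::execute($params))
// and the mysqlnd driver (mysqli_stmt::get_result). Schema and credentials are assumed.
declare(strict_types=1);

// Throw exceptions on any mysqli error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Run one parameterised query and return every row as an associative array.
 * Each call creates and closes its own statement and result set, so nothing
 * from a previous query is still "in" the connection when the next one runs.
 */
function fetchAll(mysqli $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);                    // values are bound, never concatenated into SQL
    $result = $stmt->get_result();              // buffered client-side
    $rows = $result->fetch_all(MYSQLI_ASSOC);   // copy the rows into ordinary PHP arrays
    $result->free();
    $stmt->close();
    return $rows;
}

// One connection for the whole page (placeholder credentials).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

// Query 1: here $row['id'] is users.id
$users  = fetchAll($db, 'SELECT id, name FROM users WHERE id = ?', [42]);
$userId = $users[0]['id'] ?? null;

// Query 2: here $row['id'] is orders.id, a different thing, in a different array
$orders = $userId === null
    ? []
    : fetchAll($db, 'SELECT id, total FROM orders WHERE user_id = ?', [$userId]);

// ... any number of further queries on the same $db ...

$db->close();   // once, when the script is done with the database

// The fetched arrays are independent of the connection and remain usable.
foreach ($orders as $row) {
    echo 'order ', htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8'),
         ' total ', htmlspecialchars((string) $row['total'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Opening a new connection per query is what would cost performance; reusing one connection and freeing each result set is cheap, and the rows you have already fetched into arrays do not depend on the connection staying open.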

I didn’t want to flood the forums. :slight_smile: Feel free to just answer one or two points and I can just keep the thread alive until they are all answered.

btw for 2), the secure attribute I am referring to is the one mentioned on the setcookie page in the php manual

  5. Is there a security risk in echoing or printing the value of a cookie?
    echo $_COOKIE['cookiename']; The user could change it, and I clean it before using it in a database, but I was wondering if there might be some other vulnerability here, such as inserting something like javascript code in a cookie name that might be echoed into the page.

$_COOKIE is incoming data and should be treated with a great deal of suspicion.

You should do either or both of FIEO:

a) Filter Input - filter it against what you expect it to be (if it's supposed to be an integer then if it is not, abort).

Then, depending on the type of variable, eg a string:

b) Escape Output - prepare it for the next place it is heading (db? then escape so that your db is protected from SQL injection; webpage? escape it so that you protect users from XSS attacks, etc.).
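An added example of FIEO applied to the cookie from the question (this is not code from the thread; the `items` table and the token format are assumptions made for illustration). Input is filtered against what it is expected to be, and output is escaped for whichever destination it is heading to: HTML encoding for the page, parameter binding for the database.

```php
<?php
// Added example, not from the thread. Schema and token alphabet are assumed.
declare(strict_types=1);

// --- Filter Input -------------------------------------------------------------
// Decide what the cookie is supposed to be and reject everything else.

// (a) Supposed to be a positive integer id: validate, or abort.
function cookieAsId(string $name): int
{
    $v = filter_input(INPUT_COOKIE, $name, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($v === null || $v === false) {          // null = cookie absent, false = not an integer
        http_response_code(400);
        exit('missing or invalid cookie');
    }
    return $v;
}

// (b) Supposed to be a short opaque token: allowlist the alphabet with a regex.
function cookieAsToken(string $name): ?string
{
    $v = $_COOKIE[$name] ?? null;
    return (is_string($v) && preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $v) === 1) ? $v : null;
}

// --- Escape Output ------------------------------------------------------------
// Destination: an HTML page. Encode <, >, &, " and ' so a value such as
// <script>alert(1)</script> is rendered as text instead of being executed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Destination: the database. Do not escape by hand; bind the value as a
// parameter so it is always treated as data and never as SQL.
function findItemByToken(mysqli $db, string $token): ?array
{
    $stmt = $db->prepare('SELECT id, label FROM items WHERE token = ?');   // table assumed
    $stmt->bind_param('s', $token);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// --- Constructed demonstration (values set by hand, no browser involved) --------
$_COOKIE['cookiename'] = '<script>alert(1)</script>';   // a tampered value
var_dump(cookieAsToken('cookiename'));                 // NULL: rejected by the filter, never echoed

$_COOKIE['cookiename'] = 'abc_123';                    // a well-formed value
$token = cookieAsToken('cookiename');
echo $token === null ? 'no valid cookie' : 'cookie: ' . h($token), "\n";   // cookie: abc_123
```

The filter step stops most bad values before they go anywhere; the escape step protects the page even for values the filter lets through, since `h()` encodes anything that could be interpreted as markup, and the prepared statement keeps the database safe regardless of what the string contains.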

  2. The secure attribute means the cookie can only be transmitted over a https connection. Interesting to note is that if you also set the httpOnly attribute, the cookie also cannot be read by any javascript in the page you’re serving, possibly adding a little extra security.

  3. It only really makes sense to have 1 session. Why do you want to have multiple sessions on one website?

  4. I’ve had sessions containing 10 MB of data, which should be more than enough to do whatever you need to do. The limits you might hit are memory and disk space: memory for unserializing the session, and disk for actually saving them. E.g. if you have a site with 10000 users online within 10 minutes of each other, and they each have a session that is 10 MB then you’re looking at +/- 100 GB of session storage, and you’ll prolly need to have around ∞ GB memory :wink:
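As an added example (not from any poster in this thread), here is the cookie from the first question and PHP's own session cookie set with the attributes the reply describes, using the options-array form of setcookie() and session_set_cookie_params() that exists since PHP 7.3. The point about "the server side" is that the browser is what enforces Secure and HttpOnly: the server only sets the flags, so the one thing the application should do is set `secure` only when the request really arrived over HTTPS, otherwise the browser will never send the cookie back on a plain http://localhost page. The cookie value, the `SameSite=Lax` choice and the HTTPS detection are assumptions.

```php
<?php
// Added example, not from the thread. Requires PHP 7.3+ for the options arrays.
// Cookie value, SameSite choice and HTTPS detection are assumptions.
declare(strict_types=1);

// Did this request arrive over TLS? (Common check; behind a proxy you would
// consult the proxy's forwarded header instead.)
function requestIsHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

// Application cookie: the browser will only send it back over HTTPS when
// 'secure' is true, and document.cookie cannot read it when 'httponly' is true.
function setAppCookie(string $name, string $value, bool $isHttps): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + 50000,
        'path'     => '/',
        'domain'   => '',        // host-only cookie; put '.localhost' here to try the subdomain form
        'secure'   => $isHttps,  // only flag Secure when we actually served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// The session cookie (PHPSESSID by default) deserves the same flags, and they
// have to be set before session_start() creates it.
function startSession(bool $isHttps): void
{
    session_set_cookie_params([
        'lifetime' => 0,         // until the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $isHttps,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

$isHttps = requestIsHttps();
startSession($isHttps);

// One session per visitor; add as many keys as needed, each stored server-side.
$_SESSION['value'] = 'anything serialisable';
$_SESSION['hits']  = ($_SESSION['hits'] ?? 0) + 1;

setAppCookie('cookiename', 'abc_123', $isHttps);

// On an HTTPS request the response then carries, for example:
//   Set-Cookie: cookiename=abc_123; expires=...; path=/; secure; HttpOnly; SameSite=Lax
// On a plain HTTP request the same header is sent without "secure".
```

Only the session id travels in the cookie; the values in `$_SESSION` stay on the server, which is why the size question is about server memory and disk rather than about cookie limits.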