I’m looking for the best way to store multiple values in a single cookie. (Not store multiple cookies). As far as my research goes, it looks like ASP is way ahead of PHP in this area.
I know it can be done by using a character as a string separator such as the pipe character (|). And this seems to be the most discussed method.
$cookie_data = ‘value1|value2|value3’;
setcookie(‘cookie_name’, $cookie_data);
And then retrieving the cookie data using explode() on the pipe character to put the individual values into an array for use. This is not a very convenient method and requires all the cookie values to be constructed in a single function.
I also considered using serialize() to store multiple values in a cookie and it does look like other people do that. However, PHP warns that it is a security risk for ungiven reasons.
Consider explode() to set one cookie with multiple names and values. It is not recommended to use serialize() for this purpose, because it can result in security holes.
Serialize would probably be the easiest method. I’m not sure what the potential security holes are or if I should be concerned about them.
According to the PHP documentation:
If you wish to assign multiple values to a single cookie, just add to the cookie name.
But that doesn’t seem to work so good. It creates multiple cookies. And naturally, the PHP documentation does not give any example code showing how to use this method, leaving it up to people to play guessing games. Is there a way to make that method work?
I’m just wondering what everyone else is doing. Using a string separator and exploding it is a pain. So, I’m hoping for a better method.
I don’t really understand why you think that ASP is ahead of PHP in this area, because all you can store in a cookie is some sort of textual data. It’s not like ASP can magically store something else than plain text inside of cookies.
And yes, of course that serializing data and storing it inside is a security risk since you can modify anything found within the cookie, thus leaving a potential security hole. That’s why you store as little as possible inside the cookie or information you think isn’t crucial to your applications’ work.
Why is it a problem if multiple cookies are created? You do know that most browsers limit the amount of data you can store inside a single cookie?
No, it is not correct that a site can have up to 20 cookies.
Implementation of cookie storage is based on browser, and RFC says this:
Practical user agent implementations have limits on the number and
size of cookies that they can store. In general, user agents’ cookie
support should have no fixed limits. They should strive to store as
many frequently-used cookies as possible. Furthermore, general-use
user agents should provide each of the following minimum capabilities
individually, although not necessarily simultaneously:
* at least 300 cookies
* at least 4096 bytes per cookie (as measured by the size of the
characters that comprise the cookie non-terminal in the syntax
description of the Set-Cookie header)
* at least 20 cookies per unique host or domain name
It also depends on browser what the default limits are. IE6 has the limit of 20 and then it overwrites the older ones.
Now, for safety - we can assume 20 cookies times 4k of data storage.
However, that has nothing to do with the means of storing the data and actual necessary amount of cookies.
What the OP can do is store encrypted values in the cookie or even GZIP the data and send it as plain text to the cookie. The thing is, the user CAN modify the data and there is no “best” way of storing it. There is only the best way of ensuring nothing can go wrong if the data in the cookie is corrupted. That best way depends on the underlying web app using the cookies.
Now, what I would like to know what was the ASP’s way of handling it and why the OP thinks it’s better. If ASP has certain means of ensuring nothing can go wrong if someone tampered with the cookie - I am 100% sure you can use the same method with PHP.
No, all your suggestions are flawed. And why would you use json_encode or decode? Do you realize how easy it is for humans to read json encoded strings? It’s much easier to read them and modify them than serialized data.
http_build_query and parse_str make absolutely no sense in this case either.
I think you’re either sleepy or need to go to read about things you’re talking about
What you just said makes as much sense as a wrench does to the Sun, it is absolutely ridiculous within the context of the topic.
If you read carefully, you’d notice that no one said a word about class methods, the question is what’s the best method of storing and retrieving data from a cookie.
But hey, if you’re up for the game of who’s right or wrong here - I kindly suggest getting educated first and then actually reading the topic rather than skimming trough it.
Yes it does. If the OP already has 19 other cookies then creating more than one cookie for the new data to be stored may result in other cookies being lost where placing all the data in the one cookie would ensure it still falls within the minimum that browsers are supposed to support.
The size of cookies may also impact on what format you can use to store the data in since if the way you encode it makes it overflow the 4k then you can’t use just the one cookie.
It does have nothing to do with the security of the information being stored though as no matter how you store the data in the cookie it is still able to be read by anyone with access to the computer and so could be copied to someone else’s computer so as to allow them to make use of the data in the cookie in the same way that you can. Anything that you want to be secure should be stored on the server and should only use a session cookie to reference it for as short a period as is practical so as to minimise the possibility of session hijacking.
You just shouldn’t talk about things you don’t understand and you should read what’s been written before spouting absolute nonsense.
Just to help you out here: if you serialize an OBJECT and if that OBJECT has __wakeup and __sleep methods, THEN unserializing that OBJECT will invoke __wakeup method that will get executed so any resources can be re-established and what not.
Now, does it seem to you that in this topic ANYONE said a single word about serializing or unserializing OBJECTS?
The topic is STORING data to cookies. It has nothing to actual classes and what not, the topic is the best means of saving data to a cookie and retrieving it.
A friendly tip - check what json_decode does. Anyone with a milligram of knowledge can spoof an application if it will use json_encoded data in the cookie.
Now, since we went offtopic and since you have severe issues with comprehension and reading - I will refrain myself from any form of further communication with you and I will hope that no one will give you any serious work apart from maybe applying css classes to static websites.
Look, as you pointed out anyone can alter a cookie.
It is untrusted, as in an exploiter can modify it.
By hacking it to a serialized form of an OBJECT to trigger an exploit when its unserialized.
Read the bug report I posted FFS, you will learn something.
Is it really that hard for you to understand that I wasn’t saying serialized data should be inserted into the cookie or are you just blunt?
I mean, what’s the point of having a discussion if you can’t understand simple things someone else is writing.
Also, you are talking about magic class methods, which work only with classes and objects. I know everything you wrote and linked up, but you are absolutely missing the context of the articles and context of this topic. Seriously, work on your comprehension, it is pointless to talk to someone who’s not even bothering to read simple sentences.
And all this “you will learn” talk coming from you is really… well pathetic, seeing you cannot even grasp what I was trying to say this whole time.
I just hope you won’t advise someone to json_encode the data and store it to a cookie, as it has the same holes as serialization does. Try to get educated before going into discussions like this.
So you do realize I never mentioned that serialize should be used? And you do realize that using json_encode and decode ALSO has security implications or it just can’t get to you?
Sorry, but that highlighted line is complete bunk, and imply that serialize()'ing data is somehow better than json/querystring. Which is plain wrong.
Storing cookies on a client machine has security implications regardless of serialization method. It’s just much worse using serialize()/unserialize().
It’s funny, 2011 years after the human race started measuring time and in the era where anyone is able to use some form of electronic device - we still have people who are simply so thick and you cannot reach them with words.
I’m done trying to explain that you’re arguing with yourself and that your methods are… well, awful. FYI I never implied anything, storing serialized data is terrible as is storing json_encoded data within a cookie. Using a querystring for reason known only to you is equally dumb. I’m done here, hopefully I will never have to communicate with you in any way.
I was hoping you’d explain the security implications of using json or query strings as cookie values, as I have done for using serialize()/unseralize(). But being as you haven’t I can only conclude that you don’t know.
