maintaining state without a cookie
Asked Answered
D

6

6

I am trying to figure the workings of an IPB forum.

If I tick remember me, then I will remain logged in even if I close the browser and reopen it.

I am trying to workout how this is possible, as the only cookies that are set by the server expire at the end of the session, i.e. when I close my browser. So how does the server no how to resume the session, without using cookies?

edit: The session id cookie is set to expire at the end of the session, and I have my browser set to delete cookies at the end of the session.

This means when I close my browser(the session ends), the cookie should be deleted.

During the time my browser is closed, if I open up the same site in a different browser, surely the session should be resumed? This does not happen however.

Instead, if I open up my original browser, the session resumes.

The only other cookie set is a cookie called pass_hash, which expires as soon as it is created, and is sent by the server everytime a page is loaded. SO it would not be being used for authentication.

Dalrymple answered 3/8, 2009 at 1:49 Comment(0)
R
3

A sneaky alternative to cookies is the last-modified timestamp in an image or other object. The server can give you an image setting the timestamp to a value that identifies your session. When you load another page the browser sends an if-modified-since timestamp and gives you away.

Reube answered 3/8, 2009 at 3:26 Comment(0)
C
3

Use browser localStorage object. Example:

localStorage.setItem("lastname", "Smith");
var name = localStorage.getItem("lastname");
Cerography answered 25/4, 2012 at 14:47 Comment(0)
A
1

Normally cookies last after you close the browser. If you are using PHP, check out set_cookie's options, or if you are using sessions, check out the session area.

// Set Cookie
setcookie($name, $value, $expire) 
// $expire is the time in seconds since Unix Epoch (see [time()][3]) it will stay alive
// Session
session_set_cookie_params($lifetime) 
// $lifetime is the seconds it will stay alive in seconds
Awash answered 3/8, 2009 at 1:52 Comment(0)
G
1

The session information isn't necessarily destroyed when the browser window is closed. In PHP, for example, you can choose to save session information in a database and you could persist that after the browser is closed and the original session is ended.

Another way I can think of is setting a flag on the Users table stating that the user is still logged in. Perhaps the table has a field called logged_in and you can set that to true. After a certain amount of time [ie, you don't come back] it would be reset back to false.

Guffey answered 3/8, 2009 at 1:57 Comment(5)
If the browser window closes though, and the session cookie is set to expire at the end of the session, and the cookie is deleted when I close my browser(end the session), does this mean if I open up the site in a different browser the session should be resumed? if not, why not?Samy
That may be how it works. They could store the session along with your IP address and the time which you logged in. When you come back, they can check your IP, match it with a username and the time from last login (NOTE: if greater than 1 hour, login required). You would however have to delete these field values when the user logs out.Freida
The why does the session not resume in a different browser?Samy
The browser information could also be stored along with all the other information. Maybe you could contact IPB forum and find out how they store your 'Remember Me' details.Freida
Unfortunately I can't seek support from IPB. I don't think the browser information is being used though, as I used a different copy of the same browser. It must be some kind of storage.Samy
T
1

There are a few places to hide session information other than cookies.

a session key in the URL (http://example.com/app/234348738790/main)

a session key as a GET variable ( ?sess=257892345 )

a session key as a POST variable (input type='hidden')

store it in local storage in the browser

use javascript with any of the above to communicate the session info back to the server.

Truce answered 3/8, 2009 at 3:10 Comment(1)
The problem I have in understanding how IPB is working, is that none of these methods are working. Unless it is some custom hidden javascript storing state separately...Samy
M
0

It sounds to me like you just missed a cookie (or misread/misunderstood when it expires), but the alternate possibility might be that it's keeping the remote address stored in the DB and automatically creating a new session for it for the second visit. However, this would be a rather poor solution both security-wise and due to NATs, et cetera - so I doubt that's what IPB does.

Morita answered 3/8, 2009 at 1:52 Comment(1)
I have not missed any cookies...I have been monitoring them as they are created and checking their expiration dates to try and understand.Samy

© 2022 - 2024 — McMap. All rights reserved.