cookie timepit
Thursday, January 22 2009
I love PHP as a flexible and well-endowed server-side scripting language, despite its many faults and inconsistencies. But one such fault I cannot forgive is its implementation of cookies. Cookies are those little files on your computer that allow a website to identify you. They cause suspicion among the paranoid, but in their absence a website can't effectively interact with a user across multiple web pages. As a web developer, I never use sessions (a temporary set of states automatically maintained by the server) but I do sparingly use cookies, dropping a small encrypted identifier and then repeatedly (and transparently) authenticating off of it with every page. Today I did battle with an intractable problem involving PHP's handling of cookie scope. Cookies can apply to a server, to all subdomains of a server, or to just a directory on a server. It's that last variety of scope where PHP seems to be broken. As I set a cookie, I was careful to tell PHP to apply it to every directory, but no, when I went to check all the cookie variables I found they varied from one directory to the next. After hours of trying to accommodate PHP's notion of cookie scope, I finally gave up and used a series of behind-the-scene handoffs between pages to force my logins to happen in the highest directory level. I won't even go into the new vulnerabilities this introduced as usernames and encrypted passwords were passed around in query strings, but I had a deadline and I was tired of spinning my wheels. I've found that there is never a web development problem so complicated that I cannot fix it, though some problems have a way of devouring entire days.
For linking purposes this article's URL is: http://asecular.com/blog.php?090122
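The directory scope mentioned in the post follows the cookie rules in RFC 6265: a cookie set without a Path attribute is scoped to the directory of the page that set it, while Path=/ covers every directory on the host. The PHP below is an added example, not the author's code; the cookie name `auth`, the function names and the sample paths are constructed for illustration.

```php
<?php
// Default scope a browser assigns when Set-Cookie has no Path attribute
// (RFC 6265 section 5.1.4): the directory of the page that set the cookie.
function default_cookie_path(string $requestPath): string
{
    if ($requestPath === '' || $requestPath[0] !== '/') {
        return '/';
    }
    $lastSlash = strrpos($requestPath, '/');
    return $lastSlash === 0 ? '/' : substr($requestPath, 0, $lastSlash);
}

// RFC 6265 path-match: is a cookie with this Path sent for this request path?
function cookie_path_matches(string $cookiePath, string $requestPath): bool
{
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false; // cookie path is not a prefix of the request path
    }
    // A prefix only counts when it ends on a directory boundary.
    return substr($cookiePath, -1) === '/' || $requestPath[strlen($cookiePath)] === '/';
}

// Site-wide login cookie (PHP 7.3+ options array). $token is assumed to be
// an opaque random identifier, so no credentials travel in query strings.
function set_login_cookie(string $token): bool
{
    return setcookie('auth', $token, [
        'expires'  => time() + 3600,
        'path'     => '/',     // every directory on this host
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Constructed paths: a login page in /members/ and pages elsewhere on the site.
$setBy = '/members/login.php';
foreach (['/', default_cookie_path($setBy)] as $scope) {
    foreach (['/members/profile.php', '/blog/index.php', '/membership.php'] as $page) {
        printf("Path=%-9s %-21s %s\n", $scope, $page,
            cookie_path_matches($scope, $page) ? 'sent' : 'not sent');
    }
}
```

Run from the command line, the loop prints which of the sample pages would receive the cookie under each scope; `set_login_cookie()` is meant to be called from a web request before any output is sent.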