[nycphp-talk] Domains and cookies

Hans Zaunere zaunere at yahoo.com
Tue Feb 4 11:54:46 EST 2003


--- betenoir at echonyc.com wrote:
> >
> >/** This begins to implement TCP style SYN/ACK seq behavior for session ids **/
> >
> >  define('pACK', substr(microtime(),2,8).time());
> >  if( empty($_COOKIE['psyn']) )
> >     define('pSYN', 0);
> >  else
> >     define('pSYN', $_COOKIE['psyn']);
> >
> >  header('Set-Cookie: psyn='.pACK.'; domain=.'.PARASITE_DOMAIN.';path=/');
> >
> >I've also had better luck using header() and forming my Set-Cookie header
> >manually.  Hopefully I didn't confuse things,
> 
> In further testing we discovered that the problem is related to whether the
> "read cookie" page is called from its own window or from within a frameset
> at another domain. The former works, the latter doesn't.

I had a similar issue, albeit with the domains nyphp.org vs. www.nyphp.org. 
By the way Chris, that's a great resource (http://www.w3.org/P3P/).

> If I understand your code correctly:
> 
> 	pACK resolves to the cookie value and expiration?
> 	pSYN is the name of cookie?

pACK and pSYN are just timestamps, with pACK always containing the timestamp
of the request (which should always be unique).  Consider the browser
initializing a connection, and when it does, pSYN isn't set (a pseudo-syn
packet, named psyn as a cookie).  But from that point on, the server responds
(ACKs) with pACK, which is stored.  If the next pSYN doesn't match my stored
pACK in shared memory, we have a problem (hijack or something).  Basically,
just one-time session IDs.

> 	PARASITE_DOMAIN is a variable that holds the doman parameter?

It's a constant I define() elsewhere, and if I remember correctly, I couldn't
use anything like $_SERVER["HTTP_HOST"] because of issues with nyphp.com vs
www.nyphp.com.

> And you are "creating" a Set-Cookie header rather than simply writing to a
> cookie?

Well as Chris pointed out, you don't really write to a cookie; you just write
the Set-Cookie: HTTP header and I've always had better luck manually creating
it with header() than letting setcookie() do it.

H
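Editor's added example, not code from Hans or the original thread: the pseudo SYN/ACK one-time session ID scheme he describes, written out as a small PHP script. A plain array stands in for the shared memory the post mentions and the request/response loop is simulated at the bottom. PARASITE_DOMAIN, the session key, and the HttpOnly/Secure flags are assumptions; the post's microtime()/time() stamp is swapped for random_bytes(), since a timestamp is unique but guessable.

```php
<?php
// Added example, not from the original post: one-time session IDs in the
// pseudo SYN/ACK style described in the thread. A plain array stands in
// for the shared-memory store; requests are simulated at the bottom.

// Assumption: the post defines this constant elsewhere. The leading dot is
// added when the header is built, so the cookie is sent back for both
// example.com and www.example.com.
const PARASITE_DOMAIN = 'example.com';

// The post uses a microtime()/time() stamp as pACK. A timestamp is unique
// but guessable; a random token is not, so issue that instead.
function new_ack(): string
{
    return bin2hex(random_bytes(16));
}

// Build the Set-Cookie header by hand, as the post prefers. HttpOnly and
// Secure are additions to the post's header (Secure assumes HTTPS).
function psyn_set_header(string $ack): string
{
    return 'Set-Cookie: psyn=' . $ack . '; domain=.' . PARASITE_DOMAIN
        . '; path=/; HttpOnly; Secure';
}

function psyn_clear_header(): string
{
    return 'Set-Cookie: psyn=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT'
        . '; domain=.' . PARASITE_DOMAIN . '; path=/';
}

// One request. $store maps a session key (assumed: the regular session ID)
// to the last pACK issued for it; $psyn is the browser's psyn cookie, or
// null when it sent none. Returns [status, Set-Cookie header], status being
// 'new' (first contact), 'ok' (cookie matched, fresh ack issued) or
// 'hijack' (cookie missing, stale or unknown).
function handle_request(array &$store, string $sessionKey, ?string $psyn): array
{
    if (!isset($store[$sessionKey])) {
        // Unknown session: a first contact carries no psyn; one that does
        // is presenting a token we never issued (or already retired).
        $status = ($psyn === null) ? 'new' : 'hijack';
    } elseif ($psyn !== null && hash_equals($store[$sessionKey], $psyn)) {
        $status = 'ok';                      // constant-time compare of the one-time ID
    } else {
        $status = 'hijack';
    }

    if ($status === 'hijack') {
        unset($store[$sessionKey]);          // drop the session rather than reuse it
        return [$status, psyn_clear_header()];
    }

    $ack = new_ack();
    $store[$sessionKey] = $ack;              // the next psyn must equal this
    return [$status, psyn_set_header($ack)];
}

// Pull the psyn value back out of a Set-Cookie header, as a browser would.
function cookie_value(string $header): string
{
    preg_match('/psyn=([^;]+)/', $header, $m);
    return $m[1];
}

// Simulated exchange (constructed, not a real capture).
$store = [];
$sid   = 'sess-1';

[$s1, $h1] = handle_request($store, $sid, null);      // first contact, no psyn yet
$tok1 = cookie_value($h1);                            // browser stores the issued psyn
[$s2, $h2] = handle_request($store, $sid, $tok1);     // returns it: matches stored ack
$tok2 = cookie_value($h2);
[$s3, $h3] = handle_request($store, $sid, $tok1);     // old token replayed
[$s4, $h4] = handle_request($store, $sid, $tok2);     // session was dropped on the replay

printf("%s %s %s %s\n", $s1, $s2, $s3, $s4);
```

In the simulated run the statuses come out new, ok, hijack, hijack: the replay of tok1 is caught, and because the hijack drops the session the otherwise valid tok2 is refused too, which is the intended "kill it, don't reuse it" behaviour. Two practical caveats before deploying something like this: every response retires the previous ID, so a page whose frames or images fire several requests in parallel will have all but the first one show up as a hijack, and the framed-at-another-domain failure from the thread is a third-party cookie problem (the browser, not the header format, decides whether to accept a cookie set by a framed page), which is the case the P3P material Hans mentions is about.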


