PHP Function Session_Get_Cookie_Params

PHP has many functions that help in the workflow of your application. php function session_get_cookie_params is one of those functions, which is used to get cookie parameters from a cookie. Its arguments are passed in the same way as they are for other php functions. You can pass as many arguments as you want but make sure they are in parenthesis.

Session Cookies are great, they enable websites to save variables on a remote client’s computer and to retrieve them for subsequent requests without the need of having the client open the browser again. That can be really handy for a lot of things like storing shopping cart data or boolean values telling whether valid authentication credentials have been provided by the client.

However, there are some risks with Sessions that can be quite significant depending on the kind of applications you use them for. These include the possibility of Cookie Hijacking and Storage Leakage.

The first of these risks is that Session Cookies can be hijacked and used maliciously to access private content on your website. This can be done by sniffing the network (if the HTTPS protocol is not used), by getting remote or physical access to the client’s computer or by exploiting a web browser security flaw.

Luckily, there are some configuration options in PHP that can be enabled to improve the security of Session Cookies. I suggest enabling session.use_strict_mode and, if your applications are going to be used over HTTPS, session.cookie_secure. These two options should easily help in reducing the chances of these attacks happening.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

session_get_cookie_params example


            $cookie = SessionUtils::popSessionCookie($this->sessionName, $sessionId);

            /* * We send an invalidation Set-Cookie header (zero lifetime) * when either the session was started or a cookie with * the session name was sent by the client (in which case * we know it's invalid as a valid session cookie would've * started the session). */
            if (null === $cookie || isset($_COOKIE[$this->sessionName])) {
                $params = session_get_cookie_params();
                unset($params['lifetime']);
                setcookie($this->sessionName, '', $params);
            }
        }

        return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
    }
}
    // destroying the current session creates a new ID; Drupal has historically     // decided to only set sessions when absolutely necessary (e.g., to increase     // anonymous user cache hit rates) and as such we cannot use the Symfony     // convenience method here.     session_destroy();

    // Unset the session cookies.     $session_name = $this->getName();
    $cookies = $this->requestStack->getCurrentRequest()->cookies;
    // setcookie() can only be called when headers are not yet sent.     if ($cookies->has($session_name) && !headers_sent()) {
      $params = session_get_cookie_params();
      setcookie($session_name, '', REQUEST_TIME - 3600, $params['path']$params['domain']$params['secure']$params['httponly']);
      $cookies->remove($session_name);
    }
  }

  /** * {@inheritdoc} */
  public function setWriteSafeHandler(WriteSafeSessionHandlerInterface $handler) {
    $this->writeSafeHandler = $handler;
  }

  


    /** * Gets the session object. */
    abstract protected function getSession(): ?SessionInterface;

    private function getSessionOptions(array $sessionOptions): array
    {
        $mergedSessionOptions = [];

        foreach (session_get_cookie_params() as $key => $value) {
            $mergedSessionOptions['cookie_'.$key] = $value;
        }

        foreach ($sessionOptions as $key => $value) {
            // do the same logic as in the NativeSessionStorage             if ('cookie_secure' === $key && 'auto' === $value) {
                continue;
            }
            $mergedSessionOptions[$key] = $value;
        }

        


    /** * Gets the session object. */
    abstract protected function getSession(): ?SessionInterface;

    private function getSessionOptions(array $sessionOptions): array
    {
        $mergedSessionOptions = [];

        foreach (session_get_cookie_params() as $key => $value) {
            $mergedSessionOptions['cookie_'.$key] = $value;
        }

        foreach ($sessionOptions as $key => $value) {
            // do the same logic as in the NativeSessionStorage             if ('cookie_secure' === $key && 'auto' === $value) {
                continue;
            }
            $mergedSessionOptions[$key] = $value;
        }

        

        $options = [
            'cookie_lifetime' => 123456,
            'cookie_path' => '/my/cookie/path',
            'cookie_domain' => 'symfony.example.com',
            'cookie_secure' => true,
            'cookie_httponly' => false,
            'cookie_samesite' => 'lax',
        ];

        $this->getStorage($options);
        $temp = session_get_cookie_params();
        $gco = [];

        foreach ($temp as $key => $value) {
            $gco['cookie_'.$key] = $value;
        }

        $this->assertEquals($options$gco);
    }

    public function testSessionOptions()
    {
        

            $cookie = SessionUtils::popSessionCookie($this->sessionName, $sessionId);

            /* * We send an invalidation Set-Cookie header (zero lifetime) * when either the session was started or a cookie with * the session name was sent by the client (in which case * we know it's invalid as a valid session cookie would've * started the session). */
            if (null === $cookie || isset($_COOKIE[$this->sessionName])) {
                $params = session_get_cookie_params();
                unset($params['lifetime']);
                setcookie($this->sessionName, '', $params);
            }
        }

        return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
    }
}
Home | Imprint | This part of the site doesn't use cookies.