PHP setcookie: cookie expiry time on mobile

To use cookies in PHP, you call the setcookie function.


bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )

setcookie() defines a cookie to be sent along with the rest


Normally you write setcookie("cookiename","cookievalue"); without the expire argument, so the default value 0 applies and the cookie disappears when the browser is closed.

But this method, which I assumed would obviously work, did not make the cookie disappear at the expected time on mobile.

While reading the manual on the PHP site ( http://kr1.php.net/setcookie ) I found the following note.


Please note that setting the expiry to some timestamp in the past is a common way to get rid of a cookie. However, depending on the value you might set to "invalidate" a cookie immediately, this may pose a threat to the privacy of your user's data, especially when it comes to session cookies.

If you write "0" and "expire-in-the-past" into a session cookie, it remains on the client-side until the clean-up mechanism of the browser hits. (That might be anything from no-time to a very long time. I'm not even thinking of app-based mobile browsers that won't close properly or do their best to ignore standards and RFCs and stuff...)

So, if you have sufficiently messed up your ways of picking up existing session IDs and write-closing their data to your server, the session's data might move from file "sess_(random)" to "sess_0", because that is exactly the identifier that is referred to in the cookie.

From now on (at least until your server decides to clean up) there is data lying wide open to anyone requesting the session "0". Which may happen by accident (i.e. another user gets their own "0"-cookie) or malice (i.e. forgery).

Long story short, ALWAYS use an empty string instead of a "0" value for invalidating a session cookie.

Referring to the note above, I explicitly specified the 0 value, as in setcookie("쿠키이름","쿠키값",0); and then got the result I wanted.
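As an added example (my own code, not from the original post), here is how the expiry can be passed explicitly, how a cookie is removed with an empty value and a past expiry as the php.net note advises, and how a server-side expiry check avoids depending on a mobile browser to drop a session cookie on close. The function names are my own, and the array-options form of setcookie assumes PHP 7.3 or later served over HTTPS.

```php
<?php
// Added example, not from the original post: cookie handling that does not
// rely on a mobile browser actually dropping a browser-session cookie on close.

// Set a browser-session cookie with the expiry given explicitly as 0, plus
// Secure/HttpOnly/SameSite flags (array-options form needs PHP >= 7.3).
function set_session_cookie(string $name, string $value, bool $secure = true): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,          // 0 = keep only until the browser is closed
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Remove a cookie the way the php.net note recommends: an empty value and an
// expiry in the past, never the literal value "0".
function delete_cookie(string $name): bool
{
    unset($_COOKIE[$name]);
    return setcookie($name, '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Server-side guard: because some mobile browsers keep "session" cookies
// alive after closing, store an expiry timestamp in the session and enforce
// it on the server instead of trusting the client to discard the cookie.
function session_is_fresh(int $max_age_seconds = 1800): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now = time();
    if (isset($_SESSION['expires_at']) && $_SESSION['expires_at'] < $now) {
        // Stale session: wipe server-side data and the cookie, start over.
        $_SESSION = [];
        delete_cookie(session_name());
        session_destroy();
        return false;
    }
    $_SESSION['expires_at'] = $now + $max_age_seconds; // sliding window
    return true;
}
```

Call session_is_fresh() at the top of each request before reading session data, so an idle session is rejected on the server even if the phone's browser never discarded the cookie.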
