

Session does not work if Cookies are disabled

5 Posts   2387 Views

spierala

Community Member, 80 Posts

10 November 2011 at 7:15am

Edited: 10/11/2011 8:31am

Hello all,
I coded a little counter (an internal i-like).
To prevent users from liking 100 times in a row, I check with the Session class of SilverStripe if that page was already liked:

public function countUp(){
   // only count once per session: the flag is set the first time this page is liked
   if(Session::get('liked-' . $this->ID) == false){
      Session::set('liked-' . $this->ID, 'true');
      $this->Counter = $this->Counter + 1;
      $this->writeToStage('Stage');
      $this->publish("Stage", "Live");
   }
}

That blocking works so far, but users who disable their cookies can like an unlimited number of times :(
I do not understand why the SilverStripe Session relies on cookies to work.
florian

MarcusDalgren

Community Member, 288 Posts

10 November 2011 at 9:35am

Checking the session is a really short-term solution anyway, since the session only lasts for as long as the browser window is open. Just closing it and opening the browser again will give you a new session and you can vote again. Generally, session through cookies is the norm, since session through GET variables is considered insecure AFAIK.

Cookies are really your only option if you want to make a long-term check, unless you want to log IP addresses, but since some people have dynamic IPs that doesn't really work either.

spierala

Community Member, 80 Posts

10 November 2011 at 11:35pm

Hey smurkas,
Thank you for your answer.
So that really means the SilverStripe session only works with cookies enabled, right? :)

Maybe I could write all the IPs that voted to the database and block them for a few minutes.

cheers,
florian

Devlin

Community Member, 222 Posts

11 November 2011 at 3:00am

Edited: 11/11/2011 3:37am

So that really means the SilverStripe session only works with cookies enabled, right?

http://php.net/manual/en/session.configuration.php

Maybe I could write all the IPs that voted to the database and block them for a few minutes.

Please consider that a lot of people share one IP address, that there are easily changeable dynamic IPs, proxies, etc.
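As an added illustration of the php.net link above (this is not Devlin's or the thread's own code): the PHP session directives that decide whether the session ID travels in a cookie at all, with the URL-based alternative shown alongside and the reasons it is the weaker setting.

```ini
; php.ini session transport settings (added example, not from the thread)

; Default: the session ID is carried only in the PHPSESSID cookie.
; A visitor who blocks cookies never sends it back, so every request
; starts a fresh, empty session, which is exactly why the counter
; above can be incremented without limit when cookies are off.
session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0

; The cookie-free alternative: PHP rewrites links and forms to append
; ?PHPSESSID=... so the ID comes back in the URL instead.
; Weaker, because the ID then lands in browser history, server logs,
; bookmarks and the Referer header, and any URL carrying it can be
; handed to a victim (session fixation). Not recommended.
;session.use_only_cookies = 0
;session.use_trans_sid = 1

; Hardening for the cookie case:
session.cookie_httponly = 1   ; cookie not readable from JavaScript
session.cookie_secure = 1     ; cookie only sent over HTTPS
session.use_strict_mode = 1   ; reject IDs the server did not issue (PHP >= 5.5.2)
session.cookie_lifetime = 0   ; session cookie, discarded when the browser closes
```

With cookie_lifetime = 0 the session ends when the browser closes, which is the short-term behaviour MarcusDalgren describes.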

spierala

Community Member, 80 Posts

11 November 2011 at 4:35am

Edited: 11/11/2011 4:38am

Hey Devlin,
I just coded the IP block for re-votes via IP tracking in the database. I just block IPs that are younger than 10 minutes. That is combined with the session check and a cookie.
It's not a big problem if someone finds a way to vote twice by changing IP or disabling cookies.

I just want to prevent someone clicking 20 times in 2 seconds.
I would do that to check if it's a proper counter :)

Here is my final code:

public function countUp(){
   // first line of defence: a cookie and the session flag, both set below
   if(!isset($_COOKIE['liked-' . $this->ID]) && Session::get('liked-' . $this->ID) == false){
      Session::set('liked-' . $this->ID, 'true');
      // one-year cookie, valid for the whole site
      setcookie('liked-' . $this->ID, time(), time() + 3600*24*365, '/');
      // second line of defence: no vote from this IP for this page in the last 10 minutes
      if($this->checkIpVoted() == false){
         $vote = new ILikeVote();
         $vote->Timestamp = time();
         $vote->VotedPageID = $this->ID;
         $vote->IP = $_SERVER['REMOTE_ADDR'];
         $vote->write(); // write the vote to the database
         // increment the counter of the page
         $this->Counter = $this->Counter + 1;
         $this->writeToStage('Stage');
         $this->publish("Stage", "Live");
      }
   }
}

private function checkIpVoted(){
   $ret = false;
   $timeLimit = time() - 600; // 10 minutes ago
   // escape the values before interpolating them into the SQL filter
   $ip = Convert::raw2sql($_SERVER['REMOTE_ADDR']);
   $pageID = (int) $this->ID;
   // any vote from this IP for this page in the last 10 minutes?
   $vote = DataObject::get_one(
      "ILikeVote",
      "IP = '{$ip}' AND VotedPageID = {$pageID} AND Timestamp > {$timeLimit}"
   );
   if($vote){
      $ret = true;
   }
   // get old votes of that IP (older than 10 min) and delete them
   $oldVotes = DataObject::get(
      "ILikeVote",
      "IP = '{$ip}' AND VotedPageID = {$pageID} AND Timestamp < {$timeLimit}"
   );
   if($oldVotes){
      foreach($oldVotes as $oldVote){
         $oldVote->delete();
      }
   }
   return $ret;
}