Timeout data located in local cookies

Can anyone tell me how to modify a timeout for a web app when logged in? Here are the known specs:

=> there is no session hash in the URL when logging in.
=> default timeout for no transacting activity is 5 minutes.

I really have no way to know if the timeout is located in the local cookie or stored in the web app [session] itself. It’s a large PHP application that I’m referring to. And before anyone asks, no, it’s not a hacking attempt. This is simply an attempt by me to stop this little annoyance. I realize that a lot of people do this sort of thing for security reasons. Also, every transaction on the website (moving from page to page, clicking buttons) results in more than one file with a hash-based name being put in Firefox’s cache.

Thanks.

Adam

Just create a timestamp when the user logs in. Usually in the user’s table. Call it something like “last_accessed” or whatever. Then, check it when the user does something, if they have been idle for 5 minutes, force them to log back in. 5 minutes sounds short, but, that is your choice.

I don’t think you understood what I want, Ernie. I am the user in this case. I am getting annoyed with organizational security and I want to change their nonsense so I don’t have to waste time complying with their web app’s protocols. Follow? =)

If the app is properly designed, there is nothing you can do.

I figured that, Ben. However, would it be worth my time to look at the hash-named files and see what is in them? Can you confirm for me if timeout data is EVER stored in files like that? And this is forum software, so more than likely it isn’t THAT good.

So you want to alter data in a cookie for a server? That is almost impossible. First, you have to know exactly what they stored in it. (Not too hard to do.) Then, you would have to alter their server side code that uses the data. (Mostly impossible.) Normally in a cookie is just a pointer to data saved on the server. So, changing the cookie does not change the 5 minute limit. It is most likely kept in the user table on their server and you do not have access to that.

Well, that’s fine, Ernie. I just wanted to know what this was all about from an expert like yourself so I know what I can do or what I can’t do. And that post by you has pretty much told me what I need to know. But tell me this if you will…

Is timeout data EVER stored in a cookie file directly, or is it almost just a pointer type of identifier, as you have mentioned, that the server code looks at every time you transact on a site, regardless of the page you’re on?

And if there IS indeed a pointer of some kind inside of the cookie, can you give me an example of what such a pointer (or the code that serves that purpose) would look like inside the file? (Just out of curiosity. I really don’t have time to look into it.)

Well, this is based 100% on the programmer. Yes, you can store a time limit inside a cookie, but, it is not a very secure way to handle it. Therefore, a good programmer would not do that. If a programmer did not know what he was doing, they could store insecure data inside a cookie since it is a small data storage.
You can store up to 4k of data in a cookie. Cookies can have an expiry date/time stored in it so it sort of self-destructs after a period of time. This is not the same as a time-out. Cookies can be left on your computer and used the next time you log into the site. Again, as I mentioned before it is usually done with records kept on the server and using the cookie to point at your information. Normally you still need to enter your password. This protects the server from hacking.
Here is a site that explains cookies a bit further. It might help you: PHP-Cookies

Oh, forgot about pointers… Often a programmer will create a GUID and use that for a pointer. It would be saved in a user table and be valid only for a limited time, let’s say 30 days. Some programmers might save the user ID that is in the user table. That is not considered secure, but, I have seen it done. It can be different on different sites. It really depends on how secure the programmer wanted it to be.
Hackers do look at cookies on sites to see if it stored any important data. That is why most programmers are very careful what is stored there.
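
The design described in the replies above (a random token in the cookie that points at a server-side record holding the “last_accessed” time), next to the cookie-trusting anti-pattern, as an added Python sketch that is not code from this thread or from any forum package. `SessionStore`, `weak_check`, the cookie field names and the clock values are all hypothetical.

```python
import secrets

IDLE_LIMIT = 5 * 60  # seconds; the 5-minute idle timeout mentioned in the thread


class SessionStore:
    """Server-side session table: the cookie carries only a random token."""

    def __init__(self):
        self._rows = {}  # token -> {"user_id": ..., "last_accessed": ...}

    def login(self, user_id, now):
        token = secrets.token_urlsafe(32)  # opaque pointer, meaningless to the client
        self._rows[token] = {"user_id": user_id, "last_accessed": now}
        return {"session": token}  # this dict stands in for the cookie sent back

    def check(self, cookies, now):
        """Return the user id if the session is still live, else None."""
        token = cookies.get("session", "")
        row = self._rows.get(token)
        if row is None:
            return None
        if now - row["last_accessed"] > IDLE_LIMIT:
            del self._rows[token]  # idle too long: a new login is required
            return None
        row["last_accessed"] = now  # activity resets the idle clock
        return row["user_id"]


def weak_check(cookies, now):
    """Anti-pattern: the deadline and user id live in the cookie and are trusted."""
    if now < int(cookies.get("expires_at", 0)):
        return cookies.get("user_id")
    return None


def demo():
    store, t0 = SessionStore(), 1_000_000  # constructed clock value
    cookies = store.login("alice", t0)
    active = store.check(cookies, t0 + 240)  # 4 minutes idle: still valid
    # Extra or edited cookie fields are never read; only the token is looked up.
    edited = dict(cookies, expires_at=str(t0 + 10**6), timeout="86400")
    idle = store.check(edited, t0 + 240 + 301)  # more than 5 minutes since last request
    weak = weak_check({"user_id": "alice", "expires_at": str(t0 + 10**6)}, t0 + 9999)
    return active, idle, weak


if __name__ == "__main__":
    print(demo())  # ('alice', None, 'alice')
```

The last element of the result is why a time limit kept in the cookie is not a control: `weak_check` accepts whatever deadline the browser presents, while `SessionStore.check` decides from its own record.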

All good stuff, Ernie. Thanks so much. The website I’m talking about in this thread is an internet forum. And most forums use free software, so obviously it is not paid for. Thus, the chance that it is 100% secure is not likely, but I’m sure most of it is well written so that I can not accomplish this goal. And that’s fine. I don’t need to. This whole thing is my desire to get rid of annoyances that accompany people who write software and have to sell it to others who need to make money too. Check out this post I made on Apple’s forum, which asks them how to eliminate similar annoyances about an iPhone that I own (of course, as expected, no one ever responded to this post):

Hee! I have the same problem with my phone. The only easy way to stop all that is to not have a key on it. But, I have to have it cuz my buddies keep trying to send junk to a lady friend of mine. Ha! But, I get what you are thinking…

You can look at the profile setup on that forum and see if there are any options for the timeouts. But, I am sure you can’t fix this using cookies…

One further thought… You can view the cookies and session info by using the debugger console.
On Firefox, right click on the website and select inspect then select storage.
On Chrome, it is trickier, you need to go to settings, then advanced settings and then in the cookie area, select view and then you can look at them.

Just in case you want to see what that site is doing…
