Press "Enter" to skip to content

Tag: cookies

PHP: Zend Framework, MVC, Cookies and 4096 byte oddities

A little word of warning which has puzzled me for over 3 hours in debugging…

If you use Zend_Controller_Front::getInstance()->dispatch(); in your Zend Framework index.php file for firing off the MVC system, and the returned page is over 4096 bytes (4 kilobytes) in size you cannot set a cookie afterwards without causing the “fun” error “Cannot modify header information – headers already sent by (output started at …/library/Zend/Controller/Response/Abstract.php:546) in …”

To work around this, you’ll need to change the code from just:

Zend_Controller_Front::getInstance()->dispatch();
setcookie(. . .);

to:

$front=Zend_Controller_Front::getInstance();
$front->returnResponse(true);
$response=$front->dispatch();
#Zend_Controller_Front::getInstance()->dispatch();
setcookie(. . .);
$response->sendResponse();

I’m sure there is a slightly better way of setting Cookies in the Zend Framework, but that’s a work around for the normal way I’ve found.

If you’ve got any “better idea” suggestions, just let me know.

(I found this “buglet” because a drop down select menu I was making with Zend Form Element was causing the “Cannot modify header information – headers already sent by” error once a number of items were listed: it took 3 hours+ of detection work to narrow it down to a content size issue, then it was a process of elimination ruling out Zend_Form_Element, Zend_Form, Zend_View and Zend_View_Abstract (which helped a bit with the debugging on the issue) and then to Zend_Controller_Front to Zend_Controller_Response_Http and finally to Zend_Controller_Response_Abstract)

Coding: Password Security in Cookies

Via boren.nu, I came across a nice detailed section on how to create a secure cookie and password system (which will be implemented in WordPress 2.4):

Cookies will be based on the secure cookie protocol described here. The cookie is structured like so:

user name|expiration time|HMAC( user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a secret key

The new cookie protocol will allow us to enforce expirations server-side, mass invalidate all cookies, and offer high-level confidentiality. Read the Liu paper for details on the protocol… …In conjunction with the new cookies, password hashing will be improved by moving to phpass. phpass provides password stretching and salting. These make brute-forcing your password hashes impractical should someone get access to your database.