4

I was thinking of a system that will allow users to post only 1 article per 20 min. I don't use a member system, so I thought I could set a cookie for 20 min. And when a user posts something, check if the cookie is set: if yes, show a message like "Only 1 post per 20 min allowed"; if it is not set, then put stuff in the database.

I'm relatively new to PHP and don't know how to set cookies. I tried looking at the php.net manual on cookies, but it was too confusing for me. So can you please show how to set a secure cookie for 20 min and check if it is or is not set? Maybe you have better suggestions that will work instead of cookies etc.

Thank You.

Ilja

5 Answers

16

See these functions:

To set a cookie for 20 min you can do this:

setcookie("postedArticle", true, time() + (60 * 20)); // 60 seconds ( 1 minute) * 20 = 20 minutes

Check if cookie is set:

if(isset($_COOKIE['postedArticle']) && $_COOKIE['postedArticle'] == true)
{ 
    // IS SET and has a true value
}    
Niels
  • so to set it for 20 min I would use something like: setcookie("timeCookie", time()+20, "/", NULL, NULL, true); ? – Ilja Dec 21 '11 at 12:07
  • The time is in seconds, so 1 minute = 60 seconds * 20 = 20 minutes; also the second param should be the cookie value, not the time. – Niels Dec 21 '11 at 12:08
  • Ok I see ))) so that if statement checks if cookie is set right? So after 20 min it will detect that no cookie is set so I can use else condition to do other stuff correct? – Ilja Dec 21 '11 at 12:11
  • Just one last question ))) is this correct then? setcookie("time", true, time()+ (60 * 20), "/", NULL, NULL, true); – Ilja Dec 21 '11 at 12:18
  • Y that is correct to set a cookie, the function `isset()` checks if the session is set, and the second part checks if the cookie is set to true. – Niels Dec 21 '11 at 12:30
  • Why time() + 60 * 20? Won't the computer calculate 60 * 20 and then add time? – Marcelo Agimóvel Dec 06 '18 at 04:11
2

Using cookies for that purpose makes no sense.
If it's registered users you are talking about, you have to store such information on the server side.
But if it's anonymous users, you can't prevent them from posting every second. To clear cookies from the browser is a matter of pressing just one button.

Your Common Sense
  • 1
    But yet, it adds some security as not everyone will clear their cookies, yeah, if someone wants to spam the website they are likely to do it... But this is better than nothing, huh? – Ilja Dec 21 '11 at 12:52
  • 2
    "Better than nothing" rule seldom works in the information technologies world. Fair users wouldn't violate this rule even if there will be no protection at all, just to respect your site rules. While spammers who use scripts to automate such posting, and against whom your protection is directed, I believe, will scarcely notice it. – Your Common Sense Dec 21 '11 at 12:56
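
What storing this information on the server side can look like, as an added example that is not part of the original thread: the last post time is kept per client in a SQLite table, so deleting or editing a cookie changes nothing. Keying by `$_SERVER['REMOTE_ADDR']` is an assumption (users behind one NAT share a slot), as are the table, file path and function names.

```php
<?php
// Added example, not from the thread: server-side post throttle.
// File path, table and function names are hypothetical. Needs PDO with SQLite >= 3.24 (UPSERT).
const POST_INTERVAL = 20 * 60; // seconds between posts, as in the question

function openThrottleDb(string $path): PDO
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS last_post (
                   client    TEXT PRIMARY KEY,
                   posted_at INTEGER NOT NULL)');
    return $db;
}

// True if $client may post at $now; the new post time is recorded in the same
// statement, so two parallel requests cannot both pass the check.
function claimPostSlot(PDO $db, string $client, int $now): bool
{
    $stmt = $db->prepare(
        'INSERT INTO last_post (client, posted_at) VALUES (:client, :now)
         ON CONFLICT(client) DO UPDATE SET posted_at = excluded.posted_at
         WHERE last_post.posted_at <= :cutoff');
    $stmt->bindValue(':client', $client, PDO::PARAM_STR);
    $stmt->bindValue(':now', $now, PDO::PARAM_INT);
    $stmt->bindValue(':cutoff', $now - POST_INTERVAL, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1; // 0 rows changed: last post is too recent
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data: one client, three attempts.
    $db = openThrottleDb(':memory:');
    $t0 = 1700000000;
    foreach ([0, 60, POST_INTERVAL] as $offset) {
        printf("+%4ds allowed=%s\n", $offset,
            var_export(claimPostSlot($db, '203.0.113.7', $t0 + $offset), true));
    }
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // REMOTE_ADDR is the TCP peer address; client-supplied headers such as
    // X-Forwarded-For are as easy to change as a cookie.
    $db = openThrottleDb('/var/lib/example-app/throttle.sqlite');
    if (claimPostSlot($db, $_SERVER['REMOTE_ADDR'], time())) {
        // store the article here
    } else {
        http_response_code(429);
        echo 'Only 1 post per 20 min allowed';
    }
}
```

Keep the database file outside the web root so it cannot be downloaded.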
1

As pointed out by others, cookie method to do this kind of job is useless. So encrypting is also a waste of resources here.

You should insert CAPTCHA validation if you want to prevent spams

For what you are trying to do, here is the ready-to-use code.

I have included encryption of cookie values so anyone can't change the value of the cookie.

But still they can just delete the cookie which a normal user won't do if they see some encrypted values in them.

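<?php
// Note: the mcrypt extension used below was deprecated in PHP 7.1 and removed in PHP 7.2.
$cookiename = "yourcookiename";
// Key used to encrypt and decrypt. From PHP 5.6 on, mcrypt only accepts keys of 16, 24 or 32 bytes.
$mysalt = "secret salt";

function encrypt($text, $salt)
{
    // ECB mode ignores the IV, but mcrypt_encrypt() still takes the argument.
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $salt, $text, MCRYPT_MODE_ECB, $iv)));
}

function decrypt($text, $salt)
{
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    // trim() strips the zero padding mcrypt adds to fill the last block.
    return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $salt, base64_decode($text), MCRYPT_MODE_ECB, $iv));
}

// Default to "false": no cookie means no recent post.
$read = "false";
if (isset($_COOKIE[$cookiename])) {
    $read = decrypt($_COOKIE[$cookiename], $mysalt);
}
if ($read == 'true') {
    // can't post: the cookie from a post in the last 20 minutes is still present
} else {
    // your stuff (store the post), then mark this browser as having posted
    setcookie($cookiename, encrypt("true", $mysalt), time() + 20 * 60);
}

?>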
PRYM
  • @IlyaKnaup $mysalt is the key used to encrypt and decrypt, any random text, it should be known only to you or else anyone can decrypt the encrypted value. – PRYM Dec 21 '11 at 12:24
  • @IlyaKnaup yep.. make sure it is not a dictionary word though.. any random text – PRYM Dec 21 '11 at 12:26
  • 2
    I do not know if encryption adds anything here, since if you clear your browser history, also the cookies can be removed and people will be able to repost. – Niels Dec 21 '11 at 12:32
  • If instead of "true" value, can I set it to be a user's IP so it will check if $read = "users ip" and this will work even if user goes to different browsers? – Ilja Dec 21 '11 at 12:43
  • 1
    @Col.Shrapnel I agree with you but he wanted to know this, that's why I gave him a method. – PRYM Dec 21 '11 at 12:46
  • @IlyaKnaup, you should use CAPTCHA to prevent spams as cookie method has lots of flaws, I have edited my answer too.. – PRYM Dec 21 '11 at 12:59
0

I know this is 8 years old but would like to add some things on the problem of using cookies for your specific needs.

If you really want users to only post every 20 mins then the best thing is to use Sessions, not cookies, as cookies can easily be edited and people can just set their time to just 1 min or lower. So the best thing to use is sessions. I know this answer is off-topic but just wanted to say some info on that, and I hope it helped in some way. I have included some documentation to Cookies and Sessions as well though, so if you or anyone needs some extra help.

Source: Stack Overflow

Documentation:

0

set like

setcookie("TestCookie", $value, time()+1200);

Check after 20 min: if it expires then it works, else not.

Sonal Khunt
  • value of your cookie.. means if you set cookie for username then 'username' is your label and test123 is your username value – Sonal Khunt Dec 21 '11 at 12:18