Security/Cookies

pkh84

Hello,

When a user loggs in to my site, a cookie is sent to that user. As long as this cookie is valid, the user has access to the site. My questions are:
1. What should the cookie contain? Should the cookie-contents be encrypted?
2. Is it possible for a user to make a fake cookie on its computer and get access to the site without having a username/password.

Thanks,

-Petter-

roel_v

A unique identifier (a md5 hash of a string concat of the persons ip address, a timestamp and a few characters rand() is enough) is all you need in the cookie. The content doesn't have to be encrypted this way. Users can make cookies of their own ofcourse, but on each pageview you have to check in a list of cookies that you keep on your server if this user is still logged in. It all depends on what you plan to put into your cookie, it's not a good idea to store let's say item prices or the content of a shopping cart with prices >😉 You're probably better off using sessions though.

Anon

Look i don't know about the faking cookie but generally (forgive me for my spelling mistakes) you should put a user name and a password or an encryped number on the cookie so you could confirm the user as your friend for example...

Small Example:

SEND:
$user="Your_wanted_user_name";
$pass="Your_wanted_password";
setcookie("cookie_name",$user."/".$pass,time()+360);

GET&CHECK:

list($usercheck,$passcheck)=split("/",$cookie_name);
if (($usercheck==$user)&&($passcheck==$pass))
{
echo "hello my friend";
}
else
{
echo "you are not welcome here!";
}

I that answer your question if not leave me here another message and i'll try to help...

-Oren-

Anon

Maybe it's me being paranoid but I would never store anyone's password in plain text. On a shared machine someone could dig through your cookies and pull interesting information out of them.

pkh84

Hello,

I was thinking of placing the user's username in the cookie. Is this dangerous? I use the rpm-version of PHP and I don't have the encryption libraries installed. Do you know from where I can get them?

I'll take a look at sessions, too.

roel_v

The username is fine, but don't store a password in there like someone else suggested; there are so many vulnerabilities in browser nowadays that let everyone read out all cookies. I think the md5() function is in the default php install, encryption with mcrypt isn't, but you probably don't need it anyway. Search on google for libmcrypt if you want them anyway. But, 9 times out of 10 cookies are used to make some form of session, and this is a lot easier by using the php session functions. (which use cookies too, depending on your configuration, but transparantly for the programmer).

pkh84

Thanks for your fast reply.

Are there anything special I should have in mind if I use the session functions?

I'll check the hash functions.

-Petter-

Anon

You are right but...
i sayd it's just an EXAMPLE

i just wanted him to understand the path of thinking...

-Oren-

roel_v

Not really, as usual, just RTFM :-)

pkh84

OK, I'm using cookies now. Much easier!
Thanks for your help,

-Petter-

pkh84

Wops! Sorry, I ment sessions...