To actually answer your question... no, cookies are not a secure place to put sensitive data. It is extremely easy to spoof cookies.
If you're just storing a username in the cookie, and NOT ACTUALLY LOGGING THEM IN AUTOMATICALLY BASED ON THAT USERNAME (you better not be, that's not secure at all) then it shouldn't be a big deal, because they'll still need a password or something else to log in and cause harm.
I assume you're trying to do either a login or a 'Remember my Login' kinda thing. For a login, the cookie should simply store a random session ID. So when they log in, generate a random session ID (something based on microtime() is good, see rand()) and store that in the cookie. Then each request they make, check the session ID against the database to see if it's a valid session ID. It's good to time limit things as well: set the cookie to expire after an hour, and set a session_ID_expireTime field in the database too (I assume you might be using one... if not, use text files or something). A remember my login thing is the same idea.
As far as sessions are concerned, people need to remember that sessions are propagated by cookies or through the URL. SSL sessions are simply SSL cookies, or an HTTPS:// SSL connection. Either of which can be done without the need for sessions.
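The session-ID scheme described in the post above, as an added example that is not part of the original post: it draws the ID from random_bytes() (the OS CSPRNG) in place of microtime()/rand(), whose output is predictable, and keeps only a hash of the ID server-side. The table layout, the `sid` cookie name, the in-memory SQLite store and the user `alice` are assumptions; `session_ID_expireTime` is the field the post names.

```php
<?php
declare(strict_types=1);

// Constructed demo store: in-memory SQLite stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id_hash TEXT PRIMARY KEY,
    username TEXT NOT NULL,
    session_ID_expireTime INTEGER NOT NULL)');

// Issue a session: the cookie gets the random ID, the database gets only its hash.
function create_session(PDO $db, string $username, int $ttl = 3600): string
{
    $id = bin2hex(random_bytes(32));           // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $id), $username, time() + $ttl]);
    if (PHP_SAPI !== 'cli') {                  // only send the cookie under a web server
        setcookie('sid', $id, ['expires' => time() + $ttl, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $id;
}

// Check a presented cookie value on each request; returns the username or null.
function validate_session(PDO $db, string $id, ?int $now = null): ?string
{
    $now = $now ?? time();
    if (!preg_match('/\A[0-9a-f]{64}\z/', $id)) {
        return null;                           // malformed value: reject before any lookup
    }
    $stmt = $db->prepare(
        'SELECT username, session_ID_expireTime FROM sessions WHERE id_hash = ?');
    $stmt->execute([hash('sha256', $id)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['session_ID_expireTime'] <= $now) {
        return null;                           // unknown or expired, whatever the cookie says
    }
    return $row['username'];
}

$sid = create_session($db, 'alice');                      // constructed user name
var_dump(validate_session($db, $sid));                    // session just issued
var_dump(validate_session($db, str_repeat('0', 64)));     // well-formed but never issued
var_dump(validate_session($db, $sid, time() + 7200));     // checked after server-side expiry
```

The expiry that counts is the one in the database: the cookie's own expiry is only a hint to the browser, and a client can keep replaying the value after it.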