[Resolved] Cookie Question

bike5

Is it possible (if it is, how hard is it to) create a fake cookie to someones website.

As in, if my cookie saves a user name and the when the cookie is found it logs in that user by the cookies user name. I don't want anyone to be able to create a fake cookie file on their computer with my sites information and someones username and allow them to login. Does that make sense?

If that is possible what is a way around that to make cookies safer?

I was thinking maybe when the user logs in, it saves a cookie with a generated ID and saves the ID in the database then when the cookie is found is logs the user in based on the ID. That was even if someone could create a fake cookie they still wouldn't know the randonly generated ID used to access the users information. I think that would work but I don't wanna go through the extra trouble if the cookie is already safe?

planetsim

Faking a cookie is quite easy actually the majority of sites ive seen have set up there cookies really easy you could probably fake them extremely easily.

Yes they are easy to fake, its extremely hard to prevent however I also havent seen something that is 100% that will work.

To be honest anything that the client can see is not safe, Cookies arent safe they are saved in a file or files depending on the browser (firefox if i remember correctly saves all cookies to one file).

Id make sure that I could prevent it as much as possible. Things like storing the last visited time, storing this within the database, first active, userid. Also make sure you encrypt this, and do not store things like credit card numbers or passwords one site i attend i found out they stored the password i havent been to the site since.

bike5

Ok, I set a cookie id:

$cookie_id = md5(time().rand(1000000,9999999).microtime());

If the cookie is present I log the user in by matching up the cookie with the databases id for that person when they logged in and set the cookie.

Now if someone faked a cookie it would be pretty hard to match up a valid cookie id with a account in the database. If they had access the the original cookie (well they could login anyway so that doesn't matter).

Is there a neater or better way I could set up the cookie id to almost be 100% positive there wont be the same id set for more then one person. I figure the above should be random unqiue enough?

bike5

I have another problem. I always get this message while using firefox->

"Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookie that are blocked."

I have it set to allow cookies in firefox, how do I fix this?

if(isset($COOKIE['cookie_id']) || isset($SESSION['logged']))
header("Location: myaccount.php");

Weedpacket

Originally posted by bike5
Ok, I set a cookie id:

$cookie_id = md5(time().rand(1000000,9999999).microtime());

Using time() and microtime() together is pointless; if you've got microtime() you can work out what time() would be, so randomness insn't increased there. Using limits on rand() also reduces randomness by reducing the range of possible values it returns. MD5() doesn't increase randomness of course, just makes it harder to guess how the IDs are generated (leaving only the matter of guessing the current state of the RNG and the clock time), and ensures a consistent format. Finally, if you're going to use microtime() and rand(), you might as well just use uniqid().

bike5

Ok cool, I will use the uniqid().

Thanks planetsim & Weedpacket

rehfeld

as far as your infinite redirection loop, you need to set some type of flag that you have already redirected them, so you dont keep doing it over and over. otherwise users with cookies disabled will hate you.

header('Location: foo.php?redirect=1');

then just check for $_GET['redirect'] to make sure you dont keep redirecting them

bike5

rehfeld - Ya thanks, I actualy got that fixed just by finishing my script. I wassn't quite done so I guess I did have an infinite loop of redirects, OOPS! lol... All better now 😉