cookie tampering?

marsil

Hello,

I have a voting php script that should work like this:

the user clicks to vote
if it is the first time, the script sends a cookie to the user. The cookie value is a ramdomly generated 10 digit user number.
This number is also written in a mysql table.
when the user tries to vote again, the script checks the cookie value against the number in the database. If the number exists, voting is allowed.

I use the following code to validate the cookie value. I thought it would prevent cookie tampering, by limiting the cookie value length to 10 digits and by allowing only numbers. However, someone has been able to voting by entering any kind of numbers, even 20 digit numbers! I dont know how he is doing this, it seems he is able to pass the validation, writing directly into the database, but I am not sure. Could anybody help me please?

/ when the user tries to vote for the first time, this creates the cookie:/
$usernumber=mt_rand(1000000000,9999999999);
setcookie($cookiename,$usernumber,time()+31536000);

/ the $usernumber is also written into the database /

/ Then, when the user comes back later to vote, this script gets the cookie value and validates it. /

$value=$_COOKIE['cookiename'];
$valuetrim=trim($value); // TRIM SPACES
$value=substr($valuetrim, 0, 10); / THIS LIMITS THE COOKIE VALUE LENGTH TO 10 DIGITS /

$numberofcharacters=strlen($value); / GETS THE NUMBER OF CARACTERS FROM COOKIE VALUE /

$i=0;
while ($i < $numberofcharacters)
{
$eachcharacter=substr($value,$i,1); / THIS GETS EACH CHARACTER FROM COOKIE VALUE STRING /

switch ($eachcharacter) { / CHECKS EACH CHARACTER /
case "1" : $validcookie=1;
break;
case "2" : $validcookie=1;
break;
case "3" : $validcookie=1;
break;
case "4" : $validcookie=1;
break;
case "5" : $validcookie=1;
break;
case "6" : $validcookie=1;
break;
case "7" : $validcookie=1;
break;
case "8" : $validcookie=1;
break;
case "9" : $validcookie=1;
break;
case "0" : $validcookie=1;
break;
default : $validcookie=0;
$i=$numberofcharacters; // THIS KILLS THE LOOP IF THERE IS ANY INVALID CHARACTER
break;
}
++$i;
}

if ($numberofcharacters!=10) / IF COOKIE VALUE LENGTH IS NOT 10, COOKIE IS INVALID/
{
$validcookie=0;
}

if ($validcookie==1)
{ // VOTING IS ALLOWED. VOTE IS WRITTEN IN THE DATABASE }
if ($validcookie==0)
{ // VOTING NOT ALLOWED}

/ After this validation, I check the cookie $value against the number stored previously in the MySql database. If there is a match, voting is allowed. /

/* By the way, there are only 5 form fields in the site, and I validated all of them in the same way I did with the cookie validation above. For example, there is a Name form field where I allowed only letters, and a phone number field where I allowed only numbers and ( ) -, and so on.

Thanks a lot for any help.

Marcelo
*/

bpat1434

$i=0;
while ($i < $numberofcharacters)
{
$eachcharacter=substr($value,$i,1); / THIS GETS EACH CHARACTER FROM COOKIE VALUE STRING /

switch ($eachcharacter) { / CHECKS EACH CHARACTER /
case "1" : $validcookie=1;
break;
case "2" : $validcookie=1;
break;
case "3" : $validcookie=1;
break;
case "4" : $validcookie=1;
break;
case "5" : $validcookie=1;
break;
case "6" : $validcookie=1;
break;
case "7" : $validcookie=1;
break;
case "8" : $validcookie=1;
break;
case "9" : $validcookie=1;
break;
case "0" : $validcookie=1;
break;
default : $validcookie=0;
$i=$numberofcharacters; // THIS KILLS THE LOOP IF THERE IS ANY INVALID CHARACTER
break;
}
++$i;
}

That can be reduced to:

if(!is_numeric($value)){
// Kill script 
}

I do have a question for you:
A user votes once, the info is written to the database. That same user comes back, the cookie is checked. The user votes again, and is allowed to vote? WHy? How would you then get new users? How would you limit them from voting more than 1 time? I honestly think you wanted to use the cookie to record that they've voted, then you check to see if the cookie number is in the database, and if so, disallow them to vote, so they're entitled to one vote.

There is an inherent flaw in your system. If/when enough people use your system, some numbers will be repeated. One way aroudn this is to "salt" or incorporate the IP address with that 10 digit number. and IP is 4 sub-sections of numbers, you coudl split the 10 digit number into 4 sections, and combine them in some way:

My random 10-digit number: 1839128572
My IP address: 192.168.1.1
My new "unique" number: 192183168912185721

THat becomes at least a 14-digit and at most 23-digit number. Tougher to hack, and more unique so you don't accidentally disallow a visitor to vote when they haven't voted.

marsil

Hello,

thanks for your reply. Sorry if I was not clear when I explained how the voting system should work. The site allows only one vote each day. The same computer can be used to vote many times, as long as it is done in different days.

The cookie is used to store a number that identifies the user as a valid voter. When the user votes for the first time, that counts as registration only. The cookie is created, the number is written into the database, as well as the current date. If he tries to vote again on the same day, I check the number and the date. If both match, voting is not allowed.

The votes start counting only on the next day after the cookie is created. That prevents the user from deleting the cookie, voting, than deleting the cookie again, voting again...

Thanks for the !is_numeric($value) solution. It is great. It is nice also the idea of blending the IP with the ramdom number.

Marcelo

laserlight

For the random cookie value:
It may be better to take a SHA1 hash (e.g. with [man]sha1/man ) of a pseudo-random number (use the maximum range) concatenated with the IP address. Then to check for a valid cookie value, test that strlen() returns 40 and that [man]ctype_xdigit/man returns true.

marsil

Thanks a lot for your help! There is one thing that I don't understand yet. If my cookie value is for example $value=1234567890 and I have the following code:

$num=strlen($value);

if ($num!=10)
{
// INVALID COOKIE: KILL THE APPLICATION
}

How could someone still enter a 20-digit number and get his vote approved?? Is my if clause wrong? When I test it in my computer it works fine, so I really don't know what to do.

I am not sure if this helps at all, but here is the cookie that is installed in the user computer:

293003488109013047
1364467740
localhost/
1024
634378624
29843731
2910554720
29770305
*
The cookie was set with setcookie($cookiename,$usernumber,time()+31536000);
The cookie name is "293003488109013047" and the user ramdom number is 1364467740.

Thanks again,

Marcelo

bpat1434

Well, that's fine. But your previous logic doesn't work:

$value=substr($valuetrim, 0, 10); /* THIS LIMITS THE COOKIE VALUE LENGTH TO 10 DIGITS */

If I have a 20 digit code, it becomes 10 anyway... and they set the cookie with the 20 digit code (or however long you want it) and you trim it, then it'll always validate.....