Secure Cookie Issue

transfield

Hello,
I'm using the following code to set a cookie. The code is working fine. However, I find that I can easily edit & manipulate the info in this cookie using a cookie editing software. Is there any way to create a more secure cookie?

My code is below:-

setcookie(michael, date("G:i - m/d/y"), time()+86400);

Thanks a lot for your advice.

MarkR

You can't stop the user editing a cookie on the client side. What you have to do is only use cookies to store things which aren't security critical.

When using cookies to store critical information, it is normal practice to either:
- Store a long unguessable ID instead which refers to a row in a DB or a file (which is what session does by default)
- OR cryptographically sign the data you wish to store in the cookie

Also, don't use barewords as literal strings, this generates a notice (which should of course be seen loudly) and will conflict with future PHP reserved words.

Mark

transfield

Thanks for your reply, Mark. I specifically want to prevent the user from editing the expiry date of the cookie. I noticed that Yahoo's cookies are almost impossible to edit because there are a whole lot of gibberish in it. I plan to create such a cookie.

- Store a long unguessable ID instead which refers to a row in a DB or a file (which is what session does by default)
- OR cryptographically sign the data you wish to store in the cookie

How do I do this?

I appreciate your guidance on this matter. Thanks once again.