Semi-Philosophical Questions about Cookies

sois

Maybe there are some actual reasoning for this stuff, but as of now, I don't have a clue.

My questions are: What kind of data is safe to store in cookies? If I store stuff like passwords and user ID's in cookies, what are safe ways to use the data?

I've created a simple login script where I store the PHPSESSID. Is it safe to use that SESSID to query the DB for user information? What if someone copies the cookie and moves it to another computer?

Thanks all for any input.

pcthug

As long as you encrypt any sensitive data, your cookie should be resonably secure. Try this example, it does not require database interaction as validation is done with pure PHP.

// set cookie
$salt = 'NHx39sjHde';
$time = time(); 
$hash = sha1($salt . $username . $time); 
setcookie('userdata', base64_encode("$hash-$username-$time"), time()+3600);

// retrieve cookie
$salt = 'NHx39sjHde';

if (isset($_COOKIE['userdata']))
{
   $args = explode(base64_decode($_COOKIE['userdata']));

   if (sha1($salt . $args[1] . $args[2]) == $args[0])
   {
      // authentic user
      $username = $arg[1];
   }
   else
   {
      // remove bad cookie
      setcookie('userdata', false, time()-3600);
}

Weedpacket

http://www.phpbuilder.com/board/showthread.php?t=10334033&highlight=cookie+security
http://www.phpbuilder.com/board/showthread.php?t=10333475&highlight=cookie+security
http://www.phpbuilder.com/board/showthread.php?t=10333323&highlight=cookie+security

sois wrote:
What if someone copies the cookie and moves it to another computer?

[man]session[/man]
Sessions and security

External links: Session fixation

The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.