
how to validate cookies?


brem13


Does anyone know a way to validate cookies? I have a script written to check to make sure that the user is logged in and also to make sure that it matches that user's secret answer in the database, but when I use Firefox's 'Tamper Data' add-on and change the cookie to someone else's username, it still allows access... here is my code...

 

<?php
$username = $_COOKIE['loggedin'];
$sec = $_COOKIE['loggedin1'];
include("config.php");
mysql_connect($server, $db_user, $db_pass) or die (mysql_error()); 
$result = mysql_db_query($database, "select * from $table WHERE username = '$username' AND secureques = '$sec'") or die (mysql_error()); 

   while ($qry = mysql_fetch_array($result)) { 
      $userdata = $qry[username];
      $secdata = $qry[secureans];
      
      if($secdata != $sec)
      {
      echo 'You are not logged in <a href=../../../../../../../../main.php>Click Here</a> to login';
      }
   } 

?> 

https://forums.phpfreaks.com/topic/151838-how-to-validating-cookies/

$qry[username];

Should be $qry['username'];

Unless username is a constant.

Anyway, cookies should really only be used for a "Remember Me" feature and user state should not depend on them (although sessions rely on cookies, ironically enough).

So, you should store a username and password in a cookie, not just a username (although you're kind of doing that with the secret question). Also, since cookies can be altered, you should hash the password while it's in the cookie.

(Are you using a secret question as a password? If so, ignore that password part.)
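One way to make the cookie check hold up against tampering, as an added example that is neither the original poster's code nor the reply's: sign the cookie value with a server-side HMAC key and deny by default whenever the signature or the user lookup fails. It assumes PHP 7.1 or later; $secret and the $users array are constructed stand-ins for the key in config.php and the database lookup.

```php
<?php
// Added example (not the original poster's script): a tamper-evident
// "remember me" cookie. $secret stands in for a key kept in config.php;
// $users stands in for the users table (constructed sample data).
$secret = 'replace-with-a-long-random-server-secret';   // assumed, loaded from config.php
$users  = ['alice' => true, 'bob' => true];             // constructed stand-in for the DB

// Build the cookie value: the username plus an HMAC over it. Changing the
// username without the server secret invalidates the signature.
function make_login_cookie(string $username, string $secret): string {
    $mac = hash_hmac('sha256', $username, $secret);
    return $username . '|' . $mac;
}

// Default-deny: return the username only when the cookie is present,
// well-formed and the MAC matches; return null in every other case.
function validate_login_cookie(?string $cookie, string $secret): ?string {
    if ($cookie === null || strpos($cookie, '|') === false) {
        return null;
    }
    [$username, $mac] = explode('|', $cookie, 2);
    $expected = hash_hmac('sha256', $username, $secret);
    // hash_equals compares in constant time, avoiding a timing leak.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return $username;
}

$username = validate_login_cookie($_COOKIE['loggedin'] ?? null, $secret);

// Deny when validation fails or the user is unknown. The original script
// only printed its error inside the fetch loop, so a tampered cookie that
// matched no row produced no rows, no message and therefore no denial.
if ($username === null || !isset($users[$username])) {
    echo 'You are not logged in <a href="main.php">Click Here</a> to login';
    exit;
}

echo 'Welcome back, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```

In a real deployment the $users lookup would be a prepared statement against the users table, and the cookie should also carry an expiry that is covered by the HMAC.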

Well, I was gonna use the password (which is MD5'd, btw) but I figured the secure answer would suffice till I get it to work, and it does, except when someone uses the Firefox Tamper Data add-on. I even echoed out the variables and they showed what they were supposed to be, but when I do the tamper data, it doesn't echo them out; it's like it doesn't see them and therefore doesn't check it.
