encrypting cookies....


5 replies to this topic

#1 localhost

localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 11 August 2006 - 07:19 AM

Right now on my website, if you have a cookie editor, you can edit the user_name cookie from any username to any username and act like anyone! I need to know how I can encrypt it so the user won't be able to change it without it messing up the cookie entirely. But I need it so I can decrypt it so I can display the username, unless there is another way?

Please post back.

#2 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: London

Posted 11 August 2006 - 07:36 AM

There you go, all you need, OK.

http://www.phpmag.ne...nodeid,114.html
Wish I knew all about PHP, DAMN, I will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#3 localhost

localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 11 August 2006 - 08:23 AM

Well this is for forum software, so we cannot make it so they need to install something just to use it!

#4 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 11 August 2006 - 08:28 AM

You could use a reversible encryption method... That would be almost as pointless as no encryption though...

Funny thing is, I discovered my ISP's webmail site had the flaw of encrypting a username in a cookie... But no password, so someone could just make an md5 username, put it in the right cookie and be in as someone else... About 3 days after I figured that out their webmail site changed :D

How do your login script and your script that creates the cookie work?
Why doesn't anyone ever say hi, hey, or whad up world?

#5 localhost

localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 11 August 2006 - 08:55 AM

Well, right now I have it so on registration it creates a random number 1-9999999 and then md5's it. That is their loginkey. The cookie that is created, its content is userid-loginkey, so like '213-f761938942d1c06c9fb4b2d1644d147f'

Do you think this is secure enough?

#6 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 11 August 2006 - 09:26 AM

So their login key is pretty much a password your script generates, right? Anyways, you could just make it md5 the entire userid-login key thing, then just compare the userid-login key in the cookie or in a form in a login script to the database one...
Why doesn't anyone ever say hi, hey, or whad up world?
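
Added example, not part of the original thread: one way to make the userid-loginkey cookie from post #5 tamper-evident is to append an HMAC computed with a server-side secret and to draw the login key from a CSPRNG, since a number from 1-9999999 gives at most 9,999,999 possible keys whether or not it is md5'd. The names COOKIE_SECRET, make_login_key, build_cookie, verify_cookie and the $lookupKey callback are assumptions for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example: all names here are hypothetical, not from the thread.

// Server-side secret; load it from config outside the web root. Constructed value.
const COOKIE_SECRET = 'replace-with-32-random-bytes-from-config';

// Per-user login key: 128 bits from the CSPRNG instead of md5(rand(1, 9999999)).
function make_login_key(): string
{
    return bin2hex(random_bytes(16));
}

// Cookie value is "userid-loginkey-mac"; the MAC covers "userid-loginkey".
function build_cookie(int $userId, string $loginKey): string
{
    $payload = $userId . '-' . $loginKey;
    return $payload . '-' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

// Returns the user id if the cookie is unmodified and matches the stored key, else null.
// $lookupKey is a hypothetical callback returning the stored login key for a user id.
function verify_cookie(string $cookie, callable $lookupKey): ?int
{
    if (!preg_match('/\A(\d{1,10})-([0-9a-f]{32})-([0-9a-f]{64})\z/', $cookie, $m)) {
        return null; // wrong shape
    }
    [, $userId, $loginKey, $mac] = $m;
    $expected = hash_hmac('sha256', $userId . '-' . $loginKey, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null; // value was changed after the server issued it
    }
    $stored = $lookupKey((int) $userId);
    if (!is_string($stored) || !hash_equals($stored, $loginKey)) {
        return null; // unknown user or login key has been rotated
    }
    return (int) $userId;
}

// Constructed demo data standing in for the users table.
$users  = [213 => make_login_key()];
$lookup = function (int $id) use ($users) { return $users[$id] ?? null; };

$cookie = build_cookie(213, $users[213]);
var_dump(verify_cookie($cookie, $lookup));    // untouched cookie
$tampered = preg_replace('/\A213-/', '214-', $cookie);
var_dump(verify_cookie($tampered, $lookup));  // user id edited in a cookie editor
```

The username to display is then read from the database using the verified user id, so it never needs to be stored in, or decrypted from, the cookie.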



