localhost Posted August 11, 2006 Share Posted August 11, 2006 right now on my website, if you have a cookie editor, you can edit the user_name cookie from any username, to any username and act like anyone! I need to know how I can encrypt it so the user won't be able to change it without it messing up the cookie entirely. but I need it so I can decrypt it so I can display the username, unless there is another way?Please post back. Link to comment https://forums.phpfreaks.com/topic/17216-encrypting-cookies/ Share on other sites More sharing options...
redarrow Posted August 11, 2006 Share Posted August 11, 2006 there you go all you need ok.http://www.phpmag.net/itr/online_artikel/psecom,id,667,nodeid,114.html Link to comment https://forums.phpfreaks.com/topic/17216-encrypting-cookies/#findComment-72900 Share on other sites More sharing options...
localhost Posted August 11, 2006 Author Share Posted August 11, 2006 Well this is for forum software, so we cannot make it so they need to install something just to use it! Link to comment https://forums.phpfreaks.com/topic/17216-encrypting-cookies/#findComment-72921 Share on other sites More sharing options...
corbin Posted August 11, 2006 Share Posted August 11, 2006 You could use a reversable encryption method... That would almost as point less as no encryption though... Funny thing is, i discovered my ISP's webmail site had the flaw of encrypting a username in a cookie... But no password so someone could just make a md5 username put it in the right cookie and be in as someone else... Bout 3 days after i figured that out their webmail site changed :DHow does your login script and you script that creates the cookie work? Link to comment https://forums.phpfreaks.com/topic/17216-encrypting-cookies/#findComment-72925 Share on other sites More sharing options...
localhost Posted August 11, 2006 Author Share Posted August 11, 2006 well right now i have it so on registration it creates a random number 1-9999999 and then md5's it. that is their loginkey, the cookie that is created, its content is userid-loginkey, so like '213-f761938942d1c06c9fb4b2d1644d147f'Do you think this is secure enough? Link to comment https://forums.phpfreaks.com/topic/17216-encrypting-cookies/#findComment-72941 Share on other sites More sharing options...
corbin Posted August 11, 2006 Share Posted August 11, 2006 So their login key is pretty much a password your script generates right? Anyways you could just make it md5 the entire userid-login key thing then just compare the userid-login key in the cookie or in a form in a login script to the database one... Link to comment https://forums.phpfreaks.com/topic/17216-encrypting-cookies/#findComment-72961 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.