localhost Posted August 11, 2006 Share Posted August 11, 2006 right now on my website, if you have a cookie editor, you can edit the user_name cookie from any username, to any username and act like anyone! I need to know how I can encrypt it so the user won't be able to change it without it messing up the cookie entirely. but I need it so I can decrypt it so I can display the username, unless there is another way?Please post back. Quote Link to comment Share on other sites More sharing options...
redarrow Posted August 11, 2006 Share Posted August 11, 2006 there you go all you need ok.http://www.phpmag.net/itr/online_artikel/psecom,id,667,nodeid,114.html Quote Link to comment Share on other sites More sharing options...
localhost Posted August 11, 2006 Author Share Posted August 11, 2006 Well this is for forum software, so we cannot make it so they need to install something just to use it! Quote Link to comment Share on other sites More sharing options...
corbin Posted August 11, 2006 Share Posted August 11, 2006 You could use a reversable encryption method... That would almost as point less as no encryption though... Funny thing is, i discovered my ISP's webmail site had the flaw of encrypting a username in a cookie... But no password so someone could just make a md5 username put it in the right cookie and be in as someone else... Bout 3 days after i figured that out their webmail site changed :DHow does your login script and you script that creates the cookie work? Quote Link to comment Share on other sites More sharing options...
localhost Posted August 11, 2006 Author Share Posted August 11, 2006 well right now i have it so on registration it creates a random number 1-9999999 and then md5's it. that is their loginkey, the cookie that is created, its content is userid-loginkey, so like '213-f761938942d1c06c9fb4b2d1644d147f'Do you think this is secure enough? Quote Link to comment Share on other sites More sharing options...
corbin Posted August 11, 2006 Share Posted August 11, 2006 So their login key is pretty much a password your script generates right? Anyways you could just make it md5 the entire userid-login key thing then just compare the userid-login key in the cookie or in a form in a login script to the database one... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.