9three Posted November 17, 2009

Hey, I've been thinking about session/cookie security lately as my site runs off of that to produce dynamic results. What's to stop someone from opening up their cookie folder, editing the session/cookie file named ID and changing the ID to something else? When they change that, the ID will match another customer, thus providing another customer's information. How do you go about making sure the ID is assigned to the correct user? Or is it not possible to edit the session in the manner I speak of?
roopurt18 Posted November 17, 2009

There's nothing to stop them from doing so. I don't store any information in cookies, except for the PHP session id (which happens automatically), for this very reason. Any user-specific information should be kept in the $_SESSION array (which never travels to the client machine) or inside the database. If you follow that guideline, then the only danger you have is session hijacking. If the client machine, server machine, or the network connection between the two is compromised, then it would be possible for a third party to extract the session id and impersonate that user. You can protect the server by following best practices in server administration and code development. You can ignore insecurities that occur over the network (to some extent) by using an HTTPS connection. There's not much you can do to prevent your clients/users from compromising their machines though, as they're typically used by average people. One thing you can implement is to prompt for a password that only the account holder would know when making extremely important updates or changes to account data.
9three Posted November 17, 2009 (Author)

So you're saying $_SESSION['id'] = 12345; will never travel to the client's machine? Well, what if you have a "remember me" function? That would need to be stored on the client's computer, thus storing the ID that belongs to them.
jjacquay712 Posted November 17, 2009

When you use PHP's session functions, what happens is PHP sends you a unique id to store in a cookie. When you use $_SESSION the data isn't really being sent to the client; the data is being stored server side. When your browser sends the unique PHP session id to the server, the server looks up the data that relates to that id and lets you access it via $_SESSION.
mikesta707 Posted November 17, 2009

Well, as long as you don't put important stuff into the remember me cookies (besides their user and email, but it's their computer, so I wouldn't really count that as a risk unless their computer got compromised, but that is something completely out of your control), if they alter their remember me cookies, then... well... the remember me stuff probably won't work.
9three Posted November 17, 2009 (Author)

Well, what I'm trying to figure out is how to securely store the user ID within a cookie, because I'm planning on adding the "remember me" function so the user doesn't have to log in again. But if they can change the cookie ID then this is no good for me, as they can view any customer's info. What would be the safest way to approach this? I've been reading up on some tutorials but none talk about how to properly secure the cookie and/or validate it.

EDIT: Correct me if I'm wrong, but this is what I came up with for storing a cookie securely:

1. Set the cookie.
2. Set the cookie value encrypted.
3. Store the value encrypted into the database.
4. Check if that value matches the correct customer id in the database.
5. If step 4 fails, direct the user to the logout page to destroy all cookies/sessions.
roopurt18 Posted November 17, 2009

You need to store two values in the cookie for a remember me feature:

1) username
2) a unique key (not their password!)

When a user requests to use the remember me feature, you need to generate a unique value and store it in both their user record in the database and in the cookie. When a user visits your site, look up the username and remember_me_key from the cookie and then look for a matching row in the database. If a matching row is found, log the user in and replace the remember_me_key with a new value. In this way, an attacker needs to guess both the username and the remember_me_key in order to log in as another user. This still doesn't protect from session hijacking, which is a different matter altogether. And there is still nothing you can do if your client's machine is compromised.
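The username + random key scheme above, as an added PHP example (not code from the thread or from any poster), with one swapped-in hardening: the database row stores a SHA-256 hash of the key rather than the key itself, so a leaked users table does not hand out working cookies. The $users array stands in for the database table and $cookie for $_COOKIE; both are constructed here so the script runs offline.

```php
<?php
// Added example, not from the thread. $users stands in for the users table (constructed),
// $cookie stands in for $_COOKIE. The key is 32 bytes from the CSPRNG, so it cannot be
// guessed the way a sequential customer id can.

$users = ['alice' => ['id' => 12345, 'remember_hash' => null]];

// Issue a new key: hex-encode it for the cookie, store only its hash in the "database".
function issue_remember_key(array &$users, string $username): array {
    $key = bin2hex(random_bytes(32));
    $users[$username]['remember_hash'] = hash('sha256', $key);
    // In a real app, send it with the cookie flags set, e.g.:
    // setcookie('remember', "$username:$key", ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return ['remember' => $username . ':' . $key];
}

// Validate a presented cookie and return the user id, or null if it does not check out.
// On success the key is rotated, so a copied cookie stops working after its first use.
function check_remember_cookie(array &$users, array &$cookie): ?int {
    if (!isset($cookie['remember']) || strpos($cookie['remember'], ':') === false) {
        return null;
    }
    [$username, $key] = explode(':', $cookie['remember'], 2);
    if (!isset($users[$username]) || $users[$username]['remember_hash'] === null) {
        return null;   // unknown user, or one who never opted in to remember me
    }
    // hash_equals compares in constant time, so response timing does not reveal
    // how many bytes of a guessed key were correct.
    if (!hash_equals($users[$username]['remember_hash'], hash('sha256', $key))) {
        return null;   // wrong key: caller should clear the cookie and destroy the session
    }
    $cookie = issue_remember_key($users, $username);   // rotate the key on every use
    return $users[$username]['id'];
}

// Legitimate flow: opt in, come back later with the cookie, get logged in, key rotated.
$cookie = issue_remember_key($users, 'alice');
var_dump(check_remember_cookie($users, $cookie));

// A cookie edited to name another user without that user's key is rejected.
$edited = ['remember' => 'alice:' . str_repeat('0', 64)];
var_dump(check_remember_cookie($users, $edited));
```

If the check fails, do what 9three's step 5 describes: clear the cookie and destroy the session rather than falling through to a logged-in state.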
9three Posted November 17, 2009 (Author)

Thanks, that's pretty much what I had in my head. PS. I'm using session_regenerate_id to help with whatever I can.