cookie security


nvee


Hey Guys

 

I'm busy with my logic script and I am giving the user the ability to either just log in for a session (normal session usage) or "remember me", which then creates a cookie. Now I have the session thing under control.

 

Once the user has been authenticated, I create a session variable for username, active (which is 1) and then one called $_SESSION = session_id();

 

On each page I authenticate the user by checking if the $_SESSION["username"] matches the username in the database and also check if the $_SESSION["id"] is in fact the session_id(); With this, I feel the security is a little stronger than just checking the session exists or just checking a username.

 

Now for the cookie I want to do something similar. I have already done setcookie("username",$username) but I am not sure if there is a PHP command to check if the cookie name is the same as a cookie_id(). Is there even something called cookie_id? Would it matter, seeing that the user can gain access to it anyway? What is the best form of security using cookies?


Ehm, your question is about how cookies work, right?.. It's like this:

<?php
function create_cookie() {
    $expire = time() + 24*60*60;   // the cookie lives for one day
    setcookie("cookie_name", "string that the cookie contains", $expire);
}

// isset() avoids a notice when the request carries no such cookie;
// htmlspecialchars() keeps a tampered cookie value from being rendered as HTML
if (isset($_COOKIE['cookie_name'])) {
    echo 'There\'s a cookie! Cookie contains: ' . htmlspecialchars($_COOKIE['cookie_name']);
} else {
    echo 'There\'s no cookie.';
}
?>


If I am not mistaken, cookies don't have their own unique ids like sessions do.

But you can do it yourself. So when the user logs in and has checked "remember me", do like so:

 

if ($remember) {
    // set user_name cookie
    setcookie("user_name", $user_name);
    // set user_pass cookie
    setcookie("user_pass", $user_pass);

    $cookie_id = md5("_sand_" . time());
    // set cookie_id cookie
    setcookie("cookie_id", $cookie_id);
    // store this cookie_id into accounts table (UPDATE account SET cid=$cookie_id WHERE ...)
}

 

 

Then, when the visitor comes back to your site:

 

// start session
session_start();
// set sessions['id']
$_SESSION['id'] = session_id();
// check if cookies are set and that all three values match the data in the database
$cookies_correct = isset($_COOKIE['user_name'], $_COOKIE['user_pass'], $_COOKIE['cookie_id']);
// ... and compare the three cookie values with the account row

and if it does

if ($cookies_correct) {
    $_SESSION['logged'] = 1;
}


You are correct in your assumption: you can assign a cookie to the user with a unique identifier that will allow you to authenticate them. But you have to ensure that the ID is unique, or else you may need a couple of cookies. Also, if the user comes back with the cookie after being inactive for a while, you may want to reauthenticate before you let them make any kind of changes or do something that requires explicit authentication.


Okay I am partially getting what Sader is trying to do:

 

Add a field in the user database with cookie_id. Then when the user logs in, I create an md5 cookie password and store that in the database. Then when the user returns I connect to the database and check if the cookie_id has the correct cookie ID? The problem with this is, someone can get the cookie ID from the cookie file stored locally and then still use it, so although this form of security sounds like it is heading in the right direction, I am not sure if it is the right way?

 

What I think might work slightly better is:

 

if ($successful_login) {
    $random = rand(1000, 999999);
    setcookie("user_id", $random, time() + 7200);
    $dbid = md5($random);
}

Then write the $dbid to the database.

 

This way, if a hacker is stupid, he will see the dbid and never know that it was actually md5'd into the database. So if he tries to authenticate with just the user_id, it will deny him, because he first needs to md5 it before usage?

 

I mean, this is a secure way of doing it, right? It sounds a lot to me like cookies are not safe at all! :)


Cookies are not secure; that is why you never store any sensitive data in a cookie. However, by creating links to the user's information via a cookie we can help to keep that user's experience more pleasant. If a hacker hacks your server then they will surely see your PHP code that shows them how you confirm users, in which case you are simply screwed. If a hacker gets into your database they will still have the correct dbid, but he will need to know that before it gets run through your login it needs to be reversed through md5, which is theoretically impossible because of the number of possible answers. However, if he gets any answer that translates to the correct md5 sum then he can get authenticated, because it will pass according to your md5 sum. Truth is, md5 is vulnerable because rainbow tables have been created and there are many values that will wind up giving the same md5 sum. Either way, if a hacker hacks your server or your database it is very hard to prevent what they can and cannot do with the knowledge that they now have access to. You should limit the scope of your security to the level of cookies and database inputs. Then create a separate level to address what-if issues; like if a hacker cracked your server or database or both, then resolve what you can do to minimize the damage they can do.
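The scheme the thread converges on (a random value in the cookie, only a hash of it in the database, compared on return) written out as an added example; this is not code from any poster. It assumes PHP 7.3 or later and the pdo_sqlite extension, and uses an in-memory table in place of the accounts table the posters describe; the random_bytes/sha256/hash_equals choices replace the rand()/md5 pair proposed above.

```php
<?php
// Added example, not from any post in this thread: a "remember me" cookie backed by a
// hashed server-side token. Assumes PHP >= 7.3 and pdo_sqlite (in-memory stand-in DB).
function token_storage(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// The cookie carries selector:validator; the table keeps only a hash of the
// validator, so a copied database row alone does not make a usable cookie.
function issue_remember_token(PDO $db, int $userId, int $ttl = 30 * 86400): string {
    $selector  = bin2hex(random_bytes(8));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, stored only as a hash
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Returns the user id for a valid, unexpired cookie value, or null.
function verify_remember_token(PDO $db, string $cookie): ?int {
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // hash_equals compares in constant time, unlike a plain == on an md5 string
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// HttpOnly keeps the cookie away from page scripts; Secure keeps it off plain HTTP.
function send_remember_cookie(string $value, int $ttl = 30 * 86400): bool {
    return setcookie('remember', $value, ['expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed demo: user 42 gets a token; the tampered copy must be rejected.
$db = token_storage();
$cookie = issue_remember_token($db, 42);
var_dump(verify_remember_token($db, $cookie) === 42, verify_remember_token($db, $cookie . 'x') === null);
```

A stolen cookie is still valid until it expires or the row is deleted, so log-out and password changes should delete the user's rows; the point of hashing is only that a database leak, which the last reply worries about, does not hand out working cookies.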
