virtuexru Posted May 29, 2007

As far as checking to see if users are logged in, are cookies secure enough? Can a hacker edit a cookie somehow? This is what I use right now:

```php
// Not logged in: send the visitor to the login page
if ($_COOKIE['user_logged'] == false) {
    include('login.php');
} else {
    // Logged in: show the protected content
    echo "sensitive information";
}
```

Link to comment: https://forums.phpfreaks.com/topic/53469-php-security/
per1os Posted May 29, 2007

Usually you store the username or user id with an md5-hashed password to verify against the DB on each page. This can be done in cookies or in a session variable. As long as the password is hashed so it is not visible, it is a pretty secure way; there are always flaws that can happen, but yes, that is how most sites work.
virtuexru Posted May 29, 2007 (Author)

Well, I basically did this: if you are not authed ($_COOKIE['user_logged'] == false), I redirect you to login. There, I hash the PW in SHA1, check it against the DB, and if everything is OK you get a cookie saying you have been logged in successfully (which expires in 12 hours). Once that's done, all the other pages just check whether or not the user cookie has been set.
MadTechie Posted May 29, 2007

Bad idea to store login settings in a cookie. Store their name, sure, but they could edit the cookie in any way they see fit, i.e. without logging in they could change the cookie to true and they're in, unless you have other checks.
virtuexru Posted May 29, 2007 (Author)

What if I made the cookie $_COOKIE['user_logged'] equal some kind of random 16-bit hash?
MadTechie Posted May 29, 2007

OK, look at it this way: you assume it will expire in 12 hours, but they can change that to 12 years. Cookies are not secure; anything that a user can edit is basically a security risk. To make it harder, I guess you could have 2 cookies:

1. $_COOKIE['user_logged'] = date & time (12 hours from set)
2. $_COOKIE['user_loggedH'] = MD5+SALT of $_COOKIE['user_logged']

The salt could be static to your site (dynamic is better). So you check salt+md5 = $_COOKIE['user_logged'], then check if that time has expired. Just an idea.
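An added example, not posted by anyone in this thread, of the two-cookie idea above folded into one value: the user id and the expiry time travel inside the signed payload, and an HMAC with a server-side key replaces the MD5+salt. LOGIN_SECRET, the cookie name and the timestamp are assumptions.

```php
<?php
// Added example (not from the thread). A login cookie of the form
// "userId|expiresAt|hmac". Only the server holds LOGIN_SECRET, so a user who
// edits the id or the expiry cannot produce a matching tag.
const LOGIN_SECRET = 'placeholder-replace-with-a-long-random-server-side-secret';
const LOGIN_TTL    = 12 * 3600; // 12 hours, as in the thread

// Builds the cookie value for a freshly logged-in user.
function make_login_token(int $userId, int $now): string {
    $expires = $now + LOGIN_TTL;
    $payload = $userId . '|' . $expires;
    $tag = hash_hmac('sha256', $payload, LOGIN_SECRET);
    return $payload . '|' . $tag;
}

// Returns the user id if the token is intact and unexpired, otherwise null.
function verify_login_token(string $token, int $now): ?int {
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $tag] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, LOGIN_SECRET);
    // Constant-time comparison so the tag cannot be guessed byte by byte.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    // The expiry is part of the signed payload, so editing it breaks the tag.
    if ((int)$expires < $now) {
        return null;
    }
    return (int)$userId;
}

// On login (PHP 7.3+ options array; HttpOnly and Secure keep the cookie
// away from scripts and plain HTTP):
// setcookie('user_logged', make_login_token($id, time()),
//     ['expires' => time() + LOGIN_TTL, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
// On every protected page:
// $uid = verify_login_token($_COOKIE['user_logged'] ?? '', time());

$now   = 1180396800; // constructed timestamp for the demo
$token = make_login_token(42, $now);
var_dump(verify_login_token($token, $now));                  // valid token
var_dump(verify_login_token($token, $now + LOGIN_TTL + 1));  // same token after the TTL
$edited = '42|' . ($now + 999999999) . '|' . explode('|', $token)[2];
var_dump(verify_login_token($edited, $now));                 // expiry changed, tag no longer matches
```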
conker87 Posted May 30, 2007

I store the username and password in a cookie. But before every "sensitive" page/data is displayed I have the following code:

```php
<?php
if (isset($_COOKIE['my_username_cookie'])) {
    $usernameC = $_COOKIE['my_username_cookie'];
    $passwordC = $_COOKIE['my_password_cookie'];
    // Cookie value goes straight into the query text (this is what the next reply picks up on)
    $check = mysql_query("SELECT * FROM `members_table` WHERE `username_field` = '$usernameC'") or die(mysql_error());
    while ($infoCheck = mysql_fetch_array($check)) {
        if ($passwordC != $infoCheck['password']) {
            // If the password cookie has been changed, this will happen.
        } else {
            // All's well! Do the including of sensitive info here.
        }
    }
}
?>
```

That's how I do it: if the password (which is md5(), obviously) in the cookie is not the same as the password in the DB, then they get a lovely error. Thank you about.com!
MadTechie Posted May 30, 2007

OK, let me just log on to your site and get a cookie set. Great, now let me edit the username to include some SQL injection. That's the first problem I see, i.e. set the cookie to a' or 1=1-- so the SQL = SELECT * FROM `members_table` WHERE `username_field` = 'a' or 1=1--'. Of course I could just drop your tables or update the password, in fact anything I please. In other words, filter ALL user input; this includes cookies, as they can be edited by the user. As for storing the password, I hope you also used salt. Personally I could have a "tagcode" or the UserID, so if cookie_userid & cookie_username match, and leave the password out (maybe md5 the username).
conker87 Posted May 30, 2007

Would sessions be safer? Using the PHPSESSION=<loadsofcraphere> in the URL?
MadTechie Posted May 30, 2007

Sessions are safer, but expire (based on server settings). You could apply a filter:

```php
<?php
// Allow-list filter: keep only letters and digits from the cookie values
$usernameC = preg_replace('/[^0-9a-z]/i', '', $_COOKIE['my_username_cookie']);
$passwordC = preg_replace('/[^0-9a-z]/i', '', $_COOKIE['my_password_cookie']);
?>
```

This will change a' or 1=1-- to the safer aor11; it will remove everything that's NOT a-z (upper and lower case) or 0-9.
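An added example, not posted by anyone in this thread, of conker87's cookie check rewritten along the lines of the two replies above: the cookie value is bound as a query parameter rather than spliced into the SQL, the allow-list filter is kept as defence in depth, and a server-generated per-user tag (the "tagcode" idea) replaces the password in the cookie. The login_tag column, the cookie names and the SQLite fixture are assumptions.

```php
<?php
// Added example, not from the thread. Verifies a "username + tagcode" cookie
// pair against the DB with a prepared statement. login_tag is an assumed
// column holding a random value written to the user's row at login time.

// Allow-list filter from the reply above, kept as defence in depth.
function clean_username(string $raw): string {
    return preg_replace('/[^0-9a-z]/i', '', $raw);
}

// Prepared statement: the value is bound as data, so even an unfiltered
// a' or 1=1-- would be looked up as a literal username and match nothing.
function find_member(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare(
        'SELECT id, username_field, login_tag FROM members_table WHERE username_field = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the member id when both cookies are present and the tag matches
// the one stored server-side; null otherwise.
function cookie_login(PDO $pdo, array $cookie): ?int {
    if (!isset($cookie['my_username_cookie'], $cookie['my_tag_cookie'])) {
        return null;
    }
    $row = find_member($pdo, clean_username((string)$cookie['my_username_cookie']));
    if ($row === null || $row['login_tag'] === null) {
        return null;
    }
    // Constant-time comparison instead of != on a user-controlled value.
    if (!hash_equals((string)$row['login_tag'], (string)$cookie['my_tag_cookie'])) {
        return null;
    }
    return (int)$row['id'];
}

// Constructed in-memory fixture so the example runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members_table (id INTEGER, username_field TEXT, login_tag TEXT)');
$tag = bin2hex(random_bytes(16)); // what the login page would store and set as the cookie
$pdo->prepare('INSERT INTO members_table VALUES (?, ?, ?)')->execute([7, 'conker87', $tag]);

var_dump(cookie_login($pdo, ['my_username_cookie' => 'conker87', 'my_tag_cookie' => $tag]));
var_dump(cookie_login($pdo, ['my_username_cookie' => "a' or 1=1--", 'my_tag_cookie' => $tag]));
var_dump(cookie_login($pdo, ['my_username_cookie' => 'conker87', 'my_tag_cookie' => 'guess']));
```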