  1. #1
    Archbob

    Cookies and Security issues

    Hi, I'm wondering about the security of Cookies. I know they are sent via http header files but it is just a text file. Can't someone just make a text file with the same attributes to hack cookies?

  2. #2
    M. Johansson
    Cookies can be faked, yes. Never trust information coming from the user.
    Mattias Johansson
    Short, Swedish, Web Developer

    Buttons and Dog Tags with your custom design:
    FatStatement.com

  3. #3
    Archbob
    So how do message boards such as phpBB and Invision protect from that?

  4. #4
    The New Guy
    I don't think they really can.

    There are only two ways to spoof a cookie. Actually taking the cookie from someone who has logged on and using that (not likely).

    The other way is to try the trillions and trillions of combinations of md5 strings (assuming you used md5 which you should). This is the most likely of the two, but even then extremely rare.

    To find out the md5 string they could just randomly try, or they can gather information on the user and try to combine it to hopefully recreate the md5 key.

    That is why a lot of forum software does something like this:

    PHP Code:
    <?php
    // Secret known only to the site; the client never sees it.
    $keyword = "blah";
    // Hash the user's details together with the secret.
    $string = md5($username . $email . $keyword);
    // more protection
    $string = md5($string);
    ?>
    Only you know the keyword, so even if they knew the username and email they will never be able to make the correct string unless they know what your keyword is.

    Hope this helps
    "A nerd who gets contacts
    and a trendy hair cut is still a nerd"

    - Stephen Colbert on Apple Users
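    The post above describes the idea of mixing a server-side secret into the hash so a client who knows the username and e-mail still cannot rebuild the cookie. The following is an added example, not code from the thread or from any forum package: it uses a keyed HMAC (`hash_hmac`) rather than `md5()`, compares with `hash_equals`, and carries an expiry in the signed payload. `COOKIE_SECRET`, the cookie name `session` and the user id `42` are assumptions for illustration; the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread: a cookie value the client cannot forge.
// Same idea as the post above (mix a server-side secret into the hash) but with a
// keyed HMAC instead of md5() and a constant-time comparison on verification.
// COOKIE_SECRET, the cookie name and the user id are assumptions.

const COOKIE_SECRET = 'replace-with-a-long-random-secret'; // placeholder: load from config, never ship a literal

// Build "userId|expires|mac" and base64 it so it survives the Set-Cookie header.
function signCookieValue(string $userId, int $expiresAt): string
{
    $payload = $userId . '|' . $expiresAt;
    $mac = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return base64_encode($payload . '|' . $mac);
}

// Return the user id if the cookie is intact and unexpired, null otherwise.
function verifyCookieValue(string $cookie, int $now): ?string
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expiresAt, $mac] = $parts;
    if (!preg_match('/^\d+$/', $expiresAt)) {
        return null;
    }
    // Recompute the MAC with the secret. A hand-made cookie fails here because
    // the sender does not know COOKIE_SECRET, even if they know the user id.
    $expected = hash_hmac('sha256', $userId . '|' . $expiresAt, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expiresAt < $now) {
        return null;
    }
    return $userId;
}

// Issue the cookie at login (must run before any output is sent).
$expires = time() + 3600;
$value = signCookieValue('42', $expires);
setcookie('session', $value, [
    'expires'  => $expires,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);

// On a later request the server reads $_COOKIE['session'] and verifies it.
// Two checks: the genuine value verifies; a constructed value with a guessed MAC does not.
$genuine = verifyCookieValue($value, time());
$forged  = verifyCookieValue(base64_encode('1|' . $expires . '|' . str_repeat('0', 64)), time());
echo 'genuine: ', $genuine === null ? 'rejected' : "user $genuine", "\n";
echo 'forged:  ', $forged === null ? 'rejected' : "user $forged", "\n";
```

    The signature only stops the cookie being fabricated; it does nothing against the first case in the post above, a cookie copied from a logged-in user, which is why the `secure` and `httponly` flags and a short expiry are set alongside it.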

  5. #5
    Archbob
    So Cookies are already hashed when they are sent via http headers?

    So if I do a setcookie() command, the cookie I send is already encrypted?

  6. #6
    The New Guy
    No, it's not encrypted at all; that's why you manually need to hash the data before setting the cookie.
    "A nerd who gets contacts
    and a trendy hair cut is still a nerd"

    - Stephen Colbert on Apple Users

  7. #7
    jadmadi
    PHP sessions are much better and more secure;
    however, there is session hijacking.
    I believe there is no 100% secure application.

  8. #8
    Archbob
    Now my test cookie just doesn't work:
    PHP Code:
    setcookie("massivechipmunk","chipmunk",time()+3600,'/',".chipmunk-scripts.com",1) or die("2"); 
    This is just not setting a cookie. I tried it without the 1 parameter at the end also and it still didn't work; what am I doing wrong?

  9. #9
    jadmadi
    Good article about using cookies in PHP:
    http://www.potentialcreations.com/articles/cookies1.php

  10. #10
    The New Guy
    Quote Originally Posted by Archbob
    Now my test cookie just doesn't work:
    PHP Code:
    setcookie("massivechipmunk","chipmunk",time()+3600,'/',".chipmunk-scripts.com",1) or die("2"); 
    This is just not setting a cookie. I tried it without the 1 parameter at the end also and it still didn't work; what am I doing wrong?
    The 1 on the end makes the cookie only work on an https connection (secure). Change it to 0 unless you're using it with https.
    "A nerd who gets contacts
    and a trendy hair cut is still a nerd"

    - Stephen Colbert on Apple Users
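    As an added example (not code from the thread), here is the test cookie from post #8 set so that it arrives over plain HTTP while developing, yet keeps the Secure flag from post #10 whenever the page is actually served over HTTPS. The cookie name and domain are the ones in the thread; the `$_SERVER['HTTPS']` check and the array form of `setcookie()` (PHP 7.3+) are assumptions about the hosting environment.

```php
<?php
// Added example, not code from the thread: only ask for a Secure cookie when the
// current request itself is HTTPS, so the browser accepts it in an http:// dev setup.
// Name and domain come from post #8; the HTTPS detection is an assumption.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// setcookie() must run before any output, or the header cannot be added.
$queued = setcookie('massivechipmunk', 'chipmunk', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => '.chipmunk-scripts.com',
    'secure'   => $isHttps,  // post #10: a Secure cookie is only sent over HTTPS
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Lax',
]);

// setcookie() returns false only when the header could not be queued
// (typically because output was already sent); it cannot know whether the
// browser stored the cookie. Echo the outcome without any further output first.
echo $queued ? "Set-Cookie header queued\n" : "headers already sent, cookie not set\n";
```

    If the header is queued and the browser still shows no cookie, check the response headers in the browser's developer tools: a `domain` that does not match the host you are browsing, or `Secure` on an `http://` page, makes the browser silently discard the cookie, which matches what post #8 saw.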
