Integrity of cookies set by PHP


I want to use one of my browsers on my computer as a “testing browser”; when visiting my site via the testing browser, my site will connect to a test database, for example. My thought was to use PHP’s setcookie function to create a cookie called “test”, or something like that, and then give it a value of 1. Then, every time I would visit my site through that particular browser, the site would be in “test mode”. The initial setting of the cookie would be done through a password protected page, so the cookie would be set just in my browser.

My question is whether a user could create a cookie client side called test, set it to a value of 1, and then view my test mode. And, if this is the case, would a more secure way of doing this be to create a cookie with a more interesting name as “HeYTRyTOGUessME” and set it to 1?


You’d be better off creating a really obscure value, not just 1 - kind of like a sessionID

Or you could just… put your test code in a separate directory.

Thanks for the quick response and advice! And, am I correct then in thinking that it’s possible for a user to change a cookie client side?

Anything that gets handed to the client can be altered by the client. (Which is why you never ever trust user input.)
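The two replies above (use an unguessable value rather than 1, and never trust what the client sends back) as an added PHP example that is not from the thread: the weak check from the question beside a version that issues a random token from the password-protected page and verifies it server-side. The hash file path and the `test_token.hash` name are assumptions; the array form of `setcookie` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Assumes the server keeps a hash of the
// issued token in test_token.hash (assumed path; keep it outside the web root).
declare(strict_types=1);

const TEST_COOKIE = 'test_mode';
const TOKEN_HASH_FILE = __DIR__ . '/test_token.hash';

// Weak version from the question: any visitor can create test=1 themselves,
// so this only proves the client chose to send that value.
function is_test_mode_weak(): bool
{
    return isset($_COOKIE['test']) && $_COOKIE['test'] === '1';
}

// Issue a random token. Call this only from the password-protected page.
function issue_test_token(): string
{
    $token = bin2hex(random_bytes(32));                       // 256 bits of entropy
    file_put_contents(TOKEN_HASH_FILE, hash('sha256', $token), LOCK_EX);
    setcookie(TEST_COOKIE, $token, [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable by page scripts
        'samesite' => 'Strict',
    ]);
    return $token;
}

// Server-side check: the cookie is evidence, the server's stored hash decides.
function is_test_mode(): bool
{
    if (!isset($_COOKIE[TEST_COOKIE]) || !is_file(TOKEN_HASH_FILE)) {
        return false;
    }
    $presented = (string) $_COOKIE[TEST_COOKIE];
    if (!preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return false;                                          // reject malformed values early
    }
    $expected = trim((string) file_get_contents(TOKEN_HASH_FILE));
    // Constant-time comparison so response timing does not leak the stored hash.
    return hash_equals($expected, hash('sha256', $presented));
}

// Pick the database based on the verified result, never on the raw cookie value.
$database = is_test_mode() ? 'test_db' : 'production_db';
```

Revoking test mode is then a matter of deleting the hash file, since a cookie whose hash no longer matches is ignored.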

I thought about doing that, but part of the “test” code is allowing myself to see some up-to-the-second site statistics that are for my eyes only.

I did something similar for the QA at my job so that they can change some specific options (date, etc.), but it wasn’t directly in production. We had servers specifically for testing purposes. If you’re in a professional environment, maybe that’s the best way to go… Also, what are the consequences of a user finding your special cookie? Will he have access to special features or just other random data? If it’s not really an issue, IMO, there’s no need to make it super complicated to guess…

If you need something a bit more secure, maybe add a check on the IP address also, just to be certain. :wink:

Edit: Or, you know, a secure login function… that’s what they are for :wink:

OK! Thanks, again…

I thought about the secure login, but wanted to keep things a bit simpler if possible.

If you’re on Apache and your code is separate, you can easily secure that code with an ugly user/password box…

That won’t quite work for what I’m trying to accomplish here. But, I do use the ugly Apache login for some other parts of my site. :smile: