I Need Cookie Clarification

They have: 28 posts

Joined: May 2003

Ok, I'm confused. Can cookies be faked?

I've been looking at a few PHP user login/authentication scripts, and I noticed that once the cookie is placed on the client's computer, the only check done is to see whether the particular cookie variables have been set, using the isset function. Since the script only checks if the variables are set and not the actual values, couldn't someone just manufacture a cookie with the required variables, let's say username, password, and expdate? At least with sessions, the only thing that's stored on your computer is the session id. I know I'm missing something; can someone please clarify this?


He has: 4,048 posts

Joined: Aug 2000

Uh.. I would certainly stay away from any script that merely checks if a cookie var is set, and not the value of the cookie.

Personally, the only value I set in cookies is the session id (as you mentioned). Everything else gets stored in a database in a session table (using the cookie-fied session id as a key).

Can a cookie be faked? Sure. There are even ways to steal cookies, but I will not be getting into that for obvious reasons.

Mark Hensler
If there is no answer on Google, then there is no question.

They have: 28 posts

Joined: May 2003

I even have a few books that do that. Strange...

So I should just make a function or something that checks the values of the cookies each time they load the page?


He has: 4,048 posts

Joined: Aug 2000

Yes.

Is this for auto-login functionality? I would advise some kind of encryption. You don't want plain text usernames/passwords in a cookie. Or perhaps use something other than a password in cookies... some kind of cookie key.

Mark Hensler
If there is no answer on Google, then there is no question.


He has: 6,151 posts

Joined: May 2001

What about encrypting the password twice?
$pw = 'your_special_password'; // site-wide secret, kept on the server only

// hash the user's password, then hash that digest again with the secret appended
// (md5() takes only a string and an optional raw-output flag, so the two values must be concatenated)
$password = md5(md5($realpassword) . $pw);

or something like that, as MD5 can't be decrypted, but it can be worked out with a program, especially if the users use dictionary words or numbers; adding your own password in there as well just makes it that much harder.
Then add it to a session inserted into a cookie.

[edit] might want to run it by Mark first, he's the PHP guru [/edit]
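To show the difference between the isset-only check the original poster describes and the approach Mark recommends (only a session id in the cookie, everything else in a server-side table), here is an added example; it is not code from the thread or from any of the scripts mentioned, and it assumes a PDO handle and a sessions table with token_hash, user_id and expires columns.

```php
<?php
// Added example, not from the thread. Assumes $db is a PDO connection and a
// table: sessions(token_hash CHAR(64) PRIMARY KEY, user_id INT, expires INT).

// Insecure: any client that sends cookies *named* username and password
// passes, regardless of their values. This is the check the OP describes.
function isLoggedInInsecure(): bool
{
    return isset($_COOKIE['username'], $_COOKIE['password']);
}

// Hardened: the cookie carries only a random, opaque token. The server keeps
// the user id and expiry in its own table, keyed by a hash of the token, so
// a copy of the table alone does not yield usable cookie values.
function createLoginCookie(PDO $db, int $userId, int $ttl = 1209600): void
{
    $token = bin2hex(random_bytes(32));            // 256 bits of entropy
    $stmt = $db->prepare(
        'INSERT INTO sessions (token_hash, user_id, expires) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    setcookie('sid', $token, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid, unexpired token, or null. A fabricated
// cookie fails here because its value has no matching row in the table.
function currentUser(PDO $db): ?int
{
    $token = $_COOKIE['sid'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                               // missing or malformed
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM sessions WHERE token_hash = ? AND expires > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}
```

Logging out is then a DELETE of the matching row, which also invalidates the cookie on every client that holds it.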

They have: 28 posts

Joined: May 2003

Sounds good.

They have: 28 posts

Joined: May 2003

Well, just to learn, I decided to do it using both cookies and sessions and see which one I liked better. As for sessions, I've encountered a problem, and if any of you could help that would be great.

Sessions last on the server 1440 seconds (by default). On the client, the session cookie can last as long as you want it to by using the
session_set_cookie_params() function. The problem is, I'm trying to change how long the session lasts on the server. Is this possible on a shared server? I didn't think it would be, since everyone on the server shares the same php.ini file. But then I came across the ini_set() function and wondered if it has any bearing on this particular script I'm trying to make. I noticed every time I set a certain value, it just goes back to the default after the script is terminated... so that doesn't help me at all. Does it normally stick, but since I'm on a shared server it just goes back to defaults, or what? What is the purpose of it?
