Cookie Security Question

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Citizen
Forum Contributor
Posts: 300
Joined: Wed Jul 20, 2005 10:23 am

Cookie Security Question

Post by Citizen »

If I use the following code to create a cookie to remember the logged in user...

    setcookie("user_id", $user, time()+3600);

$user is the user's id number. When they revisit the site, we'll use that cookie to auto-log them in.

What are the security vulnerabilities here? Usually in cookie security discussions, people go into depth about XSS, but what about a user trying to log in as a different user? Can't that cookie be fabricated?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Cookie Security Question

Post by jackpf »

The user can modify the cookie's contents to whatever they want...just thought I'd let you know in case you didn't already :)
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Cookie Security Question

Post by Darhazer »

You should have some random string generated when the user logs in, which is saved to the cookie... and then use that string for verification. In this way the user won't be able to log in as another user by just changing the id; he will need to steal the other user's cookie to get his random string.
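Here is how that scheme looks in PHP, as an added example rather than Darhazer's or the original poster's code. It goes one step beyond the post: the cookie holds a random selector plus a random validator, and only a SHA-256 hash of the validator is stored server-side, so a leaked table does not yield working cookies. It assumes PHP 7.3+ with the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the site's real user storage.

```php
<?php
// Added example. In-memory SQLite stands in for the site's session storage.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY, token_hash TEXT NOT NULL,
    user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');

// Called once the password check has succeeded. The cookie carries a random
// selector (lookup key) and a random validator (the secret); only the hash of
// the validator is stored, so the database row alone cannot be replayed.
function issueRememberCookie(PDO $db, int $userId, int $ttl = 3600): string {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    $value = $selector . ':' . $validator;
    // HttpOnly keeps page scripts away from the cookie; Secure limits it to HTTPS.
    setcookie('remember', $value, ['expires' => time() + $ttl, 'path' => '/',
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return $value;
}

// Called on revisit. Returns the user id only when the selector exists, the
// token has not expired, and the validator matches the stored hash. A cookie
// that simply says "43" has no matching row, so changing the id gains nothing.
function userFromRememberCookie(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare(
        'SELECT token_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    return hash_equals($row['token_hash'], hash('sha256', $validator))
        ? (int) $row['user_id'] : null;
}

// Constructed walkthrough: a real cookie, a bare user id as in the original
// question, and a cookie with the right selector but a guessed validator.
$cookie = issueRememberCookie($db, 42);
var_dump(userFromRememberCookie($db, $cookie));
var_dump(userFromRememberCookie($db, '43'));
$guessed = explode(':', $cookie)[0] . ':' . str_repeat('0', 64);
var_dump(userFromRememberCookie($db, $guessed));
```

On logout, delete the row for the cookie's selector so the token cannot be reused even if it was copied from the browser.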
Citizen
Forum Contributor
Posts: 300
Joined: Wed Jul 20, 2005 10:23 am

Re: Cookie Security Question

Post by Citizen »

Right, that was my understanding of it. I ran across a script today that simply stores the user id as the cookie and that's the only security measure in place. :o