Cookie Security Question

Posted: Fri Sep 11, 2009 1:03 pm
by Citizen
If I use the following code to create a cookie to remember the logged-in user...

setcookie("user_id", $user, time()+3600);
$user is the user's id number. When they revisit the site, we'll use that cookie to auto-log them in.

What are the security vulnerabilities here? Usually in cookie security discussions, people go into depth about XSS, but what about a user trying to log in as a different user? Can't that cookie be fabricated?

Re: Cookie Security Question

Posted: Fri Sep 11, 2009 2:02 pm
by jackpf
The user can modify the cookie's contents to whatever they want... just thought I'd let you know in case you didn't already :)

Re: Cookie Security Question

Posted: Fri Sep 11, 2009 2:06 pm
by Darhazer
You should have some random string generated when the user logs in, which is saved to the cookie... and then use that string for verification. In this way the user won't be able to log in as another user just by changing the id; he will need to steal the other user's cookie to get his random string.
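An added example (not code from the thread or from either poster) of the scheme Darhazer describes: the cookie carries a random token instead of the user id, and the server resolves the token back to an account. It assumes PHP 7 or later (for random_bytes) and uses a hypothetical in-memory array `$store` in place of a database table.

```php
<?php
// Added example: a "remember me" cookie that holds a random token rather than
// the raw user id, so editing the cookie cannot select another account.
// $store is a hypothetical in-memory stand-in for a database table.

// At login: generate a token, keep only a hash of its secret part server-side.
function issue_remember_token(array &$store, int $userId): string {
    $selector  = bin2hex(random_bytes(8));   // lookup key, may be stored in clear
    $validator = bin2hex(random_bytes(32));  // secret part; only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + 3600,
    ];
    return $selector . ':' . $validator;     // this value goes into the cookie
}

// On a later visit: map the cookie value back to a user id, or null if invalid.
function user_from_remember_token(array $store, string $cookieValue): ?int {
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;                         // malformed cookie
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;                         // unknown token, nothing to impersonate
    }
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        return null;                         // expired token
    }
    // hash_equals: constant-time comparison, so timing does not leak the hash.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Usage, in place of setcookie("user_id", $user, time()+3600):
$store  = [];                                // constructed stand-in for the DB
$cookie = issue_remember_token($store, 42);
// Secure and HttpOnly flags: not sent over plain HTTP, not readable by script.
setcookie('remember', $cookie, time() + 3600, '/', '', true, true);

// Later request: $_COOKIE['remember'] is looked up; a guessed or edited value
// that is not in $store resolves to null instead of another user's account.
$userId = user_from_remember_token($store, $cookie);
$forged = user_from_remember_token($store, 'deadbeef:' . str_repeat('0', 64));
```

The original token value resolves to user 42, while the constructed forged value resolves to null; invalidating a token server-side (deleting its row) logs that cookie out without touching the client.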

Re: Cookie Security Question

Posted: Fri Sep 11, 2009 2:28 pm
by Citizen
Right, that was my understanding of it. I ran across a script today that simply stores the user id as the cookie and that's the only security measure in place. :o