How do I stop someone changing their Cookie?
simonmlewis
- DevNet Master
- Posts: 4435
- Joined: Wed Oct 08, 2008 3:39 pm
- Location: United Kingdom
How do I stop someone changing their Cookie?
Apart from simply calling an administrator "a_dmin112298" for example for all administrator cookie types, how does one stop a cookie being hijacked?
Is the only way - on every "administrator" page to run a query on the datatable to query the cookie, the cookie names, etc, against the database, and only if found, then let the scripts run?
Or is there a more bulletproof method of doing it?
I suppose one could also run a session id. Store that by their name in the db table. And for each page, query the database against the cookie for the user type, the name, email, and session id??
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
Re: How do I stop someone changing their Cookie?
Don't trust cookies. Period. There is no way to prevent the user from modifying their cookie values. Use session variables instead - they stay on the server.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
simonmlewis
Re: How do I stop someone changing their Cookie?
Yeah, am working on a combo of the lot at the moment.
So it checks their email, name, type of account AND session ID on the DB.
Re: How do I stop someone changing their Cookie?
Session attacks and "remember me" options aside, all you need is the session cookie. Store all your information in the session and don't use any additional cookies.
simonmlewis
Re: How do I stop someone changing their Cookie?
So just register the random session ID in the DB, and query it against the DB or just against a cookie to which it is assigned?
But I need to have levels to the system. Users and Administrators.
Re: How do I stop someone changing their Cookie?
You don't have to do anything with the database.
1. When they log in or whatever, store useful information like user ID, name, email, access level, whatever in the session.
2. When they browse, your code checks the session to see if they're logged in. If so, grab whatever information you want from it.
3. If they're not logged in then the information isn't there and you do whatever, like send them to a login page or give an error message.
simonmlewis
Re: How do I stop someone changing their Cookie?
So what is stopping someone logging in, and changing their cookie to try and gain access as "administrator" for example?
Surely it needs to check their session id is the same session id as that assigned to that person, who is in the db as an administrator?
For example. I login. Let's say my level is "generaluser". And my session id is stored as 1234.
I change my level as "administrator".
What's stopping me from accessing administrator areas? Surely if I login and get session id 7766 stored against my DB row by my name, email and user type, it checks that for each admin page. And if my logged in session ID of 7766, is in the db against my details, I am given access??
Or am I overthinking this??
Re: How do I stop someone changing their Cookie?
simonmlewis wrote:
So what is stopping someone logging in, and changing their cookie to try and gain access as "administrator" for example?...
...You know that the session cookie doesn't actually contain the session data, right? It's just an ID that PHP uses to look up the data on the server. Note the "on the server" part of that last sentence.
Yes they can change the cookie all they want, but they'd have to successfully guess the session ID of an administrator user. Like this site seems (it's a bit cryptic) to use a 256-bit session ID - that's approximately
11580000000000000000000000000000000000000000000000000000000000000000000
Don't get me wrong, there are attacks relating to session IDs (which you can take measures against), but simply editing your session cookie is not one of them.
simonmlewis
Re: How do I stop someone changing their Cookie?
But how do you differentiate between a user and an administrator?
How do you query on the administrator pages, if they are allowed it? Surely you have to put the session id into the DB, and then query both the session and cookie against the db?
I must really be missing something here.
Re: How do I stop someone changing their Cookie?
You are.
Forget the session ID. It's irrelevant to this discussion.
Pretend the session is a "database" that you can put information into, with the advantage that it loads and saves for just the current user. When someone logs in you now know who they really are (besides just some anonymous visitor) and can use your real database to get information about them. Then you put that information into the session "database", and whenever you want to know information about the current user you look to the session.
Access level you say? When the user logs in you grab, among other things that could be useful, their access level, and you store that somewhere in the session. Want to know if they can visit an admin page? Use the access level you stored in the session to decide if they should be allowed.
simonmlewis
Re: How do I stop someone changing their Cookie?
So I don't use Cookies at all?
I've never used a session like a database. I've only done it as lots of individual sessions:
sessionid
orderby
catid
And so on. Are you suggesting it all goes into ONE session???
simonmlewis
Re: How do I stop someone changing their Cookie?
When they login, do I store each separate entity in a separate session?
Then query each session (id, email, userrole) per page?
Re: How do I stop someone changing their Cookie?
I don't even know what you're saying anymore. Would be really nice if you could learn the terminology.
Your admin page.
```php
<?php
session_start();
if (!isset($_SESSION["loggedin"])) {
    // not logged in
    header("Location: /login.php");
    exit;
} else if (!$_SESSION["admin"]) {
    // not an admin
    header("Location: /notallowed.php");
    exit;
}
// otherwise the user is logged in and an admin
?>
```
Login page.
```php
<?php
session_start();
if (isset($_SESSION["loggedin"])) {
    // already logged in
    header("Location: /");
    exit;
}
// otherwise the user is not logged in yet
if (isset($_POST["submit"])) {
    $user = null; // get user information: look the submitted user up in your database here
    if ($user) {
        // user exists
        $_SESSION["loggedin"] = true;
        $_SESSION["username"] = $user["username"];
        $_SESSION["admin"] = ($user["access"] >= 10); // eg, if 10 meant "admin"
        header("Location: /");
        exit;
    } else {
        // no such user. redisplay form
    }
}
?>
```
login form here
simonmlewis
Re: How do I stop someone changing their Cookie?
```php
if (isset($_SESSION['sessionid']))
{
    // the value is read from $_REQUEST (client input), not from $_SESSION
    $sessionid = $_REQUEST['sessionid'];
}
```
so session id, email, firstname (if I want to use their name on screen), userrole etc.
Then query $userrole from the session, to see if they are allowed to access a page.
Re: How do I stop someone changing their Cookie?
FORGET THE SESSION ID
You want the email, firstname, and userrole? You put those in the session when the user logs in.
```php
// if the user has logged in successfully and you've grabbed all the data
// ($user being the row you fetched from your database) {
$_SESSION["email"] = $user["email"];         // email
$_SESSION["firstname"] = $user["firstname"]; // firstname
$_SESSION["userrole"] = $user["userrole"];   // userrole
// }
```
You want the email, firstname, and userrole?
```php
if (isset($_SESSION["loggedin"])) {
    $email = $_SESSION["email"];
    $firstname = $_SESSION["firstname"];
    $userrole = $_SESSION["userrole"];
}
```
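The pattern the replies describe, put together as one runnable page (an added example, not code from the thread): the browser only ever holds the opaque session ID, the user's identity and role are written into the server-side session at login, and the admin page decides from that alone. find_user_by_email() and the sample user row are constructed stand-ins for the real database lookup; the session_regenerate_id() call and the cookie flags are the kind of "measures" against session attacks the thread mentions without spelling out.

```php
<?php
// Added example, not code from the thread: server-side session login plus a
// role gate. find_user_by_email() is a constructed stand-in for a DB query.
session_set_cookie_params([
    'httponly' => true,  // JavaScript cannot read the session cookie
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

function find_user_by_email(string $email): ?array
{
    // Constructed sample row; a real app queries its users table here.
    $users = ['alice@example.com' => [
        'email'         => 'alice@example.com',
        'firstname'     => 'Alice',
        'role'          => 'admin',
        'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]];
    return $users[$email] ?? null;
}

// login.php: verify the password, then record who the user is in the session.
function login(string $email, string $password): bool
{
    $user = find_user_by_email($email);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);  // fresh ID after login: defeats session fixation
    $_SESSION['loggedin']  = true;
    $_SESSION['email']     = $user['email'];
    $_SESSION['firstname'] = $user['firstname'];
    $_SESSION['role']      = $user['role'];
    return true;
}

// admin.php (and any other protected page) calls this first. The decision
// uses only server-side session data, never a value the client sent.
function require_role(string $role): void
{
    if (empty($_SESSION['loggedin'])) {
        header('Location: /login.php');
        exit;
    }
    if (($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);
        exit('Not allowed');
    }
}
```

An admin page calls require_role('admin') at the top; a user who edits their own cookie only changes which (non-existent) session the server looks up, not the role stored in it.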