How do I stop someone changing their Cookie?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


simonmlewis
DevNet Master
Posts: 4435
Joined: Wed Oct 08, 2008 3:39 pm
Location: United Kingdom

How do I stop someone changing their Cookie?

Post by simonmlewis »

Apart from simply calling an administrator "a_dmin112298" for example for all administrator cookie types, how does one stop a cookie being hijacked?

Is the only way - on every "administrator" page to run a query on the datatable to query the cookie, the cookie names, etc, against the database, and only if found, then let the scripts run?

Or is there a more bulletproof method of doing it?
I suppose one could also run a session id. Store that by their name in the db table. And for each page, query the database against the cookie for the user type, the name, email, and session id??
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: How do I stop someone changing their Cookie?

Post by pickle »

Don't trust cookies. Period. There is no way to prevent the user from modifying their cookie values. Use session variables instead - they stay on the server.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
simonmlewis

Re: How do I stop someone changing their Cookie?

Post by simonmlewis »

Yeah, am working on a combo of the lot at the moment.
So it checks their email, name, type of account AND session ID on the DB.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: How do I stop someone changing their Cookie?

Post by requinix »

Session attacks and "remember me" options aside, all you need is the session cookie. Store all your information in the session and don't use any additional cookies.
simonmlewis

Re: How do I stop someone changing their Cookie?

Post by simonmlewis »

So just register the random session ID in the DB, and query it against the DB or just against a cookie to which it is assigned?
But I need to have levels to the system. Users and Administrators.
requinix

Re: How do I stop someone changing their Cookie?

Post by requinix »

You don't have to do anything with the database.

1. When they log in or whatever, store useful information like user ID, name, email, access level, whatever in the session.
2. When they browse, your code checks the session to see if they're logged in. If so, grab whatever information you want from it.
3. If they're not logged in then the information isn't there and you do whatever, like send them to a login page or give an error message.
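Pickle's point that cookie values cannot be trusted and requinix's three steps above come together in the following added example (it is not code from the thread or from either poster). It puts the cookie-trusting check beside the session-based one: the login function verifies the password against a server-side record and copies the access level into `$_SESSION`, and the admin page asks the session, never the cookie, whether the visitor is an administrator. `ACCESS_USER`, `ACCESS_ADMIN`, `requireAccess()`, `login()` and `$usersTable` are names chosen for this example; `$usersTable` is constructed sample data standing in for the real database query.

```php
<?php
// Added example, not code from the thread: the cookie-trusting check pickle
// warns against, next to the session-based check requinix describes.
// ACCESS_USER/ACCESS_ADMIN, requireAccess(), login() and $usersTable are this
// example's own names; $usersTable is constructed sample data standing in
// for the real database query.
declare(strict_types=1);

const ACCESS_USER  = 1;
const ACCESS_ADMIN = 10;   // e.g. 10 means "administrator"

// VULNERABLE: authorization decided by a value the client sends.
// Anything in $_COOKIE is typed by the browser; a user who edits "level" to
// "administrator" passes this check without ever logging in as one.
function isAdminFromCookie(): bool
{
    return isset($_COOKIE['level']) && $_COOKIE['level'] === 'administrator';
}

// HARDENED: authorization decided by data the server wrote into the session.
// The client only holds the opaque session ID; the access level was stored
// after the password check and cannot be edited from the browser.
function requireAccess(int $minimum): void
{
    if (empty($_SESSION['loggedin'])) {
        header('Location: /login.php');   // not logged in
        exit;
    }
    if (($_SESSION['access'] ?? 0) < $minimum) {
        http_response_code(403);          // logged in, but not at this level
        exit('Not allowed');
    }
}

// Login: check the password against the server-side record, then copy the
// fields the rest of the site needs into the session.
function login(array $usersTable, string $email, string $password): bool
{
    $row = $usersTable[$email] ?? null;
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID once the user is authenticated
    $_SESSION['loggedin'] = true;
    $_SESSION['email']    = $email;
    $_SESSION['access']   = $row['access'];
    return true;
}

session_start();

// Constructed sample data; in the real application this is one SELECT by email.
$usersTable = [
    'alice@example.com' => ['password_hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'access' => ACCESS_ADMIN],
    'bob@example.com'   => ['password_hash' => password_hash('bob-pw',   PASSWORD_DEFAULT), 'access' => ACCESS_USER],
];

if (isset($_POST['email'], $_POST['password'])) {
    if (!login($usersTable, (string) $_POST['email'], (string) $_POST['password'])) {
        http_response_code(401);
        exit('Bad credentials');
    }
}

// Admin-only page body. isAdminFromCookie() is deliberately not called here:
// the decision comes from the session, so editing the cookie changes nothing.
requireAccess(ACCESS_ADMIN);
echo 'Welcome, ', htmlspecialchars($_SESSION['email']);
```

The database is consulted exactly once, at login; every later request reads the level from `$_SESSION`, which is the pattern requinix spends the rest of the thread describing.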
simonmlewis

Re: How do I stop someone changing their Cookie?

Post by simonmlewis »

So what is stopping someone logging in, and changing their cookie to try and gain access as "administrator" for example?
Surely it needs to check their session id is the same session id as that assigned to that person, who is in the db as an administrator?

For example. I login. Let's say my level is "generaluser". And my session id is stored as 1234.
I change my level as "administrator".

What's stopping me from accessing administrator areas? Surely if I login and get session id 7766 stored against my DB row by my name, email and user type, it checks that for each admin page. And if my logged in session ID of 7766, is in the db against my details, I am given access??

Or am I overthinking this??
requinix

Re: How do I stop someone changing their Cookie?

Post by requinix »

simonmlewis wrote: So what is stopping someone logging in, and changing their cookie to try and gain access as "administrator" for example?...
...You know that the session cookie doesn't actually contain the session data, right? It's just an ID that PHP uses to look up the data on the server. Note the "on the server" part of that last sentence.

Yes they can change the cookie all they want, but they'd have to successfully guess the session ID of an administrator user. Like this site seems (it's a bit cryptic) to use a 256-bit session ID - that's approximately

Code:

11580000000000000000000000000000000000000000000000000000000000000000000
different possible session IDs.

Don't get me wrong, there are attacks relating to session IDs (which you can take measures against), but simply editing your session cookie is not one of them.
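The "measures against" session ID attacks that requinix mentions in passing are mostly configuration. The following is an added example, not code from the thread: it sets the standard PHP session options before `session_start()`, so the server only honours IDs it issued itself, the ID is never accepted from a URL, the cookie is restricted to HTTPS and hidden from page scripts, and the ID is replaced on login and retired on logout. `IDLE_LIMIT`, `onLogin()` and `onLogout()` are this example's own names; the array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or newer.

```php
<?php
// Added example, not code from the thread: the "measures against session ID
// attacks" requinix alludes to, configured before session_start(). Every
// setting is a standard PHP ini option or function; IDLE_LIMIT, onLogin()
// and onLogout() are this example's own names. The array forms of
// session_set_cookie_params() and setcookie() need PHP 7.3 or newer.
declare(strict_types=1);

const IDLE_LIMIT = 30 * 60;   // seconds of inactivity before the session is reset

// Refuse IDs the server never issued, so a client cannot plant a chosen ID
// (session fixation) and have PHP create a session under it.
ini_set('session.use_strict_mode', '1');
// Take the ID from the cookie only, never from a URL parameter.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// 64 hex characters = 256 bits of ID, the size requinix estimates above
// (PHP's default is 32 characters = 128 bits).
ini_set('session.sid_length', '64');
ini_set('session.sid_bits_per_character', '4');

session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable by page scripts
    'samesite' => 'Lax',    // not attached to cross-site POSTs
]);

session_start();

// Idle timeout: a leaked ID is only useful while its session is still alive.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_unset();                  // drop the data
    session_regenerate_id(true);      // and retire the old ID
}
$_SESSION['last_seen'] = time();

// Call after a successful password check: swap the pre-login ID for a new
// one so an ID the visitor had before authenticating is worthless afterwards.
function onLogin(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['userrole'] = $user['userrole'];
}

// Logout: clear the data, expire the cookie with the same attributes it was
// set with, and destroy the server-side session.
function onLogout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

None of this involves storing the session ID in your own database table: the ID stays an opaque lookup key that PHP manages, and the hardening is about who can obtain or plant one, not about what it contains.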
simonmlewis

Re: How do I stop someone changing their Cookie?

Post by simonmlewis »

But how do you differentiate between a user and an administrator.
How do you query on the administrator pages, if they are allowed it? Surely you have to put the session id into the DB, and then query both the session and cookie against the db?

I must really be missing something here.
requinix

Re: How do I stop someone changing their Cookie?

Post by requinix »

You are.

Forget the session ID. It's irrelevant to this discussion.

Pretend the session is a "database" that you can put information into, with the advantage that it loads and saves for just the current user. When someone logs in you now know who they really are (besides just some anonymous visitor) and can use your real database to get information about them. Then you put that information into the session "database", and whenever you want to know information about the current user you look to the session.

Access level you say? When the user logs in you grab, among other things that could be useful, their access level, and you store that somewhere in the session. Want to know if they can visit an admin page? Use the access level you stored in the session to decide if they should be allowed.
simonmlewis

Re: How do I stop someone changing their Cookie?

Post by simonmlewis »

So I don't use Cookies at all?
I've never used a session like a database. I've only done it as lots of individual sessions:
sessionid
orderby
catid
And so on. Are you suggesting it all goes into ONE session???
simonmlewis

Re: How do I stop someone changing their Cookie?

Post by simonmlewis »

When they login, do I store each separate entity in a separate session?
Then query each session (id, email, userrole) per page?
requinix

Re: How do I stop someone changing their Cookie?

Post by requinix »

I don't even know what you're saying anymore. Would be really nice if you could learn the terminology.

Your admin page.

Code:

<?php

session_start();

if (!isset($_SESSION["loggedin"])) {
	// not logged in
	header("Location: /login.php");
	exit;
} else if (!$_SESSION["admin"]) {
	// not an admin
	header("Location: /notallowed.php");
	exit;
}

// otherwise the user is logged in and an admin

?>
Login page.

Code:

<?php

session_start();

if (isset($_SESSION["loggedin"])) {
	// already logged in
	header("Location: /");
	exit;
}

// otherwise the user is not logged in yet

if (isset($_POST["submit"])) {
	// look up the user record for the submitted credentials;
	// lookup_user() is a placeholder for your own database query
	// and password check, returning the user's row or null
	$user = lookup_user($_POST["username"] ?? "", $_POST["password"] ?? "");
	if ($user) {
		// user exists
		$_SESSION["loggedin"] = true;
		$_SESSION["username"] = $user["username"];
		$_SESSION["admin"] = ($user["access"] >= 10); // eg, if 10 meant "admin"
		header("Location: /");
		exit;
	} else {
		// no such user. redisplay form
	}
}

?>
login form here
simonmlewis

Re: How do I stop someone changing their Cookie?

Post by simonmlewis »

Code:

if (isset($_SESSION['sessionid']))
{
    // read the value from the session itself, not from $_REQUEST,
    // which holds whatever the client sent
    $sessionid = $_SESSION['sessionid'];
}
I'm simply saying, after all sessions have been stored/set, one of these per session?
so session id, email, firstname (if I want to use their name on screen), userrole etc.

Then query $userrole from the session, to see if they are allowed to access a page.
requinix

Re: How do I stop someone changing their Cookie?

Post by requinix »

FORGET THE SESSION ID

You want the email, firstname, and userrole?

Code:

if (isset($_SESSION["loggedin"])) {
	$email = $_SESSION["email"];
	$firstname = $_SESSION["firstname"];
	$userrole = $_SESSION["userrole"];
}
You put those in the session when the user logs in.

Code:

// if the user has logged in successfully and you've grabbed all the data
// into $user (e.g. the row returned by your database query) {
	$_SESSION["email"] = $user["email"];
	$_SESSION["firstname"] = $user["firstname"];
	$_SESSION["userrole"] = $user["userrole"];
// }