How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 10:08 am
by simonmlewis
Apart from simply calling an administrator "a_dmin112298" for example for all administrator cookie types, how does one stop a cookie being hijacked?
Is the only way - on every "administrator" page to run a query on the datatable to query the cookie, the cookie names, etc, against the database, and only if found, then let the scripts run?
Or is there a more bulletproof method of doing it?
I suppose one could also run a session id. Store that by their name in the db table. And for each page, query the database against the cookie for the user type, the name, email, and session id??
Re: How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 10:14 am
by pickle
Don't trust cookies. Period. There is no way to prevent the user from modifying their cookie values. Use session variables instead - they stay on the server.
Re: How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 10:17 am
by simonmlewis
Yeah, am working on a combo of the lot at the moment.
So it checks their email, name, type of account AND session ID on the DB.
Re: How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 4:28 pm
by requinix
Session attacks and "remember me" options aside, all you need is the session cookie. Store all your information in the session and don't use any additional cookies.
Re: How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 4:32 pm
by simonmlewis
So just register the random session ID in the DB, and query it against the DB or just against a cookie to which it is assigned?
But I need to have levels to the system. Users and Administrators.
Re: How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 5:14 pm
by requinix
You don't have to do anything with the database.
1. When they log in or whatever, store useful information like user ID, name, email, access level, whatever in the session.
2. When they browse, your code checks the session to see if they're logged in. If so, grab whatever information you want from it.
3. If they're not logged in then the information isn't there and you do whatever, like send them to a login page or give an error message.
Re: How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 5:22 pm
by simonmlewis
So what is stopping someone logging in, and changing their cookie to try and gain access as "administrator" for example?
Surely it needs to check their session id is the same session id as that assigned to that person, who is in the db as an administrator?
For example. I login. Let's say my level is "generaluser". And my session id is stored as 1234.
I change my level as "administrator".
What's stopping me from accessing administrator areas? Surely if I login and get session id 7766 stored against my DB row by my name, email and user type, it checks that for each admin page. And if my logged in session ID of 7766, is in the db against my details, I am given access??
Or am I overthinking this??
Re: How do I stop someone changing their Cookie?
Posted: Mon Dec 02, 2013 7:41 pm
by requinix
simonmlewis wrote: So what is stopping someone logging in, and changing their cookie to try and gain access as "administrator" for example?...
...You know that the session cookie doesn't actually contain the session data, right? It's just an ID that PHP uses to look up the data on the server. Note the "on the server" part of that last sentence.
Yes they can change the cookie all they want, but they'd have to successfully guess the session ID of an administrator user. Like this site seems (it's a bit cryptic) to use a 256-bit session ID - that's approximately
Code:
11580000000000000000000000000000000000000000000000000000000000000000000
different possible session IDs.
Don't get me wrong, there are attacks relating to session IDs (which you can take measures against), but simply editing your session cookie is not one of them.
Re: How do I stop someone changing their Cookie?
Posted: Tue Dec 03, 2013 2:47 am
by simonmlewis
But how do you differentiate between a user and an administrator.
How do you query on the administrator pages, if they are allowed it? Surely you have to put the session id into the DB, and then query both the session and cookie against the db?
I must really be missing something here.
Re: How do I stop someone changing their Cookie?
Posted: Tue Dec 03, 2013 3:56 am
by requinix
You are.
Forget the session ID. It's irrelevant to this discussion.
Pretend the session is a "database" that you can put information into, with the advantage that it loads and saves for just the current user. When someone logs in you now know who they really are (besides just some anonymous visitor) and can use your real database to get information about them. Then you put that information into the session "database", and whenever you want to know information about the current user you look to the session.
Access level you say? When the user logs in you grab, among other things that could be useful, their access level, and you store that somewhere in the session. Want to know if they can visit an admin page? Use the access level you stored in the session to decide if they should be allowed.
Re: How do I stop someone changing their Cookie?
Posted: Tue Dec 03, 2013 4:02 am
by simonmlewis
So I don't use Cookies at all?
I've never used a session like a database. I've only done it as lots of individual sessions:
sessionid
orderby
catid
And so on. Are you suggesting it all goes into ONE session???
Re: How do I stop someone changing their Cookie?
Posted: Tue Dec 03, 2013 12:46 pm
by simonmlewis
When they login, do I store each separate entity in a separate session?
Then query each session (id, email, userrole) per page?
Re: How do I stop someone changing their Cookie?
Posted: Tue Dec 03, 2013 12:52 pm
by requinix
I don't even know what you're saying anymore. Would be really nice if you could learn the terminology.
Your admin page.
Code:
<?php
session_start();
if (!isset($_SESSION["loggedin"])) {
// not logged in
header("Location: /login.php");
exit;
} else if (!$_SESSION["admin"]) {
// not an admin
header("Location: /notallowed.php");
exit;
}
// otherwise the user is logged in and an admin
?>
Login page.
Code:
<?php
session_start();
if (isset($_SESSION["loggedin"])) {
// already logged in
header("Location: /");
exit;
}
// otherwise the user is not logged in yet
if (isset($_POST["submit"])) {
$user = find_user($_POST); // get user information: find_user() is a placeholder for your own credential lookup, returning the user's row or false
if ($user) {
// user exists
$_SESSION["loggedin"] = true;
$_SESSION["username"] = $user["username"];
$_SESSION["admin"] = ($user["access"] >= 10); // eg, if 10 meant "admin"
header("Location: /");
exit;
} else {
// no such user. redisplay form
}
}
?>
login form here
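An added example (not code from the thread, and not requinix's or PHP's own code) that models in Python what PHP's session_start() and $_SESSION do behind the scenes, so that the two points made above can be watched working: the cookie carries only an opaque random ID that the server uses to look up per-user data (requinix's "session as a per-user database"), and the admin gate decides from the access level stored there exactly as the PHP admin page above does. The user table, the names session_start, login and admin_page, and the accounts alice and bob with their passwords are all constructed for this example; the login also rotates the session ID and stores only a password hash, two details the thread does not go into.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ADMIN_LEVEL = 10  # thread's convention: access >= 10 means "admin"


def make_user(email: str, firstname: str, access: int, password: str) -> dict:
    """Build a constructed user row with a per-user salt and a PBKDF2 password hash."""
    salt = os.urandom(16)
    return {
        "email": email,
        "firstname": firstname,
        "access": access,
        "salt": salt,
        "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
    }


# Constructed stand-in for the real user database (hypothetical accounts).
USERS: Dict[str, dict] = {
    "alice": make_user("alice@example.test", "Alice", 10, "correct horse"),
    "bob": make_user("bob@example.test", "Bob", 1, "battery staple"),
}

# Server-side session storage: session ID -> the per-user "database" requinix describes.
# Only the key (the ID) ever travels to the browser, inside the session cookie.
SESSIONS: Dict[str, dict] = {}


def session_start(cookie_value: Optional[str]) -> Tuple[str, dict]:
    """Model of PHP's session_start(): resolve the cookie's ID to its server-side data.

    An unknown or edited ID is never adopted as a session name; the visitor just
    gets a fresh, empty session under a new random ID (what PHP does with
    session.use_strict_mode=1).
    """
    if cookie_value is not None and cookie_value in SESSIONS:
        return cookie_value, SESSIONS[cookie_value]
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    SESSIONS[sid] = {}
    return sid, SESSIONS[sid]


def login(cookie_value: Optional[str], username: str, password: str) -> Optional[str]:
    """Verify credentials; on success fill the session like the thread's login page.

    Returns the new cookie value to send back, or None if the credentials are wrong.
    """
    old_sid, _ = session_start(cookie_value)
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw"]):
        return None
    # Rotate the ID on login (session_regenerate_id() in PHP) so an ID handed to the
    # browser before authentication never becomes an authenticated one.
    SESSIONS.pop(old_sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {
        "loggedin": True,
        "username": username,
        "email": user["email"],
        "firstname": user["firstname"],
        "admin": user["access"] >= ADMIN_LEVEL,
    }
    return new_sid


def admin_page(cookie_value: Optional[str]) -> str:
    """The admin gate from the thread's PHP snippet: decide from the session alone."""
    _, sess = session_start(cookie_value)
    if not sess.get("loggedin"):
        return "redirect:/login.php"  # not logged in
    if not sess.get("admin"):
        return "redirect:/notallowed.php"  # logged in, but not an admin
    return "admin page for " + sess["firstname"]


if __name__ == "__main__":
    bob_cookie = login(None, "bob", "battery staple")
    print(admin_page(bob_cookie))          # bob is a general user -> notallowed
    print(admin_page("administrator"))     # edited cookie names no session -> login
    print(admin_page(bob_cookie + "1"))    # one changed character -> login
    print(admin_page(login(None, "alice", "correct horse")))  # the real admin
```

Nothing in the page-level code ever compares session IDs, which is the point behind "forget the session ID": the ID is an opaque lookup key, and rewriting the cookie to "administrator" or to a nearly right value resolves to no session at all. The "session attacks" requinix set aside are the remaining risk, and they are handled outside the application logic: in PHP, session.use_strict_mode=1 refuses IDs the server did not issue, session_regenerate_id() at login defeats fixation, and session.cookie_httponly plus session.cookie_secure over HTTPS keep the real ID from being read by scripts or sent in the clear.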
Re: How do I stop someone changing their Cookie?
Posted: Tue Dec 03, 2013 1:34 pm
by simonmlewis
Code:
if (isset($_SESSION['sessionid'])) {
$sessionid = $_SESSION['sessionid']; // read the value from the session itself, not from the client-supplied $_REQUEST
}
I'm simply saying, after all sessions have been stored/set, one of these per session?
so session id, email, firstname (if I want to use their name on screen), userrole etc.
Then query $userrole from the session, to see if they are allowed to access a page.
Re: How do I stop someone changing their Cookie?
Posted: Tue Dec 03, 2013 1:38 pm
by requinix
FORGET THE SESSION ID
You want the email, firstname, and userrole?
Code:
if (isset($_SESSION["loggedin"])) {
$email = $_SESSION["email"];
$firstname = $_SESSION["firstname"];
$userrole = $_SESSION["userrole"];
}
You put those in the session when the user logs in.
Code:
// if the user has logged in successfully and you've grabbed all the data into $user {
$_SESSION["email"] = $user["email"]; // email
$_SESSION["firstname"] = $user["firstname"]; // firstname
$_SESSION["userrole"] = $user["userrole"]; // userrole
// }