Page 1 of 1

Cookies Security

Posted: Wed Mar 12, 2003 9:02 pm
by net7
Ok, for my new site security I am using SSL and cookies with the "Basic Authentication" ($PHP_AUTH_USER etc..).

I have made it so the pages must be under a secure connection, and the cookies (user, and pass) are sent over only a secure connection ("security:1") encrypted in md5.

Then on the load of each page the user and password (encrypted) is checked against the one in the database.

I think this is about as secure as it gets... (over the internet with PHP) but I am not positive as the reason of typing this out.

Please give you input.. thx.

Posted: Wed Mar 12, 2003 11:40 pm
by McGruff
Cookies can be obtained with cross-site scripting tricks - not necessarily from your site but from another one.

Also, users on office networks are often vulenerable to various viruses which will sniff around on machines on the network, helping themselves to whatever they can find. How many networks are set up securely?

I use a system of temporary cookies with random names: each time a user logs in, they get a two-hour (or whatever you need) time limited cookie with a randomly generated name. This is stored in the user table and checked as necessary with each page load. Since it's not a permanent cookie, there isn't the same risk of cookie theft.

I don't think there is any system that can be made 100% secure, but avoiding the use of permanent cookies might be worth looking at.

I've a funny feeling that's just re-inventing the sessions wheel but I haven't got round to looking at sessions yet.

Posted: Thu Mar 13, 2003 12:21 am
by net7
Yeah I see what you get at... but what I want to know is how you can check a cookie without knowing its name? I don't quite understand.

Also, I have browsed over sessions but the first things I have read are that they are not totally secure. Maybe its just how you use them.

I am just deciding weather sessions, or possible your way would work better. By the way, I am using this security for an admin page to update news on a website.

Also, playing around with it is just kinda fun too.. anyway, if I do start some small webdesign buisiness I will want to know what I am doing :)

Posted: Thu Mar 13, 2003 1:09 pm
by McGruff
The cookie name is stored in the database - make a new column in your users table. The user must submit a valid name & pass to get a new cookie, and the new randomly generated cookie name overwrites the old name stored in the database.

This method has the overhead of a SELECT query to get the cookie name whenever you need to check the values stored in it.

The shorter the cookie time the more secure it is, but you don't want it to time out during a "session". Two hours? Something like that.

For an admin area for a news site, I guess medium level security is adequate. Permanent cookies could automatically log you in and so would be more convenient. For higher security needs, like an online shop, I'd be pulling out all the stops though.

Sorry I can't give you any advice on using sessions.

Posted: Fri Mar 21, 2003 1:48 pm
by net7
Oh ok, I misread your first message. This sounds pretty secure.. do you think it is the kind of security used on like large scale sites?