Cookie Security: Validating cookies



thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm


Post by thegreatone2176 »

For people that still use cookies on their site, it's vital that they can't be edited in any manner. I used this in the include that was on every page to be extra safe.


<?php
// $HTTP_COOKIE_VARS is the old name for the $_COOKIE superglobal.
// Both cookies present: accept them only if they match a members_table row.
if (isset($HTTP_COOKIE_VARS['Username']) && isset($HTTP_COOKIE_VARS['Password'])){
    $user = $HTTP_COOKIE_VARS['Username'];
    $pass = $HTTP_COOKIE_VARS['Password'];
    // The cookie values are interpolated into the query unescaped, so the
    // check itself can be bypassed with SQL injection (see the replies below).
    $link = "SELECT * FROM members_table WHERE username='$user' AND password='$pass'";
    $res = mysql_query($link);
    $check = mysql_num_rows($res);
    if ($check == 0){
        echo "Dont edit the cookie!";
        echo '<meta http-equiv=refresh content="1; url=logout.php">';
        die;
    }
}
// Only one of the two cookies present: treated as tampering as well.
if (isset($HTTP_COOKIE_VARS['Username']) && (!isset($HTTP_COOKIE_VARS['Password']))){
    echo "Dont edit the cookie!";
    echo '<meta http-equiv=refresh content="1; url=logout.php">';
    die;
}
if (!isset($HTTP_COOKIE_VARS['Username']) && (isset($HTTP_COOKIE_VARS['Password']))){
    echo "Dont edit the cookie!";
    echo '<meta http-equiv=refresh content="1; url=logout.php">';
    die;
}
?>

If both are set, then the first if checks to make sure the username and password match. The next two ifs run if only one is set. If any condition is met, then the user is sent to logout.php, which destroys the cookie.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I thought that by now most of us would know that passing the credentials between server and client in a cookie is just plain evil.

Only send them an id, let's call it session_id, and then store the data on the server-side in a database... and every time the user provides this cookie, check the database if the id is valid, check if the time hasn't expired, check if he's still using the same browser, etc... virtually: re-invent sessions :p
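The server-side session store timvw describes, as an added example that is not part of the original thread: the cookie carries only a random id, and the server checks that the id is known, not expired, and presented by the same browser. It assumes PHP 7.3 or later; the $sessions array stands in for the database table, and a user-agent hash is the "same browser" check.

```php
<?php
// Added example, not code from the thread: an opaque session id stored
// server-side, as timvw suggests. $sessions stands in for the database table.
const SESSION_TTL = 1800;   // seconds of inactivity before a session expires

// Create a session. The cookie sent to the browser carries only $id
// (e.g. setcookie('sid', $id, ['httponly' => true, 'secure' => true])).
function create_session(array &$sessions, int $user_id, string $user_agent, int $now): string
{
    $id = bin2hex(random_bytes(32));                  // 256-bit unguessable id
    $sessions[$id] = [
        'user_id'    => $user_id,
        'ua_hash'    => hash('sha256', $user_agent),  // bind to the browser
        'expires_at' => $now + SESSION_TTL,
    ];
    return $id;
}

// Validate the id the client presented. Returns the user id, or null when the
// id is malformed, unknown, expired, or presented by a different browser.
// Expired or mismatched records are deleted, so an edited cookie is useless.
function validate_session(array &$sessions, string $id, string $user_agent, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $id) || !isset($sessions[$id])) {
        return null;
    }
    $s = $sessions[$id];
    if ($now > $s['expires_at']
        || !hash_equals($s['ua_hash'], hash('sha256', $user_agent))) {
        unset($sessions[$id]);
        return null;
    }
    $sessions[$id]['expires_at'] = $now + SESSION_TTL;  // sliding expiry
    return $s['user_id'];
}

// Constructed walk-through with a fixed clock.
$sessions = [];
$ua = 'Mozilla/5.0 (constructed example)';
$id = create_session($sessions, 42, $ua, 1000);
var_dump(validate_session($sessions, $id, $ua, 1500));                   // int(42)
var_dump(validate_session($sessions, strrev($id), $ua, 1500));           // NULL: edited id
var_dump(validate_session($sessions, $id, 'other browser', 1500));       // NULL: wrong browser
var_dump(validate_session($sessions, $id, $ua, 1500));                   // NULL: record was dropped
$id = create_session($sessions, 42, $ua, 1000);
var_dump(validate_session($sessions, $id, $ua, 1000 + SESSION_TTL + 1)); // NULL: expired
```

In a real deployment the lookup and delete are queries against the session table, and the cookie is issued with the HttpOnly and Secure flags so scripts and plain-HTTP requests never see the id.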
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

I made a few changes out of boredom for you, thegreatone2176.


<?php
/*
 * EDIT BY Joe, devnetwork.net
 * 26th February 2005
 *
*/

function prepare_db_input($element) {
 // Database input preparation to avoid injections and such.
 // str_replace() returns the new string, so the result must be assigned back.
 // Note: stripping characters is a weak substitute for mysql_real_escape_string().
 $element = str_replace(array("<", ">", "*", "'", '"'), "", $element);

 return $element;
}

function check_login_cookie($username, $password) {
  if (isset($username) && isset($password)){

   $user = prepare_db_input($username);  //Prepare database input
   $pass = prepare_db_input($password);   //Prepare database input

   $link = "SELECT * FROM members_table WHERE username='$user' AND password='$pass'";
   $res = mysql_query($link) or die(mysql_error());
   $check = mysql_num_rows($res);

    if (empty($check) || $check <= 0){
     echo "Dont edit the cookie!";
     echo '<meta http-equiv=refresh content="1; url=logout.php">';
     exit;
   }
  }

  // Only one of the two cookies present: also treated as tampering.
  // (These checks belong inside the function, where $username/$password exist.)
  if (isset($username) && (!isset($password))){
    echo "Dont edit the cookie!";
    echo '<meta http-equiv=refresh content="1; url=logout.php">';
    exit;
  }

  if (!isset($username) && (isset($password))){
    echo "Dont edit the cookie!";
    echo '<meta http-equiv=refresh content="1; url=logout.php">';
    exit;
  }
}
?>

<?php
//Call the cookie checking function
check_login_cookie($HTTP_COOKIE_VARS['Username'], $HTTP_COOKIE_VARS['Password']);
?>

Joe 8)
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

Also, I noticed that some browsers have meta refreshes switched off (disabled), so it is wise to create something in there which allows the user to click if they are not redirected within a given amount of time.