Trouble with $_COOKIE

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Chrisaster
Forum Newbie
Posts: 8
Joined: Fri May 15, 2009 2:13 pm
Location: England

Trouble with $_COOKIE

Post by Chrisaster »

I've just been told that I have a security issue in the way I authorise users on my site, but I have no idea what the problem is or how I can fix it. Here is the code I am using for pages that require the user to be logged in:

<?php
    // Guard for pages that require a logged-in user.
    function AuthUser()
    {
        if (isset($_COOKIE["user"]))
        {
            // The username is read straight from the cookie the browser sent
            $loggedin = $_COOKIE["user"];
        }
        else
        {
            header("Location: /login.php");
            exit; // stop here, or the rest of the protected page is still sent
        }
        return $loggedin;
    }
?>
I did a quick search for 'PHP cookie exploits' but I couldn't find anything that would help me solve the problem.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Trouble with $_COOKIE

Post by Darhazer »

I can set this cookie myself...
You are not validating the cookie data in any way, and if the data in the cookie is used for authentication, it should contain a temporary key and not the exact username or password, as a cookie is easy to steal. Better use sessions (in that case the cookie will hold only the session id, which is valid only while the session is valid... use the session_regenerate_id function to prevent the session fixation attack).
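The two approaches side by side, as an added example that is not the original poster's code or the reply author's: the trust-the-cookie check from the first post next to a session-based replacement of the kind the reply recommends, with session_regenerate_id() called at login. It assumes PHP 7.3 or later (array form of session_set_cookie_params(), password_verify()); the $users array is a constructed stand-in for a real user store.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+.

// --- Before: whatever the browser sends in the "user" cookie is believed. ---
function AuthUserInsecure(): ?string
{
    // The client chooses this value, so it proves nothing about who is logged in.
    return $_COOKIE['user'] ?? null;
}

// --- After: the cookie carries only an opaque session id; identity lives server-side. ---
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
    session_start();
}

// Constructed user store: bcrypt hashes produced by password_hash().
// Real code would read these from a database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password): bool
{
    startSecureSession();
    $hash = $users[$username] ?? null;
    // Unknown user and wrong password share one generic failure result.
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh id on privilege change: an id planted before login is now worthless
    // (this is the session fixation defence the reply mentions).
    session_regenerate_id(true);
    $_SESSION['user']  = $username;
    $_SESSION['login'] = time();
    return true;
}

// Guard for protected pages: only the server-side session decides.
function AuthUser(): string
{
    startSecureSession();
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit; // without this the protected page body would still be sent
    }
    return $_SESSION['user'];
}

function logout(): void
{
    startSecureSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the session cookie in the browser as well as destroying the server side.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: login.php calls login($users, $_POST['username'] ?? '', $_POST['password'] ?? '')
// and redirects on success; every protected page calls $who = AuthUser(); at the top.
```

The cookie now holds nothing but a random session id, so a stolen or forged "user" value gains nothing; session.use_strict_mode makes PHP discard ids it did not generate, and regenerating the id after a successful login means an id an attacker fixed beforehand never becomes an authenticated one.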
Chrisaster
Forum Newbie
Posts: 8
Joined: Fri May 15, 2009 2:13 pm
Location: England

Re: Trouble with $_COOKIE

Post by Chrisaster »

Darhazer wrote: I can set this cookie myself...
You are not validating the cookie data in any way, and if the data in the cookie is used for authentication, it should contain a temporary key and not the exact username or password, as a cookie is easy to steal. Better use sessions (in that case the cookie will hold only the session id, which is valid only while the session is valid... use the session_regenerate_id function to prevent the session fixation attack).

Thanks, I'll take a look at the session functions now.