Cookie Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Cookie Security

Post by s.dot »

Cookies names can be set as array names and will be available to your PHP scripts as arrays but separate cookies are stored on the users system. Consider explode() to set one cookie with multiple names and values. It is not recommended to use serialize() for this purpose, because it can result in security holes.
I have been using serialize() for a while. How can this result in security holes if values are verified before being used in scripts?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Hmm, I'll guess by the amount of views this topic has, and no replies, that it must not be a very big security issue? :P
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
User avatar
dbevfat
Forum Contributor
Posts: 126
Joined: Tue Jun 28, 2005 2:47 pm
Location: Ljubljana, Slovenia

Post by dbevfat »

Yes, it would appear so. :D

I can't think of any situation where using serialize would be more harmul than not. I mean, a cookie is on the client side and the user can always change it's contents, be it serialized or not. No matter in what format the content is stored, the user can change the actual content to whatever he-she wants (except if it's encrypted).

But, just because I don't know any security issues, that doesn't mean there is none. Claiming that may be ignorant and arrogant. :)
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

1. there were bugs in unserialize which could lead to arbitrary code execution
2. consider PHP5 with __autoload function defined. If an object happens to be in serialized string, server would first use __autoload to include a class definition (where className is controlled by the user) and then invoke __wakeup method on the restored object. While it's not arbitrary code execution on it's own, isn't it too much control granted to untrusted party?
User avatar
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Moral of the topic - Cookie data is user data; don't trust it. If possible shift as much of the data to the session array as is reasonable.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Currently I am only using cookies for convenience.

Remembering a username (for easy login)
And search form preferences
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Post Reply