
Cookie Security

Posted: Wed Apr 26, 2006 5:54 pm
by s.dot
Cookie names can be set as array names and will be available to your PHP scripts as arrays, but separate cookies are stored on the user's system. Consider explode() to set one cookie with multiple names and values. It is not recommended to use serialize() for this purpose, because it can result in security holes.
I have been using serialize() for a while. How can this result in security holes if values are verified before being used in scripts?

Posted: Fri Apr 28, 2006 1:53 am
by s.dot
Hmm, I'll guess by the amount of views this topic has, and no replies, that it must not be a very big security issue? :P

Posted: Fri Apr 28, 2006 5:20 am
by dbevfat
Yes, it would appear so. :D

I can't think of any situation where using serialize would be more harmful than not. I mean, a cookie is on the client side and the user can always change its contents, be it serialized or not. No matter in what format the content is stored, the user can change the actual content to whatever he/she wants (except if it's encrypted).

But, just because I don't know any security issues, that doesn't mean there is none. Claiming that may be ignorant and arrogant. :)

Posted: Fri Apr 28, 2006 5:35 am
by Weirdan
1. there were bugs in unserialize which could lead to arbitrary code execution
2. consider PHP5 with __autoload function defined. If an object happens to be in the serialized string, the server would first use __autoload to include a class definition (where className is controlled by the user) and then invoke the __wakeup method on the restored object. While it's not arbitrary code execution on its own, isn't it too much control granted to an untrusted party?
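As an added example (not code from anyone in this thread), here is the pattern the first post's manual quote and Weirdan's reply are pointing at: the risky unserialize()-the-cookie handler beside a replacement that stores the same preferences in a format that cannot instantiate objects (JSON; a delimiter-joined string with explode() works the same way), attaches an HMAC so edits on the client side are detected, and whitelists every field before use. It assumes PHP 7.1 or newer and a server-side secret, here the placeholder constant PREF_SECRET; the field names and allowed values are made up for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 (hash_equals, nullable
// types, list()) and that PREF_SECRET is replaced by a real server-side secret.

// Risky pattern the thread warns about: the client-supplied string goes straight
// into unserialize(), so the client chooses which class is restored and whether
// __autoload()/__wakeup() run. Shown only for contrast with load_prefs() below.
function load_prefs_unsafe(string $cookie)
{
    return unserialize($cookie); // never do this with cookie data
}

const PREF_SECRET  = 'replace-with-a-random-server-side-secret'; // placeholder
const ALLOWED_SORT = ['date', 'relevance', 'title'];             // example whitelist

// Build the cookie value: "<hmac>.<base64(json)>". JSON cannot carry objects the
// way a serialize() string can, and the HMAC lets the server reject tampering.
function build_prefs_cookie(array $prefs): string
{
    $payload = json_encode($prefs);
    $mac     = hash_hmac('sha256', $payload, PREF_SECRET);
    return $mac . '.' . base64_encode($payload);
}

// Parse the cookie back into a validated array. Anything malformed, tampered
// with, or outside the whitelist falls back to defaults instead of being used.
function load_prefs(?string $cookie): array
{
    $defaults = ['sort' => 'date', 'per_page' => 20, 'username' => ''];
    if ($cookie === null || strpos($cookie, '.') === false) {
        return $defaults;
    }
    list($mac, $b64) = explode('.', $cookie, 2);
    $payload = base64_decode($b64, true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, PREF_SECRET), $mac)) {
        return $defaults; // signature mismatch: the client edited the cookie
    }
    $data = json_decode($payload, true); // true => associative arrays, never objects
    if (!is_array($data)) {
        return $defaults;
    }

    // Validate each field explicitly rather than trusting the decoded shape.
    $out = $defaults;
    if (isset($data['sort']) && in_array($data['sort'], ALLOWED_SORT, true)) {
        $out['sort'] = $data['sort'];
    }
    if (isset($data['per_page']) && is_int($data['per_page'])
        && $data['per_page'] >= 5 && $data['per_page'] <= 100) {
        $out['per_page'] = $data['per_page'];
    }
    if (isset($data['username']) && is_string($data['username'])
        && preg_match('/^[A-Za-z0-9_]{1,32}$/', $data['username'])) {
        $out['username'] = $data['username'];
    }
    return $out;
}

// Usage:
//   setcookie('prefs', build_prefs_cookie(['sort' => 'title', 'per_page' => 50]));
//   $prefs = load_prefs($_COOKIE['prefs'] ?? null);
```

The HMAC only proves the cookie was issued by this server; it does not hide the contents, so anything the user should not be able to read still belongs in the session, as Maugrim_The_Reaper's reply below suggests. Validation stays necessary even with the signature, because a signed value from an older version of the site can still carry a field the current code no longer expects.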

Posted: Fri Apr 28, 2006 5:39 am
by Maugrim_The_Reaper
Moral of the topic - Cookie data is user data; don't trust it. If possible shift as much of the data to the session array as is reasonable.

Posted: Fri Apr 28, 2006 11:07 pm
by s.dot
Currently I am only using cookies for convenience.

Remembering a username (for easy login)
And search form preferences