I have to develop a www application which should not require user login, but still has to have some "per user" features.
I know that using cookies is insecure, but I want to simplify the parsing and validation of the user side data. I wrote a set of functions for manipulating cookie information:
Code:

    $seed = "kjHGjhGjhGChgfKJ5jhg687gFjhg67g";

    /* ----------- SECURE COOKIES ----------------- */
    function getSecCInfo($name)
    {
        global $seed;
        if (!empty($_COOKIE[$name]) && !empty($_COOKIE[$name."_HASH"]))
        {
            $pref = unserialize(base64_decode($_COOKIE[$name]));
            if (base64_decode($_COOKIE[$name."_HASH"]) != md5($_COOKIE[$name].$seed) )
            {
                return null;
            }
            return $pref;
        }
        return null;
    }

    function setSecCInfo($pref, $name, $months = 1)
    {
        global $seed;
        $ser = base64_encode(serialize($pref));
        setcookie($name, $ser, time() + 3600*24*30*$months);
        setcookie($name."_HASH", base64_encode(md5($ser.$seed)), time() + 3600*24*30*$months);
    }

    function delSecCInfo($name)
    {
        setcookie($name, '', time() - 3600);
        setcookie($name."_HASH", '', time() - 3600);
    }

My questions are:
1. Is it secure enough?
2. Do I have to use more powerful algorithms than md5?
3. Any other ideas for this issue?
Regards, Vladimir Mirchev.
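
For comparison with the functions in the post, an added example (not part of the original post) of the same get/set pair built on HMAC-SHA256, with the signature checked before the payload is decoded and JSON used in place of `unserialize()`. It assumes PHP 7.3 or later and an HTTPS site; `COOKIE_KEY`, `packSigned` and `unpackSigned` are hypothetical names, and the key value is a placeholder.

```php
<?php
// Added example. Assumption: the real key is random and loaded from server-side config.
const COOKIE_KEY = 'placeholder-replace-with-output-of-random_bytes-32';

function packSigned(array $pref, string $name, int $expires, string $key = COOKIE_KEY): string
{
    // JSON instead of serialize(): decoding can never instantiate PHP objects.
    $payload = base64_encode(json_encode($pref, JSON_THROW_ON_ERROR));
    // The MAC covers cookie name and expiry, so a value cannot be moved or outlive its date.
    $mac = hash_hmac('sha256', $name . '|' . $expires . '|' . $payload, $key);
    return $expires . '.' . $payload . '.' . $mac;
}

function unpackSigned(string $cookie, string $name, string $key = COOKIE_KEY): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;
    }
    [$expires, $payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $name . '|' . $expires . '|' . $payload, $key);
    // Verify first, with a constant-time compare, before touching the payload.
    if (!hash_equals($expected, $mac) || (int)$expires < time()) {
        return null;
    }
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

function setSecCInfo(array $pref, string $name, int $months = 1): void
{
    $expires = time() + 3600 * 24 * 30 * $months;
    setcookie($name, packSigned($pref, $name, $expires), [
        'expires' => $expires, 'path' => '/', 'secure' => true, // assumes HTTPS
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function getSecCInfo(string $name): ?array
{
    return isset($_COOKIE[$name]) && is_string($_COOKIE[$name])
        ? unpackSigned($_COOKIE[$name], $name) : null;
}

// Constructed sample: round trip, then the same value checked under another cookie name.
$c = packSigned(['theme' => 'dark'], 'prefs', time() + 60);
var_dump(unpackSigned($c, 'prefs'));
var_dump(unpackSigned($c, 'other'));
```

A signed cookie is still readable by the user; the signature only makes changes to it detectable by the server.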