I'm coding a blog for my site that will be multi-user. And as I was pondering using cookies to save the login information, I realized someone can falsify the HTTP headers. So that leads me to the question...
Is there a secure method of using cookies to maintain login? Any help would be great. :D
In short, the answer is an astounding no.... well, maybe it is not astounding, but you get the point.
The problem here is that cookie data is VERY easily intercepted, and since it is stored on the client end, it is easy to modify, falsify, and so forth. Of course there are a few things you could use to get around this. First thing you should consider is storing the data in the user's session. Of course you will need to take measures to prevent session fixation if you want to get really secure, but this is relatively easy, well, easier to do... just watch the user's IP address. If you insist on using cookies there are a few ways you can maintain data integrity. One commonly used method is to calculate a hash of the data in the cookie and store that hash in the cookie as well (which can be modified by someone who knows what they are doing and figures out how to compute the hash). Additionally you can store the hash in the session data; this is much more difficult for the user to modify. They would only be able to falsify information if they did a session fixation attack. If you wanted to get really secure and still use cookies (ironic, eh?) you could generate a PGP or similar keypair and encrypt and sign the data going into the cookie to yourself. When receiving the data back you decrypt and verify the data. If you only sign the data you can even throw away the private key (which is likely more secure, so long as you do not mind the client being able to see what data was signed). This also bypasses your worries on session fixation; it simply will not happen. Just append the user's IP into the data you sign and place in the cookie; this will further prevent falsification.
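A worked version of the sign-and-verify cookie scheme from the post above, added here as an example and not code from the thread. It uses an HMAC with a server-side secret in place of the PGP keypair the post mentions (the server both issues and checks the cookie, so a shared secret suffices), binds the cookie to the client IP as the post suggests, and adds an expiry. The secret, function names and sample values are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; in practice load it from server-side config,
# never send it to the client.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the exact bytes that go into the cookie."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def make_login_cookie(user_id, client_ip, ttl_seconds=3600, now=None):
    """Cookie value = base64(payload) '.' base64(HMAC(payload))."""
    now = int(time.time()) if now is None else now
    data = {"uid": user_id, "ip": client_ip, "exp": now + ttl_seconds}
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return "%s.%s" % (
        base64.urlsafe_b64encode(payload).decode(),
        base64.urlsafe_b64encode(_sign(payload)).decode(),
    )


def verify_login_cookie(cookie, client_ip, now=None):
    """Return the user id if the cookie is authentic, unexpired and bound
    to this client IP; otherwise None (treat as not logged in)."""
    now = int(time.time()) if now is None else now
    try:
        b64_payload, b64_sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)
    if data["exp"] < now or data["ip"] != client_ip:
        return None
    return data["uid"]
```

Because the MAC covers the whole payload, changing the user id, the IP or the expiry in the cookie invalidates it; the IP field can be dropped if users behind changing addresses are a concern.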
You are a god.
To keep my sites secure I use a sesid which I store both in a session variable and in the database and compare those values each time a user goes to a page. I md5 the password, so inherently it's hard to hack the password (can be database intensive). Never thought about using IP address, as lots of people could be on the same address :/ hmm, but you could do it in the same way as the sesid. Oh, and also pass sesid variables around within the links.
Well, I was considering using either md5()'ed password cookies or sessions. Too bad my web host is having problems and is now out of service--my site AND email server are down. I've resorted to using Gmail now. :/ I guess coding my blog is out of the question.
Thanks for your help anyway. I'll keep that in mind and Google for some more details about sessions. /me returns to sulking over his lost server...
Well if you are looking for a replacement hosting service, here is a good start:
http://www.crd-hosting.com
http://www.icdsoft.com
Never had a problem, and they have 1-hour customer support which actually works even when you are not a customer :)
Well, see... I had proper hosting. And it was within my price range: FREE. Since I knew the admin personally for the past 7 years, he offered me free hosting.
About 10GB space, unlimited SQL, 2TB bandwidth (good enough for my site)... for free. That's why I chose to use his hosting. But now that's GONE, and a poor college student like me cannot afford any real hosting. And I know that was a shameless plug for CRD since I see it in your signature... I assume you're the owner or an employee. :P But yea, hosting doesn't come cheap, and I cannot afford any hosting. Hell, I can't even afford broadband! But thanks for your help. I'm probably just going to do a small hosting job from my own server at home once I get a nice dedicated line. It'll be slow, cheap, and limited by my own bandwidth usage... but hey! I'll have full control and won't pay a dime!
If you can get the mcrypt library installed on your host you can just encrypt the data you store in the cookie, and only someone with a heck of a lot of time on their hands will try to break 64-bit or 128-bit encryption.
If you decide to do it that way I'll post up an example of how to use it. I would do it now but I don't know where the file is and don't want to waste my time. :P
If you want absolute security, MySQL logins.
Copyright ©2007 DaniWeb® LLC