Mohammed Alhanafi

Reputation: 886

How can I secure cookies in PHP?

Today I finished programming my project, and now I'm trying to find some bugs in my code. I realized that when I want to change my info (like users) I can edit my user id with Tamper Data (an add-on to change header data), and I can change my level (from user to admin) via Tamper Data :/ This is the code I use for setting the cookies:

// values copied straight from the login row into client-side cookies;
// expiry is 120*120*48 seconds (8 days) from now
setcookie('level',$login['level'],time()+120*120*48);
setcookie('username',$login['username'],time()+120*120*48);
setcookie('uid',$login['uid'],time()+120*120*48);

I use $_COOKIE['uid'] when users try to add a comment; it goes into the database as just a number (you know that).

And I want to give you this code; I use it to start the session, and it is at the start of every file:

include("cookiesset.php");
ob_start();
session_start();
if($_COOKIE['level'] != 1){
...
}else{
...
}

And this is the cookie I have in the header:

uid=1; level=1; username=asd; PHPSESSID=ldr48bua487pjmtvohp53tr662; LoginForm=r9imqbnj2csfrmsu50i9kn0q54

OK, how can I fix it? I want to secure my website.

If there is no solution, I want to ask.

Upvotes: 1

Views: 9714

Answers (1)

Mohammed Alhanafi

Reputation: 886

Thanks guys for everything you gave me. I tried to create a new column with a user key, but it needs more time to create and to edit all the files in the project. I tried to learn SESSION and how it works; I found this: http://www.w3schools.com/php/php_sessions.asp. It's so easy to learn (earlier, I thought it was not easy).

Now I use

$_SESSION["level"] = $login['level'];
$_SESSION["username"] = $login['username'];
$_SESSION["uid"] = $login['uid'];

after I have checked the username and password against the database,

and this in the files:

ob_start();
session_start();
if($_SESSION['level'] != 1){
...
}else{
...
}

From Tamper Data and other tools,

PHPSESSID=d4i4itbp8p7ri4juvqd690t9a5

I just see PHPSESSID.

Thanks to all of you, everything is great now, and big thanks to @Asfo and @miken32 for giving me good advice.

I hope that if there is anything wrong in my code you will edit it and help me :)

EDIT

Thanks for everything, but I realised that when I delete (d4i4itbp8p7ri4juvqd690t9a5) from PHPSESSID I get a "file path disclosure" bug. I fixed it by putting error_reporting(0); after session_start(); and everything will be alright for whoever wants their script without bugs ;)

error_reporting(0);
ob_start();
session_start();
if($_SESSION['level'] != 1){
...
}else{
...
}

Upvotes: 1
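As an added example (not the asker's code), this is what the session-based approach from the answer looks like with the session cookie itself hardened and the error output handled without error_reporting(0). It assumes PHP 7.3 or later and an HTTPS site; $login is the database row from the question, and the function names are illustrative.

```php
<?php
// Added example, not the asker's code: the question's uid/level/username
// cookies replaced by server-side session state. Function names are assumptions.

// Keep error details out of the response (the "file path disclosure" from the
// EDIT) without silencing them: log them instead of error_reporting(0).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Reject session IDs the server never issued, and keep the session cookie
// unreadable from JavaScript and off plain-HTTP requests.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumption: the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Call once the username/password check against the database has succeeded.
function loginUser(array $login): void
{
    session_regenerate_id(true);   // fresh ID so a pre-login ID is not reused
    $_SESSION['uid']      = (int) $login['uid'];
    $_SESSION['level']    = (int) $login['level'];
    $_SESSION['username'] = (string) $login['username'];
}

// Authorisation data is read from $_SESSION only, never from $_COOKIE or the
// request, so editing headers with Tamper Data cannot change uid or level.
function currentUserId(): ?int
{
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

function hasLevel(int $required): bool
{
    return isset($_SESSION['level']) && (int) $_SESSION['level'] === $required;
}

// Replaces the if($_SESSION['level'] != 1) check at the top of each file.
function requireLevel(int $required): void
{
    if (!hasLevel($required)) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

When a comment is inserted, currentUserId() supplies the uid instead of $_COOKIE['uid'], so the stored author id is whatever the server put in the session at login.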
