Reputation: 1272
I am building a forum and I am not sure about the best practices of setting up a cookie.
Here is the cookie that I set as a user registers on the site:
setCookie($name,$ip,time()+300000,"/");
Instead of time()+300000, I want the cookie to last forever, but I am not sure how to do it.
Also, I have a question regarding security: how do I check that the cookie wasn't tampered with or set by a hacker?
Another question: how do I check if the user allows cookies in his browser?
UPDATE:
I put this as soon as the login validation succeeds: setCookie($name,$ip,time()+60*60*24*365,"/");
UPDATE:
if(!isset($_COOKIE[$name]))
{
    $salt = "[email protected]";
    // SHA-2 hash of salt + password; PHP concatenates with "." and exposes SHA-256 via hash()
    $hash = hash('sha256', $salt . $_POST['pass']);
    setCookie($name, $hash, time()+60*60*24*365*50, "/");
}
Upvotes: 2
Views: 1478
Reputation: 4502
You cannot set a cookie forever, but you can set it for a very long time and refresh it any time a user visits your site.
To the second part: save the cookie values additionally in your database, and if they match you accept it; if not, someone tried to manipulate something.
Another option would be to only store an identifier in the cookie and the values in your database. But be careful and make sure no one can guess those identifiers.
Btw: I don't think the user's IP has to be stored in his cookie forever, because most people would need a new everlasting cookie every day :-D
UPDATE:
It is not good to use the user's IP for identification; it changes every day.
Do it like this:
Save a salt for every user in the database. Generate it randomly, like "jfdklsjfdsohfdsughfdjkhg". If the user logs in, save a cookie "LoggedIn" with the value md5($username.$salt), in addition to a cookie saving the user's id. When you read the cookie you only have to compare the hash with md5(databaseName.databaseHash).
If it is equal, the cookie is good. You have to be sure the salt is well protected in this system (only your system should know it).
if(isset($_COOKIE["LoggedIn"]))
{
    $userid = $_COOKIE["UserId"]; // Second cookie, not hashed, to know the user's id
    // get values from the database for $userid here => $database_name, $database_salt
    // hash_equals() compares in constant time and avoids PHP's loose == on hash strings
    if(hash_equals(md5($database_name.$database_salt), (string)$_COOKIE["LoggedIn"]))
    {
        //OK
    }
}
Upvotes: 1
Reputation: 14477
For duration, just use a big enough number instead of 300000. time() + 60 * 60 * 24 * 366 * 15 gives you 15 years.
To prevent tampering, use a secure hash function (like SHA-2), store a secret salt (a 256-bit random string, for example) on your server, compute hash = SHA2(salt + data) and set a cookie that holds hash. Now, when you read the cookies, all you have to do is verify that hash has the correct value.
Upvotes: 2
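An added example, not code from the question or from any of the answers above, showing the approach of the last two answers (only an identifier in the cookie, checked against a server-side secret) as working PHP. It uses hash_hmac() with a server key in place of the plain SHA2(salt + data) construction, hash_equals() for the comparison, and assumes PHP 7.3+ for the setcookie() options array; the cookie name, the placeholder key and user id 42 are assumptions.

```php
<?php
// Added example: a "remember me" cookie carrying the user id plus a keyed hash, so an
// edited id or expiry is rejected. $serverKey is assumed to be known only to the
// server (e.g. read from a config file) and is never stored in the cookie.

const COOKIE_NAME = 'LoggedIn';          // assumed cookie name
const MAX_AGE     = 60 * 60 * 24 * 365;  // one year; refresh it on every visit

// Build "<user id>.<expiry>.<hmac over id and expiry>".
function buildLoginCookie(string $userId, int $expires, string $serverKey): string
{
    $payload = $userId . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, $serverKey);
}

// Return the user id if the value is intact and unexpired, otherwise null.
function verifyLoginCookie(string $value, string $serverKey, int $now): ?string
{
    $parts = explode('.', $value);
    if (count($parts) !== 3) {
        return null;                     // malformed: wrong number of fields
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                     // expired (the expiry itself is covered by the MAC)
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expires, $serverKey);
    if (!hash_equals($expected, $mac)) { // constant-time compare, never == on hashes
        return null;                     // forged or edited cookie
    }
    return $userId;
}

// At login: HttpOnly/Secure/SameSite keep scripts and plain-HTTP requests away from it.
$serverKey = 'placeholder-replace-with-output-of-bin2hex(random_bytes(32))';
$expires   = time() + MAX_AGE;
setcookie(COOKIE_NAME, buildLoginCookie('42', $expires, $serverKey), [
    'expires' => $expires, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);

// On each request: trust the id only after verification. Editing the id in the
// cookie (42 -> 43) changes the payload, so the MAC no longer matches.
$good = buildLoginCookie('42', $expires, $serverKey);
$bad  = '43' . substr($good, 2);
$ok = verifyLoginCookie($good, $serverKey, time()) === '42'
   && verifyLoginCookie($bad,  $serverKey, time()) === null;
echo $ok ? "cookie verification behaves as expected\n" : "verification broken\n";
```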
Reputation: 35
You cannot set a cookie forever. You can set a long expiry for a cookie. Please save the data in your db or session and try to match them. It is recommended to use sessions rather than cookies; session data cannot be modified.
Upvotes: 0
Reputation: 4399
Cookies are this way. They can be changed by anyone. You can use sessions to be more secure, or check cookie values every time you use them to make sure they did not change.
You also can encrypt them, but cookies have character limits and encrypting will make them bigger, so it's not a great solution.
About the "everlasting cookies", you can set them to expire in something like 50 years.
Upvotes: 1