is it safe to store a cookie user id as a login for my site

hi

i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

thanks

marc

Feb 16 '07 #1
"monomaniac 21" wrote:
hi
G'day.
i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?
How could a "malicious user" gain access to a cookie stored somewhere in
your users' computer, unless they break into your users' house? My
browser regularly asks me if I wish it to "remember" my userid/password
details for next time. Often I tell it to do so.

Then again your user may be just silly enough to store your cookie on the
public library's computer. Their problem then IMHO.
Feb 16 '07 #2
monomaniac21 wrote:
hi

i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

thanks

marc
You could store one half of the user's password hash in the cookie. When
he comes back, you compare it to the hash in the db. Works for me :-)
Feb 16 '07 #3
> How could a "malicious user" gain access to a cookie stored somewhere in...
By malicious user i was referring to someone who seeks to gain access
to other people's accounts by first creating an account and storing a
cookie, then editing the cookie so that the website automatically logs
them in as someone else. How can this be prevented?
Feb 16 '07 #4
"monomaniac 21" wrote:
>> How could a "malicious user" gain access to a cookie stored somewhere
>> in...

By malicious user i was referring to someone who seeks to gain access
to other people's accounts by first creating an account and storing a
cookie, then editing the cookie so that the website automatically logs
them in as someone else. How can this be prevented?
Er, you can't, or, perhaps, you don't need to.

I could, for instance:

a) Create an account and then hack the cookie so as to use some other
person's credentials to log in, after guessing their credentials.

b) Use your standard login form to log in using some other person's
credentials, after guessing their credentials.

Where is the problem?

On the other hand if you store stuff in your cookie that allows it to be
hacked then your design is flawed.
Feb 16 '07 #5
Mike Roetgers wrote:
monomaniac21 wrote:
>hi

i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

thanks

marc
You could store one half of the user's password hash in the cookie. When
he comes back, you compare it to the hash in the db. Works for me :-)
Or, better yet, hash the password in the database a second time and
store that hash in the cookie. When they do the cookie login compare the
cookie they send with the database password (after you've hashed it, of
course).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 16 '07 #6
>i have a php site which allows users to save a cookie on their
>computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

How could a "malicious user" gain access to a cookie stored somewhere in
your your users computer, unless they break into your users house? My
Easy: your user LIVES WITH (or worse, sleeps with AND lives with)
the malicious user. Or his kids invite the malicious user (aka
neighbor kid) in. Not all users are nerds with no friends.
Sometimes warring siblings have to share a computer.

Laptops are easy to steal. Just listen to the news: how often is
a laptop with government classified information or sensitive financial
information on it reported missing? I suspect it's especially easy
to steal laptops at airports. My Palm also contains a web browser
and it's not that hard to lose it.
>browser regularly asks me if I wish it to "remember" my userid/password
detailss for next time. Often I tell it to do so.
>Then again your user may be just silly enough to store your cookie on the
public libraries computer. Their problem then IMHO.
Feb 17 '07 #7
>How could a "malicious user" gain access to a cookie stored somewhere in...

Easily, if they sleep with the user.
>By malicious user i was referring to someone who seeks to gain access
to other people's accounts by first creating an account and storing a
cookie, then editing the cookie so that the website automatically logs
them in as someone else. How can this be prevented?
Any user can trivially set any darn cookie they want to any value
they want on their own computer. The procedure is simple for most
browsers: (a) shut down the browser, (b) edit the file the cookies
are kept in (usually it's a text file and the format is pretty
obvious), and (c) start up the browser. I've heard rumors about a
browser that lets you do it by clicking on "set cookie" and following
the prompts. It's also real easy for PHP to use CURL to pull a copy
of a web page from any other web site with any set of cookies you want.

If you were thinking of setting a cookie containing the user name,
but not the password, assuming the cookie is set that way only if
the password given is correct, your security design is incredibly
stupid (It ranks right up there with the sign on the bank vault,
also advertised on national television, asking people to not steal
from it because it's unlocked and the guard is blind). On the other
hand, if the cookie contains the user name and password in plain
text, you're making it easy for anyone to look at the stored cookie
and replicate it on their own computer.

An approach that might work is to put in the cookie the following pieces:

1. the user name
2. a time stamp
3. a secure cryptographic hash of (a) the username, (b) the time
stamp, and (c) a secret string held by the site.

If a user comes back, validate the cookie:
1. Check the hash. The hash of the username from the cookie,
the time stamp from the cookie, and the secret string
(NOT in the cookie) should match the hash in the cookie.
2. Check the time stamp. If the cookie is too old, it's stale,
so don't let them log in.
3. Check the user name. It had better correspond to a user
that exists.

If the bad guy takes an existing cookie and tries to edit it to refer
to a different user, the hash won't match. If the bad guy steals a copy
of a really old cookie (say, from a traded-in hard disk), it will fail
the time stamp check.

Often, you'd re-write the cookie with a new time stamp every hit, so as
long as they keep clicking, they'll stay logged in.

How long is "too old"? It needs to be longer than you expect users to go
between logins. It should be shorter to protect against stolen cookies.

Feb 17 '07 #8
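The scheme laid out in post #8, as an added example (not code from the thread or from any poster): the cookie carries the user name, a time stamp and a keyed hash over both under a server-side secret, and validation performs the three checks in the order given. HMAC-SHA256 stands in for the "secure cryptographic hash", the user name is base64-encoded so the field separator cannot be smuggled into it, and time stamps from the future are rejected too; `MAX_AGE`, `$secret`, the `$userExists` callback, the function names and the demo values are all assumptions.

```php
<?php
// Added example, not the poster's code. Cookie format: base64(user)|timestamp|hmac
// HMAC-SHA256 under a server-side secret stands in for the "secure cryptographic
// hash of (a) the username, (b) the time stamp, and (c) a secret string".
// MAX_AGE, $secret, $userExists and the function names are assumptions.

const MAX_AGE = 14 * 86400;   // "too old": two weeks here, a site policy choice

function issue_cookie(string $user, int $now, string $secret): string {
    $payload = base64_encode($user) . '|' . $now;   // base64 keeps '|' out of the user field
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

function validate_cookie(string $cookie, int $now, string $secret,
                         callable $userExists): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$b64user, $ts, $mac] = $parts;
    // 1. Check the hash first, in constant time, before trusting any other field.
    $expected = hash_hmac('sha256', $b64user . '|' . $ts, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;                                // edited or forged cookie
    }
    // 2. Check the time stamp: stale cookies (and ones dated in the future) fail.
    if (!preg_match('/^\d{1,10}$/', $ts) || (int)$ts > $now || $now - (int)$ts > MAX_AGE) {
        return null;
    }
    // 3. Check the user name: it must still correspond to an existing account.
    $user = base64_decode($b64user, true);
    return ($user !== false && $userExists($user)) ? $user : null;
}

// Constructed demo values: the secret and the user list are placeholders.
$secret = 'replace-with-a-long-random-server-side-secret';
$userExists = fn(string $u): bool => in_array($u, ['marc', 'alice'], true);
$now = 1171584000;                                  // 16 Feb 2007, the thread's date

// A fresh, untouched cookie presented an hour later.
$cookie = issue_cookie('marc', $now, $secret);
var_dump(validate_cookie($cookie, $now + 3600, $secret, $userExists));

// The bad guy edits the user field of his own cookie: the hash no longer matches.
$tampered = base64_encode('alice') . substr($cookie, strpos($cookie, '|'));
var_dump(validate_cookie($tampered, $now + 3600, $secret, $userExists));

// A really old copy of the cookie fails the time stamp check even though the hash is fine.
var_dump(validate_cookie($cookie, $now + 30 * 86400, $secret, $userExists));
```

To keep active users logged in as the post suggests, call `issue_cookie()` again with the current time on every hit that passes validation.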