Re: [PHP] Information on Cookies

Don't use cookies, use sessions.

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com

Ben Stones wrote:
> I've read a few videos on cookie security and it makes sense that people can modify cookie values, which is a problem I'm trying to figure out how to *try* and prevent. What I'll first do is, at the top of the page, validate whether the cookie values are in the database, but my next problem is they'd use usernames in the database as the values. Are there any preventative measures to prevent cookie forging or whatnot? Thanks.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Information on Cookies

On Sun, 2008-10-19 at 19:12 -0500, Micah Gersten wrote:
> Don't use cookies, use sessions.
>
> Thank you,
> Micah Gersten
> onShore Networks
> Internal Developer
> http://www.onshore.com
>
> Ben Stones wrote:
>> I've read a few videos on cookie security and it makes sense that people can modify cookie values, which is a problem I'm trying to figure out how to *try* and prevent. What I'll first do is, at the top of the page, validate whether the cookie values are in the database, but my next problem is they'd use usernames in the database as the values. Are there any preventative measures to prevent cookie forging or whatnot? Thanks.

Yeah, sessions are the way to go with this. They are (more often than not) just special cookies themselves: the only bit of information stored in the cookie is the session id, and the rest is stored in server memory (or sometimes a text file on the server). The chances of someone forging this are much less, and if you use sessions with https then this is reduced much more, but at the end of the day, nothing is foolproof...

Ash
www.ashleysheridan.co.uk
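As an added example (not code from the thread), here is what Ash's description looks like in PHP: the browser only ever receives an opaque session id cookie, and the user's identity lives in $_SESSION on the server, so there is no username in the cookie for anyone to edit. The sample user table, the cookie settings and the function names are assumptions for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The browser holds only an opaque
// session id; the user's identity lives in $_SESSION on the server. The user
// table, cookie settings and function names are assumptions. PHP 7.3+.

// Constructed sample user table; a real application reads password_hash()
// output from its own store.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function start_hardened_session(): void
{
    // Accept ids only from the cookie, never from a URL, and reject ids the
    // server did not generate itself (a forger cannot pick their own id).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,         // dropped when the browser closes
        'path'     => '/',
        'domain'   => '',        // assumption: current host only
        'secure'   => true,      // only sent over https, as Ash recommends
        'httponly' => true,      // invisible to JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Returns true and binds the session to $user on success.
function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // A fresh id at the moment of login defeats session fixation: an id an
    // attacker planted before authentication never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the id cookie in the browser, then drop the server-side data.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Request handling (assumed form fields: action, user, password).
start_hardened_session();
switch ($_POST['action'] ?? '') {
    case 'login':
        if (!login($USERS, $_POST['user'] ?? '', $_POST['password'] ?? '')) {
            http_response_code(401);
            exit('bad credentials');
        }
        break;
    case 'logout':
        logout();
        break;
}

$who = current_user();
echo $who === null ? 'anonymous' : 'hello ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

The point worth checking in your own code is that nothing identifying the user is ever written into a cookie: the only client-side state is the session id, which is random, marked secure and httponly, and replaced on login. Note that this does not make a stolen id harmless; it only makes one unforgeable.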
Re: [PHP] Information on Cookies

On 15 Oct 2008, at 15:23, Ben Stones wrote:
> I've read a few videos on cookie security and it makes sense that people can modify cookie values, which is a problem I'm trying to figure out how to *try* and prevent. What I'll first do is, at the top of the page, validate whether the cookie values are in the database, but my next problem is they'd use usernames in the database as the values. Are there any preventative measures to prevent cookie forging or whatnot?

You can encrypt or hash the cookies to prevent tampering...

http://stut.net/blog/2008/07/26/sessionless-sessions-2/

-Stut

--
http://stut.net/
Re: [PHP] Information on Cookies

Can you explain to me the benefits of hashing/encrypting/md5'ing cookie values? I don't see how it'd stop hackers from changing cookie values?

2008/10/15 Stut [EMAIL PROTECTED]
> On 15 Oct 2008, at 15:23, Ben Stones wrote:
>> I've read a few videos on cookie security and it makes sense that people can modify cookie values, which is a problem I'm trying to figure out how to *try* and prevent. What I'll first do is, at the top of the page, validate whether the cookie values are in the database, but my next problem is they'd use usernames in the database as the values. Are there any preventative measures to prevent cookie forging or whatnot?
>
> You can encrypt or hash the cookies to prevent tampering...
>
> http://stut.net/blog/2008/07/26/sessionless-sessions-2/
>
> -Stut
>
> --
> http://stut.net/
Re: [PHP] Information on Cookies

On 15 Oct 2008 at 16:04, Ben Stones wrote:
> Can you explain to me the benefits of hashing/encrypting/md5'ing cookie values? I don't see how it'd stop hackers from changing cookie values?

Hi,

You would keep a copy of the hash on the server and check that against the submitted value. If they are different then the cookie has been modified.

Regards

Ian

> 2008/10/15 Stut [EMAIL PROTECTED]
>> On 15 Oct 2008, at 15:23, Ben Stones wrote:
>>> I've read a few videos on cookie security and it makes sense that people can modify cookie values, which is a problem I'm trying to figure out how to *try* and prevent. What I'll first do is, at the top of the page, validate whether the cookie values are in the database, but my next problem is they'd use usernames in the database as the values. Are there any preventative measures to prevent cookie forging or whatnot?
>>
>> You can encrypt or hash the cookies to prevent tampering...
>>
>> http://stut.net/blog/2008/07/26/sessionless-sessions-2/
>>
>> -Stut
>>
>> --
>> http://stut.net/
Re: [PHP] Information on Cookies

On 15 Oct 2008, at 16:04, Ben Stones wrote:
> Can you explain to me the benefits of hashing/encrypting/md5'ing cookie values? I don't see how it'd stop hackers from changing cookie values?

You encrypt stuff with a string that you keep secret. That string is needed to decrypt the string. When hashing you would add a secret string to the value you're hashing before calculating the hash. When validating the content of the cookie you would add the secret string and then compare the calculated hash.

In both cases the bad guys would need to know the secret string in order to create a valid cookie value, so as long as you're not stupid enough to share it, it's pretty secure.

Aside from the extra CPU required for encryption, the only difference between the two is that with hashing the value you're storing is stored in the cookie in plain text, whereas an encrypted value is, erm, encrypted.

I suggest you Google encryption and hashing as these are pretty basic concepts.

-Stut

> 2008/10/15 Stut [EMAIL PROTECTED]
>> On 15 Oct 2008, at 15:23, Ben Stones wrote:
>>> I've read a few videos on cookie security and it makes sense that people can modify cookie values, which is a problem I'm trying to figure out how to *try* and prevent. What I'll first do is, at the top of the page, validate whether the cookie values are in the database, but my next problem is they'd use usernames in the database as the values. Are there any preventative measures to prevent cookie forging or whatnot?
>>
>> You can encrypt or hash the cookies to prevent tampering...
>>
>> http://stut.net/blog/2008/07/26/sessionless-sessions-2/

--
http://stut.net/
Re: [PHP] Information on Cookies

Makes perfect sense. I have included this security in my script - thanks to both of you for your help! Cheers!

2008/10/15 Stut [EMAIL PROTECTED]
> On 15 Oct 2008, at 16:04, Ben Stones wrote:
>> Can you explain to me the benefits of hashing/encrypting/md5'ing cookie values? I don't see how it'd stop hackers from changing cookie values?
>
> You encrypt stuff with a string that you keep secret. That string is needed to decrypt the string. When hashing you would add a secret string to the value you're hashing before calculating the hash. When validating the content of the cookie you would add the secret string and then compare the calculated hash.
>
> In both cases the bad guys would need to know the secret string in order to create a valid cookie value, so as long as you're not stupid enough to share it, it's pretty secure.
>
> Aside from the extra CPU required for encryption, the only difference between the two is that with hashing the value you're storing is stored in the cookie in plain text, whereas an encrypted value is, erm, encrypted.
>
> I suggest you Google encryption and hashing as these are pretty basic concepts.
>
> -Stut
>
>> 2008/10/15 Stut [EMAIL PROTECTED]
>>> On 15 Oct 2008, at 15:23, Ben Stones wrote:
>>>> I've read a few videos on cookie security and it makes sense that people can modify cookie values, which is a problem I'm trying to figure out how to *try* and prevent. What I'll first do is, at the top of the page, validate whether the cookie values are in the database, but my next problem is they'd use usernames in the database as the values. Are there any preventative measures to prevent cookie forging or whatnot?
>>>
>>> You can encrypt or hash the cookies to prevent tampering...
>>>
>>> http://stut.net/blog/2008/07/26/sessionless-sessions-2/
>
> --
> http://stut.net/
Re: [PHP] Information on Cookies

On 15 Oct 2008, at 18:21, Yeti wrote:
>> You encrypt stuff with a string that you keep secret. That string is needed to decrypt the string.
>
> I recommend you change that string once in a while.

That's never a bad idea with any secret token, but bear in mind that when you do, all existing cookies will instantly become invalid.

-Stut

--
http://stut.net/
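The following is an added example, not code from the thread or from stut.net. It implements the scheme Stut describes above (the cookie carries its value in plain text plus a hash computed over that value and a secret, which is an HMAC), and it also addresses the rotation caveat in this reply: a key id is stored in the cookie, so cookies signed under the previous key keep verifying until they expire while new cookies are signed with the new key. Key names, key values, the cookie layout, the claim names and the sample data are all assumptions; it requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from stut.net. HMAC-signed
// cookie with a key id so the secret can be rotated without invalidating
// every existing cookie at once. Key names/values, cookie layout and the
// sample claims are assumptions. PHP 8.0+.

// First entry signs new cookies; the others are only used to verify older
// ones. Load real keys (32 bytes from random_bytes()) from configuration,
// not from the same database an attacker may already be reading.
const SIGNING_KEYS = [
    'k2' => 'placeholder-current-key-replace-with-random_bytes(32)',
    'k1' => 'placeholder-previous-key-kept-until-its-cookies-expire',
];

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): string|false
{
    return base64_decode(strtr($s, '-_', '+/'), true);
}

// Cookie layout: <kid>.<base64url(json claims)>.<hex hmac-sha256>.
// The key id is covered by the MAC so it cannot be swapped after signing.
function sign_cookie(array $claims, array $keys, ?string $kid = null): string
{
    $kid   ??= array_key_first($keys);
    $payload = b64url(json_encode($claims, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $kid . '.' . $payload, $keys[$kid]);
    return $kid . '.' . $payload . '.' . $mac;
}

// Returns the claims, or null if the cookie is missing, malformed, signed
// with a key no longer in $keys, tampered with, or past its 'exp' time.
function verify_cookie(?string $cookie, array $keys, int $now): ?array
{
    if ($cookie === null) {
        return null;
    }
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$kid, $payload, $mac] = $parts;
    if (!isset($keys[$kid])) {
        return null;                 // key retired: the cookie is simply invalid
    }
    $expected = hash_hmac('sha256', $kid . '.' . $payload, $keys[$kid]);
    if (!hash_equals($expected, $mac)) {
        return null;                 // constant-time compare, no timing leak
    }
    $json = b64url_decode($payload);
    if ($json === false) {
        return null;
    }
    $claims = json_decode($json, true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] < $now) {
        return null;
    }
    return $claims;
}

// Exercises the scheme with constructed data; returns true if every case behaves.
function self_check(): bool
{
    $now    = 1_700_000_000;
    $claims = ['user' => 'alice', 'exp' => $now + 86400];
    $good   = sign_cookie($claims, SIGNING_KEYS);

    $v  = verify_cookie($good, SIGNING_KEYS, $now);
    $ok = $v !== null && $v['user'] === 'alice';          // untouched cookie verifies

    [$kid, , $mac] = explode('.', $good);                  // keep the MAC, edit the payload
    $forged = $kid . '.' . b64url('{"user":"admin","exp":' . ($now + 86400) . '}') . '.' . $mac;
    $ok = $ok && verify_cookie($forged, SIGNING_KEYS, $now) === null;

    $old = sign_cookie($claims, SIGNING_KEYS, 'k1');       // issued before rotation
    $ok = $ok && verify_cookie($old, SIGNING_KEYS, $now) !== null;
    $ok = $ok && verify_cookie($old, ['k2' => SIGNING_KEYS['k2']], $now) === null; // k1 retired

    $ok = $ok && verify_cookie($good, SIGNING_KEYS, $now + 90000) === null;       // expired
    return $ok;
}

// In a request: after login, setcookie('auth', sign_cookie([...], SIGNING_KEYS), [...])
// with secure and httponly set; on every page,
// $claims = verify_cookie($_COOKIE['auth'] ?? null, SIGNING_KEYS, time()).
// Run from the command line this only reports the self-check via the exit code.
if (PHP_SAPI === 'cli') {
    exit(self_check() ? 0 : 1);
}
```

Two caveats a practitioner should keep in mind. The payload is base64, not encrypted, so as Stut says anything in it is readable by the user; put only what you are happy for them to see there. And a valid signature proves only that your server issued the cookie: a copied cookie replays until 'exp', which is why the expiry claim is mandatory here and why a server-side session (or a server-side revocation list) is still the answer when you need to log a user out everywhere.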
Re: [PHP] Information on Cookies

On Oct 15, 2008, at 1:21 PM, Yeti wrote:
>> You encrypt stuff with a string that you keep secret. That string is needed to decrypt the string.
>
> I recommend you change that string once in a while.

Also, picking up a copy of:

Essential PHP Security by Chris Shiflett
ISBN-10: 059600656X
ISBN-13: 978-0596006563

might be worthwhile as well for more general information on security-related issues.
Re: [PHP] Information on Cookies

> You encrypt stuff with a string that you keep secret. That string is needed to decrypt the string.

I recommend you change that string once in a while.