

Keeping Secure with Cookies





polly-gone
I have a quick question for you all.

How can I keep my website secure with cookies? I mean, if I wanted to, if someone was on this computer before me on Firefox and I went on and copied all the cookie information using the Web Developer toolbar, I could just enter that info in later and I am into their account or whatever.

What can I do?

Thanks,
-Nick
rvec
encrypt it
add the ip of the pc to the cookie to make it only usable on one pc
save a copy of the cookie in your database and check if it is the same as you gave
always let users re-authenticate if they do something important like changing the password or email

I know it's all just to make the hacking a bit harder, but it's still possible. Sessions are more secure and should be used when possible and always when you need more security.
DjMilez
You should try encryption.

Also, rvec, IPs aren't the best idea... IPs change.
rvec
Then let them log in again, or use some setting in their config. One IP makes it a lot more secure, because the hacker won't be able to use the same cookie on another PC.

Unless he knows you check the IP, and sends the wrong IP with his headers. So if you encrypt it and use strange keys (not nick, pass and ip but better 7jdK or 1 or other non-explaining keys) it should make it a lot harder.
polly-gone
Well, but I could still view the cookie, and then manually set it again using Firefox's Web Developer Toolbar.

Is there any way to stop that from happening?

Thanks,
Nick
polly-gone
Wait... so do you think I should use session cookies only? This is for my clients' dashboard where they will be able to access the PayPal page to make payments and view their business account information.

-Nick
rvec
If the info is sensitive and you show stuff like full bank account or credit card numbers (and not something like *********132) then I'd really suggest using as much security as you can get.
polly-gone
No. I don't deal with bank accounts and such, and I only accept credit through PayPal, but this basically controls my clients' whole website.

-Nick
rvec
Well, the security you need depends a lot on the stuff you give access to. You have to remember a hacker needs access to a user-pc to copy the cookie (or javascript on your domain).

And if a user keeps his browser open and walks away it's just as vulnerable with sessions. And if you put the sessionid in the url another user could also copy that sessionid if the user doesn't log out.

I think the best thing would be to use encrypted cookies if you want your users to stay logged in longer, use sessions for every time a user visits the site, don't let the IP of the user change within a session, change the sessionid every time before you change the password or access level of a user and ask for the password every time you show or edit important information.

That should cover most security risks.
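
Added example (not code from any poster in this thread): one way the measures listed in the reply above could look with PHP's built-in sessions. The function names, the `$_SESSION` keys and the five-minute re-authentication window are assumptions made for illustration, and `$storedHash` is assumed to come from `password_hash()`.

```php
<?php
// Added example. Function names and $_SESSION keys are hypothetical.
function start_secure_session(): void {
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,          // cookie disappears when the browser closes
        'path'     => '/',
        'secure'   => true,       // sent over HTTPS only
        'httponly' => true,       // hidden from JavaScript running on the domain
        'samesite' => 'Strict',
    ]);
    session_start();              // the cookie carries a random id, no user data
}

function login(string $user, string $password, string $storedHash): bool {
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);  // new id on access-level change, old one deleted
    $_SESSION['user'] = $user;
    // REMOTE_ADDR is the peer address reported by the web server, not a header.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['reauth_at'] = time();
    return true;
}

function current_user(): ?string {
    if (!isset($_SESSION['user'])) {
        return null;
    }
    if (!hash_equals($_SESSION['ip'] ?? '', $_SERVER['REMOTE_ADDR'])) {
        $_SESSION = [];           // IP changed within the session: log in again
        session_destroy();
        return null;
    }
    return $_SESSION['user'];
}

// Call before showing or editing important information.
function confirm_password(string $password, string $storedHash): bool {
    if (current_user() === null || !password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['reauth_at'] = time();
    return true;
}

function recently_confirmed(int $maxAgeSeconds = 300): bool {
    return current_user() !== null
        && time() - ($_SESSION['reauth_at'] ?? 0) <= $maxAgeSeconds;
}
```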