cookie hacking
Cinta April
Apr 27th 2008, 4:04 pm
Hi, I am starting a website where I store the user's email in cookies. When I open the cookie file in temporary files I can see the exact email. Will this open any holes for hacks, or should I encrypt the cookie value? My experience is that when the cookie file is tampered with, the file is dysfunctional and we have to sign in again.
CPURules
Apr 27th 2008, 4:12 pm
The main chance for a hole wouldn't be in the cookies; if you have any vulnerabilities in your website, a hacker could use it to get the e-mail.
If you think your site could be penetrated, then encrypt the cookies. If you have even the slightest doubt, encrypt them. Just make sure you can still get the original email address somehow, if it is needed.
powerspike
Apr 27th 2008, 9:14 pm
Another option for you would be to store some type of random id in the cookies and make a database table with all the information for that cookie id in it. That way, at most, they can get an id, not information from your users.
rohan_shenoy
Apr 28th 2008, 3:11 am
Another option for you would be to store some type of random id in the cookies and make a database table with all the information for that cookie id in it. That way, at most, they can get an id, not information from your users.
Let's say I am the visitor to his website. So I have an ID stored in the cookie. What if I edit this cookie and put some other ID in it? Wouldn't I be able to get the email address of another member?
Instead of using only 1 cookie, store 2 cookies that always pair with each other. This way you will be safe from people manipulating cookies on their PC.
xrvel
Apr 28th 2008, 4:08 am
Maybe you can store an md5 hash of your cookie(s) (e-mail, user id, etc.) together with the user's IP, and store that hash in the user's cookie:
<?php
// Set everything (after the user has logged in)
$ip = $_SERVER['REMOTE_ADDR'];
$email = 'some@thing.com';
$userid = 5;
// 'yourstring' is a server-side secret; without it anyone could recompute the hash
$hash = md5('yourstring' . $ip . $email . $userid);
setcookie('email', $email, time() + 3600);
setcookie('userid', $userid, time() + 3600);
setcookie('hash', $hash, time() + 3600);

// To check if the cookie is valid
// (User's IP is not modified)
if (!isset($_COOKIE['email'], $_COOKIE['userid'], $_COOKIE['hash'])) {
    // One of the cookies is missing: treat the visitor as not logged in
    exit;
}
$ip = $_SERVER['REMOTE_ADDR'];
$email = $_COOKIE['email'];
$userid = $_COOKIE['userid'];
$hash_c = $_COOKIE['hash'];
$hash = md5('yourstring' . $ip . $email . $userid);
// Strict comparison: with '!=' PHP compares numeric-looking hex strings
// (e.g. '0e123...') as numbers, so two different hashes could test equal
if ($hash !== $hash_c) {
    // You are a bad guy
} else {
    // Looks good
}
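Putting the thread's two suggestions together: the cookie carries only a random, opaque id (powerspike's approach) plus a keyed signature over it, so an edited id is rejected before any database lookup (the paired-cookie idea rohan_shenoy describes, done with an HMAC rather than an unkeyed md5). This is an added example, not code from any poster; the `$secret` value, the `sessions` table and the two function names are assumptions.

```php
<?php
// Added example: opaque session id + HMAC signature instead of putting the
// e-mail itself in a cookie.
// Assumptions: $secret is a long random value kept only on the server,
// $pdo is a PDO connection with a table
//   sessions(id CHAR(32) PRIMARY KEY, email VARCHAR(255), expires INT)

// Issue the cookie after a successful login.
function issueSessionCookie(PDO $pdo, string $secret, string $email): void
{
    $id = bin2hex(random_bytes(16));             // 128-bit opaque id
    $expires = time() + 3600;
    $stmt = $pdo->prepare('INSERT INTO sessions (id, email, expires) VALUES (?, ?, ?)');
    $stmt->execute([$id, $email, $expires]);

    // Signature covers the id and its expiry, keyed with the server secret.
    $sig = hash_hmac('sha256', $id . '|' . $expires, $secret);
    $value = $id . '|' . $expires . '|' . $sig;
    // httponly keeps page scripts from reading it; secure restricts it to HTTPS.
    setcookie('session', $value, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Verify the cookie and return the e-mail, or null if anything is off.
function readSessionCookie(PDO $pdo, string $secret): ?string
{
    if (!isset($_COOKIE['session'])) {
        return null;
    }
    $parts = explode('|', $_COOKIE['session']);
    if (count($parts) !== 3) {
        return null;                             // malformed cookie
    }
    [$id, $expires, $sig] = $parts;
    $expected = hash_hmac('sha256', $id . '|' . $expires, $secret);
    // hash_equals is a constant-time compare; a forged or edited id fails
    // here without ever touching the database.
    if (!hash_equals($expected, $sig) || (int) $expires < time()) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT email FROM sessions WHERE id = ? AND expires > ?');
    $stmt->execute([$id, time()]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}
```

A 128-bit random id is already unguessable on its own, so the HMAC mainly rejects tampered or malformed cookies cheaply and lets the server expire a session without trusting the cookie's own expiry field.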