Hi guys, can a $COOKIE[] var be edited by the user? If it can, I have quite a security issue to deal with. Thanks, -Tony
Yep, with most modern browsers that support plugins. There are plenty of plugins that can change the content of cookies, so it's a risk!
Yes and no. Sessions are basically cookies, with the difference that the data is stored on the server. In order to link the user to a session, a session cookie is placed on the user's computer with one long string in it. This string is a randomly generated string and is called the session ID. With this session ID the server knows what data has been stored in the session. Now, a user can edit the session ID in the session cookie, but if there is no session with that session ID on the server, no data will be loaded from the session. You would have to be extremely lucky to change the session ID to someone else's session ID. But if you can do it, then you can steal a session and get access to the other user's account etc. There are other things you can do to stop this, like storing the IP or the browser and, if something changes, simply deleting the whole session. Also, sessions time out after a while, but you have a little bit of control over that if you search a bit. Hope this helped.
Really good browsers like Opera even have it built in. Right-click, "Edit site preferences", "Cookies". Along with all the other built-in per-site preferences like plugin blocking, script blocking, user.css, pretending to be other browsers when some idiot wrote broken browser-sniffing scripts...
You can use an encryption scheme to secure the data in the cookie from being reasonably manipulated by the user. Using the AES or Rijndael cipher would effectively prevent manipulation and wouldn't cause an enormous amount of overhead to an average request. However, this is pretty excessive overkill for the purpose of using a cookie. I'd be open to hearing the argument for preventing a user from seeing or manipulating cookie data, but it's not meant for storage of sensitive information, so don't use it for that purpose. If you can give some more info on what you're trying to accomplish and what your concerns are, I think the members could give some input on the best way to accomplish it.
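The property the post above is after (noticing when the user has edited the cookie) is integrity, and a keyed MAC gives that more cheaply than a cipher; the value stays readable, which is consistent with the advice not to put secrets in it. The example below is added here and is not code from any poster; it signs a cookie value with HMAC-SHA256 under a constructed server-side key, rejects edited or malformed values, and shows a forged "role" being refused. The key, payload and cookie layout are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real server loads it from config,
# never from anything the client sends.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize payload and append an HMAC-SHA256 tag: <b64(json)>.<b64(tag)>."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(value: str, key: bytes = SECRET_KEY):
    """Return the payload dict if the tag is valid, else None (treat as 'no cookie')."""
    try:
        body, tag_text = value.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare so a timing difference does not leak how
        # much of a guessed tag was correct.
        if not hmac.compare_digest(expected, _unb64(tag_text)):
            return None
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_demo():
    """Issue a member cookie, then keep its tag but rewrite the body to claim admin."""
    good = sign_cookie({"user": "tony", "role": "member"})
    _, tag = good.split(".", 1)
    forged = _b64(b'{"role":"admin","user":"tony"}') + "." + tag
    return verify_cookie(good), verify_cookie(forged)


if __name__ == "__main__":
    accepted, rejected = tamper_demo()
    print("valid cookie ->", accepted)   # the member payload
    print("edited cookie ->", rejected)  # None: tag no longer matches
```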
It's possible with a cookie editor or any other editor. For example, you can edit cookies in Firefox with a cookie editor add-on, or with Opera, which comes with an inbuilt cookie editor.