#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2001
    Posts
    81
    Rep Power
    14

    Problem with Cookie Hijacking Test


    I store my userid in the cookie. Let's say I log in with userid=1. I then open up the cookie file and change userid1 to userid2. If I continue browsing it still uses the original userid 1. If I close and reopen the browser and look at the cookie, the userid section has been removed and I need to relogon to set the cookie, although other cookie variables still exist.

    Why is it that I can't change the userid in the cookie? Does it have something to do with that long number after each cookie variable?

    Looking for any ideas,
    yoyo
  2. #2
  3. Always Spell Chek
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2002
    Location
    NJ, USA
    Posts
    338
    Rep Power
    13
    Please post the code that you use to set the cookie, update the cookie, and/or destroy the cookie. Sounds like you are not using cookie variables correctly.
    Programming is easy. It's the thinking that's hard.

    Search the forums before you ask your question.
    PHP | MySQL websites. Visit them, read them, cherish them.
    Read the posting rules, before you post.
    See if your question has been answered already.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2001
    Posts
    81
    Rep Power
    14
    To create cookie:

    PHP Code:
    if ($_POST['submit'])
    {
        $user_id = check_pass($_POST['uname'], $_POST['pass']);

        if (isset($user_id))
        {
            $message = 'You are now logged in.';

            if (isset($_POST['rem_me']))
            {
                setcookie ('user_id', $user_id, time()+2592000, '/'); //expire in 30 days
            }
            else
            {
                setcookie ('user_id', $user_id); //expire upon close of browser
            }
            $_COOKIE['user_id'] = $user_id; //I set this only so it gets set for initial page loading.
        }
        else
        {
            $message = 'Invalid login. Please try again.';
        }
    }

    To delete cookie:

    PHP Code:
    if ($_GET['action'] == 'logoff')
    {
        $message = 'You have logged out.';
        setcookie ('user_id', '', time()-3600, '/');
        unset($_COOKIE['user_id']);
    }

    I never update the userid cookie. Everything is working fine otherwise. Maybe this is a good thing and I don't need to add more security as far as cookie stuff is concerned?
  6. #4
  7. Always Spell Chek
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2002
    Location
    NJ, USA
    Posts
    338
    Rep Power
    13
    Just a few suggestions. First, I don't see any code that resembles what you were talking about, with changing the userid in the cookie. That should be a simple call, just use setcookie() just like you set the cookie, just use the new userid this time.

    PHP Code:
    // kill old user id.
    setcookie ('user_id', '', time()-3600, '/');

    // set new userid.
    setcookie ('user_id', $user_id, time()+2592000, '/');
    As for login/logout problems, I would check to see if a cookie is there and then destroy it before creating a new one. This will just ensure that the cookie is fresh. You should also destroy all cookies that you may have stored for use while the user is logged in. Use the same setcookie() idea as mentioned above to expire each one.

    PHP Code:
    if ($_POST['submit'])
    {
        $user_id = check_pass($_POST['uname'], $_POST['pass']);

        if (isset($user_id))
        {
            $message = 'You are now logged in.';

            if (isset($_POST['rem_me']))
            {
                if (isset($_COOKIE['user_id']))
                {
                    setcookie ('user_id', '', time()-3600, '/');
                    setcookie ('user_id', $user_id, time()+2592000, '/');
                }
                else
                {
                    setcookie ('user_id', $user_id, time()+2592000, '/'); //expire in 30 days
                }
            }
            else
            {
                setcookie ('user_id', $user_id, 0, '/');  //expire upon close of browser
            }
            $_COOKIE['user_id'] = $user_id; //I set this only so it gets set for initial page loading.
        }
        else
        {
            $message = 'Invalid login. Please try again.';
        }
    }
    As for destroying the cookie, I don't think you need to unset() the cookie variable after you have expired the cookie. I guess you can, but I still don't think there is a huge need for it.

    I personally try to expire and then create a new cookie if I need to refresh the info in it. I would not recommend just trying to edit the value of the cookie.
    Last edited by maytricks; September 24th, 2002 at 04:11 PM.
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2001
    Posts
    81
    Rep Power
    14
    As far as changing the userid in the cookie, it's not anywhere in the code, I'm actually physically opening up the cookie txt file and changing the userid in there, to see if I can "hijack" a different user's id. I haven't had any success, which is a good thing. So I guess maybe everything is fine then.
  10. #6
  11. No Profile Picture
    Senior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2002
    Posts
    8
    Rep Power
    0
    The value portion of the cookie will automatically be urlencoded when you send the cookie, and when it is received, it is automatically decoded and assigned to a variable by the same name as the cookie name.

    RTFM
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2001
    Posts
    81
    Rep Power
    14
    What does that have to do with the problem? In this case the value is '1'. urlencoding that value will not change the value at all.

    If I physically change userid1 to userid2 in the cookie txt file, why is it not taking effect when I reopen the browser? In fact, the entire userid2 section is removed if I check the cookie txt file after reopening the browser.
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2000
    Posts
    452
    Rep Power
    15
    It's possible the browser will try to detect manual modification of the cookie file and throw away your changes.

    Even if it does, though, I wouldn't rely on it for security.
  16. #9
  17. Always Spell Chek
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2002
    Location
    NJ, USA
    Posts
    338
    Rep Power
    13
    I would rely on a combination of sessions and cookies for security.
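
The last two replies say not to rely on the browser to reject an edited cookie. As an added example (not code from any poster in this thread), one server-side way to make the `user_id` cookie tamper-evident is to attach an HMAC and verify it on every request; the function names and `SECRET_KEY` are hypothetical, and the key is assumed to be a random secret held only on the server.

```php
<?php
// Added example: tamper-evident "remember me" cookie value.
// SECRET_KEY is a placeholder; load a random 32-byte key from server-side config.
const SECRET_KEY = 'replace-with-32-random-bytes-from-config';

// Build "user_id|expires|mac"; the MAC covers both the id and the expiry time.
function make_cookie_value(int $userId, int $expires, string $key): string
{
    $payload = $userId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Return the user id if the value is authentic and unexpired, otherwise null.
function verify_cookie_value(string $value, string $key, int $now): ?int
{
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;                       // malformed or truncated cookie
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;                       // only plain decimal fields are valid
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // id or expiry was changed client-side
    }
    return ((int) $expires >= $now) ? (int) $userId : null;
}

// Constructed demonstration: user 1 logs in, then the cookie is edited by hand.
$now    = time();
$issued = make_cookie_value(1, $now + 2592000, SECRET_KEY);  // 30 days, as in the thread
$edited = preg_replace('/^1\|/', '2|', $issued);             // user_id changed from 1 to 2

var_dump(verify_cookie_value($issued, SECRET_KEY, $now));    // genuine cookie
var_dump(verify_cookie_value($edited, SECRET_KEY, $now));    // hand-edited cookie

// In the login handler the signed value replaces the bare id:
// setcookie('user_id', $issued, $now + 2592000, '/');
```

On each request the application would take the user id from `verify_cookie_value($_COOKIE['user_id'], ...)` and treat `null` as "not logged in", instead of trusting the raw cookie value.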
