Problem with Cookie Hijacking Test

I store my userid in the cookie. Let's say I login with userid=1. I then open up the cookie file and change userid1 to userid2. If I continue browsing it still uses the original userid 1. If I close and reopen the browser and look at the cookie, the userid section has been removed and I need to relogon to set the cookie, although other cookie variables still exist.

Why is it that I can't change the userid in the cookie? Does it have something to do with that long number after each cookie variable?

Looking for any ideas,
yoyo

Please post the code that you use to set the cookie, update the cookie, and/or destroy the cookie. Sounds like you are not using cookie variables correctly.

To create cookie:



To delete cookie:



I never update the userid cookie. Everything is working fine otherwise. Maybe this is a good thing and I don't need to add more security as far as cookie stuff is concerned?

Just a few suggestions. First, I dont see any code that resembles what you where talking about, with changing the userid in the cookie. That should be a simple call, just use setcookie() just like you set the cookie, just use the new userid this time.



As for login/logout problems. I would check to see if a cookie is there and then destroy it before creating a new one. This will just ensure that the cookie is fresh. You should also destroy all cookies that you may have stored for use while the user is logged in. Use the same setcookie() idea as mentioned above to expire each one.



As for destroying the cookie, I don't think you need to unset() the cookie variable after you have expired the cookie. I guess you can, but I still dont think there is a huge need for it.

I personally try to expire and then create a new cookie if I need to refresh the info in it. I would not reccommend just trying to edit the value of the cookie.

As far as changing the userid in the cookie, it not anywhere in the code, I'm actually physically opening up the cookie txt file and changing the userid in there, to see if I can "hijack" a different user's id. I haven't had any success, which is a good thing. So I guess maybe everything is fine then.

the value portion of the cookie will automatically be urlencoded when you send the cookie, and when it is received, it is automatically decoded and assigned to a variable by the same name as the cookie name.

RTFM

What does that have anything to do with the problem? In this case the value is '1'. urlencoding that value will not change the value at all.

If I physically change userid1 to userid2 in the cookie txt file, why is it not taking effect when I reopen the browser? In fact, the entire userid2 section is removed if I check the cookie txt file after reopeing the browser.

it's possible the browser will try to detect manual modification of the cookie file and throw away your changes.

Even if it does, though, i wouldnt rely on it for security.

I would rely on a combination of sessions and cookies for security.