Problem with Cookie Hijacking Test
September 24th, 2002, 01:39 PM
Contributing User
Problem with Cookie Hijacking Test
I store my userid in the cookie. Let's say I login with userid=1. I then open up the cookie file and change userid1 to userid2. If I continue browsing it still uses the original userid 1. If I close and reopen the browser and look at the cookie, the userid section has been removed and I need to relogon to set the cookie, although other cookie variables still exist.
Why is it that I can't change the userid in the cookie? Does it have something to do with that long number after each cookie variable?
Looking for any ideas,
yoyo

September 24th, 2002, 02:00 PM
Always Spell Chek
Please post the code that you use to set the cookie, update the cookie, and/or destroy the cookie. Sounds like you are not using cookie variables correctly.

September 24th, 2002, 02:12 PM
Contributing User
To create cookie:
PHP Code:
// Runs only when the login form was submitted.
if (!empty($_POST['submit']))
{
    // check_pass() is the poster's own function, defined elsewhere.
    $user_id = check_pass($_POST['uname'], $_POST['pass']);
    if (isset($user_id))
    {
        $message = 'You are now logged in.';
        if (isset($_POST['rem_me']))
        {
            setcookie ('user_id', $user_id, time()+2592000, '/'); //expire in 30 days
        }
        else
        {
            setcookie ('user_id', $user_id); //expire upon close of browser
        }
        $_COOKIE['user_id'] = $user_id; //I set this only so it gets set for initial page loading.
    }
    else
    {
        $message = 'Invalid login. Please try again.';
    }
}
To delete cookie:
PHP Code:
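if (isset($_GET['action']) && $_GET['action'] == 'logoff')
{
    $message = 'You have logged out.';
    // Expire the cookie in the browser, then drop it for the rest of this request.
    setcookie ('user_id', '', time()-3600, '/');
    unset($_COOKIE['user_id']);
}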
I never update the userid cookie. Everything is working fine otherwise. Maybe this is a good thing and I don't need to add more security as far as cookie stuff is concerned?

September 24th, 2002, 03:07 PM
Always Spell Chek
Just a few suggestions. First, I don't see any code that resembles what you were talking about, with changing the userid in the cookie. That should be a simple call, just use setcookie() just like you set the cookie, just use the new userid this time.
PHP Code:
// kill old user id.
setcookie ('user_id', '', time()-3600, '/');
// set new userid.
setcookie ('user_id', $user_id, time()+2592000, '/');
As for login/logout problems. I would check to see if a cookie is there and then destroy it before creating a new one. This will just ensure that the cookie is fresh. You should also destroy all cookies that you may have stored for use while the user is logged in. Use the same setcookie() idea as mentioned above to expire each one.
PHP Code:
if (!empty($_POST['submit']))
{
    $user_id = check_pass($_POST['uname'], $_POST['pass']);
    if (isset($user_id))
    {
        $message = 'You are now logged in.';
        if (isset($_POST['rem_me']))
        {
            if (isset($_COOKIE['user_id']))
            {
                // A cookie already exists: expire it, then set a fresh one.
                setcookie ('user_id', '', time()-3600, '/');
                setcookie ('user_id', $user_id, time()+2592000, '/');
            }
            else
            {
                setcookie ('user_id', $user_id, time()+2592000, '/'); //expire in 30 days
            }
        }
        else
        {
            // An expiry of 0 makes this a session cookie.
            setcookie ('user_id', $user_id, 0, '/'); //expire upon close of browser
        }
        $_COOKIE['user_id'] = $user_id; //I set this only so it gets set for initial page loading.
    }
    else
    {
        $message = 'Invalid login. Please try again.';
    }
}
As for destroying the cookie, I don't think you need to unset() the cookie variable after you have expired the cookie. I guess you can, but I still don't think there is a huge need for it.
I personally try to expire and then create a new cookie if I need to refresh the info in it. I would not recommend just trying to edit the value of the cookie.
Last edited by maytricks : September 24th, 2002 at 03:11 PM.

September 24th, 2002, 03:32 PM
Contributing User
As far as changing the userid in the cookie, it's not anywhere in the code, I'm actually physically opening up the cookie txt file and changing the userid in there, to see if I can "hijack" a different user's id. I haven't had any success, which is a good thing. So I guess maybe everything is fine then.

September 24th, 2002, 03:35 PM
Senior Member
The value portion of the cookie will automatically be urlencoded when you send the cookie, and when it is received, it is automatically decoded and assigned to a variable by the same name as the cookie name.
RTFM 

September 24th, 2002, 05:21 PM
Contributing User
What does that have to do with the problem? In this case the value is '1'. urlencoding that value will not change the value at all.
If I physically change userid1 to userid2 in the cookie txt file, why is it not taking effect when I reopen the browser? In fact, the entire userid2 section is removed if I check the cookie txt file after reopening the browser.

September 24th, 2002, 06:02 PM
Contributing User
It's possible the browser will try to detect manual modification of the cookie file and throw away your changes.
Even if it does, though, I wouldn't rely on it for security.

September 24th, 2002, 07:33 PM
Always Spell Chek
I would rely on a combination of sessions and cookies for security.
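
The thread ends without showing how a server can tell that a user_id cookie was edited on the client. The following is an added example, not code from any poster: it signs the cookie value with an HMAC so the 1-to-2 edit tested above fails verification. SECRET_KEY, make_login_cookie() and read_login_cookie() are hypothetical names, and the key shown is a constructed placeholder.

```php
<?php
// Added example, not code from the thread. SECRET_KEY and both function
// names are hypothetical; load the real key from server-side configuration.
const SECRET_KEY = 'constructed-demo-key-change-me';

// Build "user_id|expires|mac" so the server can detect any edit to the value.
function make_login_cookie(int $user_id, int $expires, string $key): string
{
    $payload = $user_id . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Return the user id if the cookie is intact and unexpired, otherwise null.
function read_login_cookie(string $cookie, string $key, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user_id, $expires, $mac] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires)) {
        return null;
    }
    // Recompute the MAC over the received fields and compare in constant time.
    $expected = hash_hmac('sha256', $user_id . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return ((int) $expires >= $now) ? (int) $user_id : null;
}

// Constructed demonstration: a valid cookie for user 1, then the same cookie
// with the id edited by hand to 2, as in the test described in the thread.
$now    = time();
$cookie = make_login_cookie(1, $now + 2592000, SECRET_KEY);
$forged = preg_replace('/^1\|/', '2|', $cookie);

var_dump(read_login_cookie($cookie, SECRET_KEY, $now));
var_dump(read_login_cookie($forged, SECRET_KEY, $now));
```

The signature only detects edits to the value; a copied cookie is still accepted until it expires, which is the gap that pairing cookies with server-side sessions addresses.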