Forum Moderators: phranque


Cookies and Security

How Secure is this Setup?

         

Nick_W

5:15 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi all,

If you store something like a 'permissions level' in a cookie. Just how secure is it?

Could a user doctor their cookie to give themselves more permissions? - If so, what's a good alternative?

Many thanks..

Nick

gsx

5:27 pm on Mar 18, 2003 (gmt 0)

10+ Year Member



I suppose it depends. If the permission level was numbered 0-5, then it would be very insecure. But if you used the string DSALKDSANRT9373HFNG for level 0, it would take a lot of guessing to find out what level 1 would be. But if they know someone on level 1...

mavherick

5:30 pm on Mar 18, 2003 (gmt 0)

10+ Year Member



I use sessions for that kind of stuff, but I think you could simply encrypt the permission level to make it harder for somebody to play around with the value in the cookie.

Using sessions is safer in my opinion, storing the permission level as a session variable (I'm assuming there is a login and some kind of user database with permission level assigned to each user).

hope that helps

mavherick

Nick_W

5:31 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>was numbered 0-5

Damn!

So, how do others do this?

Nick

Nick_W

5:33 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>sessions

A session IS a cookie. If you're talking about PHP then the only time it's not a cookie is when they're disabled and it's passed through the url right?

Or am I missing your point? ;)

Nick

jatar_k

5:35 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



What about using serialize() [php.net] Nick?

mavherick

5:37 pm on Mar 18, 2003 (gmt 0)

10+ Year Member



Using sessions, the cookie value contains a unique identifier (if I remember correctly, the information associated to that unique id is in a dir on your server called something like sessiondata).

So the only thing in your cookie would be a unique id and you use that to retrieve the info associated to it, like your permission level variable for example.

Sorry, I guess I wasn't too clear.

mavherick

Nick_W

5:37 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hooraay!

Superb, thanks Jatar!

So, am I still best dropping the numbered perms or is that cool?

Thanks...

Nick

jatar_k

5:40 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



they are just fine, I use serialize to crunch multiple values into cookies or a single one so they can't mess about with it.

from php.net

Generates a storable representation of a value

then you unserialize [php.net] it to read it.

Nick_W

5:41 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



mavherick,

I get the point on the id thingy. That's just what I'm doing. The id is stored for 6mts but when a user logs in, the other stuff I need such as user name, email and perms level will be pulled and put into 1hr cookies.

I don't want folks to have to re-enter passwords every time they want to edit/contribute...

Thanks for all your help ;)

Nick

Nick_W

5:42 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Jatar,

Yeah, read that bit. Just checking, you know I'm not the brightest sometimes!

Cheers

Nick

brotherhood of LAN

5:48 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



just wondering, what's the permissions for Nick? Maybe for editing articles?

Jus' wondering what degree of paranoia we are operating on here ;) I guess there is a consensus that any data from cookies can't be deemed reliable, nonetheless I'm sure someone would correct me if I'm wrong.

If no one but you knows why these permissions are set it seems OK that no one would be able to crack them....

Nick_W

5:52 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, different editing rights.

Add to blog/comment on article premoderated
Add to blog/comment unmoderated
Approve blog/article entries

etc, etc....

Nick

brotherhood of LAN

5:57 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



k call me paranoid then ;) Maybe not as needy of security as CC transactions but what gsx says makes alotta sense. If you send a cookie with X permissions one day, then I have permissions another day, it could be fairly easy to suss what the other permissions are.

maybe use a few variables as a "salt" or something....that 0-5 stuff sounds risky....more so depending on your php setup...

jatar_k

5:59 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you could also use words instead too, would make it much more difficult to figure.

Nick_W

6:00 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>that 0- 5 stuff sounds risky

Not if I'm using serialize() though according to Jatar...?

Nick

jatar_k

6:01 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I see what BOL means, possibly easy to recognize the serialized value when your permissions change. Like he says, depends on the level of paranoia needed. ;)

Nick_W

6:03 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, I'm probably well above myself already but in for a penny, in for a pound right?

Okay, I'll 'word' them. Hell, I see no reason why I can't even alter the names of the "ENUMS" in the DB from time to time ;)

Thanks a lot everyone, much appreciated..

Nick

andreasfriedrich

11:53 pm on Mar 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I like to keep the cookie as simple as possible. It just contains a session id. Everything is stored on the server. A session id is invalidated after say 10 minutes of inactivity. This makes messing around with the session id and effecting anything on the server rather hard.

Andreas

FourDegreez

8:53 pm on Mar 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I agree with andreasfriedrich. The cookie should only contain a session string- something long and random, like DjDo3Ckd49dCcdQneqe03dudE0dnWIdo2XnvoP2ncJcNvDo3newDSj, and different for every session. That value should be a key to the rest of the data, stored on the server. Even if the cookie is only stored in memory (not on the hard disk), it can be manipulated by someone who knows what he's doing. Never store sensitive data there!

Nick_W

6:56 am on Mar 20, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I can of course see the point, but the problem is that every time you want to print the guy's username or other details you have to make a db call...

Nick
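
The two designs discussed in this thread, side by side, as an added example that is not part of any original post: a permission level carried in a serialize()d cookie, and a cookie that holds only a random session id with the data kept on the server. The function names, the in-memory `$store` and the sample user are assumptions made for illustration; `$store` stands in for PHP's session files or a sessions table.

```php
<?php
// Added example; sess_new(), sess_get(), $store and the sample user are hypothetical.

// --- Design 1: permission level serialized into the cookie ---
$cookie = serialize(['user' => 'nick', 'perms' => 1]);
// serialize() is an encoding, not encryption or a signature: the level
// sits in the cookie as a readable integer token.
$edited = str_replace('i:1;', 'i:5;', $cookie); // what a client-side edit amounts to
// allowed_classes=false stops object instantiation from untrusted input.
$naive = unserialize($edited, ['allowed_classes' => false]);
// Nothing in $naive tells the server that the level was changed.

// --- Design 2: cookie holds only a random id, data stays on the server ---
const IDLE_LIMIT = 600; // 10 minutes of inactivity, as suggested in the thread

function sess_new(array &$store, array $data, int $now): string {
    $id = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    $store[$id] = ['data' => $data, 'seen' => $now];
    return $id; // this is the entire cookie value
}

function sess_get(array &$store, string $id, int $now): ?array {
    if (!isset($store[$id])) {
        return null; // unknown or altered id
    }
    if ($now - $store[$id]['seen'] > IDLE_LIMIT) {
        unset($store[$id]); // invalidate on the server, not just in the browser
        return null;
    }
    $store[$id]['seen'] = $now; // sliding inactivity window
    return $store[$id]['data'];
}

$store = [];
$t0 = 1000000; // constructed timestamp so the run is repeatable
$sid = sess_new($store, ['user' => 'nick', 'email' => 'nick@example.test', 'perms' => 1], $t0);

var_dump($naive['perms']);                        // edited cookie value is trusted as-is
var_dump(sess_get($store, $sid, $t0 + 60));       // server-side copy, unaffected by the client
var_dump(sess_get($store, $sid . '0', $t0 + 60)); // altered id matches nothing
var_dump(sess_get($store, $sid, $t0 + 661));      // idle longer than IDLE_LIMIT: invalidated
```

The stored array carries the user name and e-mail along with the permission level, so a page render reads them from the session store rather than querying the user table each time.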