cookie security

         

nVee

10:00 am on Feb 11, 2010 (gmt 0)

10+ Year Member



Hey Guys

I'm busy with my logic script and I am giving the user the ability to either just log in for a session (normal session usage) or "remember me" which then creates a cookie. Now I have the session thing under control.

Once the user has been authenticated, I create a session variable for username, active (which is 1) and then one called $_SESSION["id"] = session_id();

On each page I authenticate the user by checking if the $_SESSION["username"] matches the username in the database and also check if the $_SESSION["id"] is in fact the session_id(); With this, I feel the security is a little stronger than just checking the session exists or just checking a username.

Now for the cookie I want to do something similar. I have already setcookie("username",$username) but I am not sure if there is a PHP command to check if the cookiename is the same as a cookie_id(). Is there even something called cookie_id? Would it matter seeing that the user can gain access to it anyways? What is the best form of security using cookies?

Matthew1980

10:12 am on Feb 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there nVee,

Welcome to the forum!

Are you wanting to just check to see if the cookie that is set has the correct data stored in it that you set? If so, the easiest way to do this is:


if (isset($_COOKIE['username']) && ($_COOKIE['username'] === $username)) {
    // yes it has the value I expected
} else {
    // NO the cookie is wrong!
}


Hope that is a little clearer now..

Cheers,

MRb

nVee

12:30 pm on Feb 11, 2010 (gmt 0)

10+ Year Member



Thank you Matthew. My question is a little more complex. I am more asking on a way to secure my cookies a little more.

I know way too little about headers to know what a hacker can gain access to. I however do know that with certain Firefox plugins, it's not difficult to manipulate header information before it gets sent, so the scenario I see here is:

Hacker gains access to a cookiefile's content. He then attempts a login, but before it is processed, manipulates the content before it gets sent, obviously now with the user's cookie info. The server does not know better, and checks if the cookie username is in fact the same, and if it is, Bob's your uncle, he is in :) I'm not sure if this makes sense, and if it is as simple as described, but I am working on a project for a client which has the potential to get a lot of traffic, and I would like to avoid embarrassing scenarios.

What I am looking for is a way to secure my cookies a little more. One way I came up with, and hope someone can expand on my idea, maybe see if it is worth the time, is:

if ($user_is_authenticated) {
    $rand = rand(0, 1000000);
    setcookie("db_id", $rand, time() + 7200);
    $dbstore = md5($rand);
    // SQL QUERY TO UPDATE $dbstore to the users database entry under cookie_id
}

Now when a user wants to return:

if (isset($_COOKIE["db_id"])) {
    // connect to db, and get last cookie_id
    $cookie_db = $result["cookie_id"];
    $cookie_local = md5($_COOKIE["db_id"]);
    if ($cookie_local === $cookie_db) {
        // USER has the correct cookie value, let him through
    } else {
        // nice try ... :)
    }
}

Now this sounds like a lot of work, and if it is more secure, I guess it's worth doing it this way, but I would assume that a hacker would know how to encrypt the cookie db_id and just use that value to validate his login, I don't know...

Any suggestions?

Matthew1980

12:53 pm on Feb 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there nVee,

Well, you're certainly going about it the right way. I do the same thing with the cookie data by creating a random string by mixing 2 arrays and then shuffling the output to make the value different every time a user logs in. I store this value, along with the first 3 letters of the username, and add that to the end of the string with a separator - something like a * or -, just so that I can use strrchr to isolate the data.

Then add the data to the database. It's just a matter of preference whether you md5() it; for debug, personally I don't. Once the system is ready, just for the extra measure, I add the encryption.

So in answer to your question, the example you have given will do the trick. From as much as I know, nothing is bulletproof. Other than what's been discussed I don't know of any other method of making cookies more secure, but just having a random value (same as the db) and the user's password, should be good enough, if anyone can correct me I would be much obliged...

Cheers,

MRb
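
The scheme discussed in the posts above (a random value in the cookie, its hash in the cookie_id column, a comparison when the user returns), written out as an added example that is not code from any poster. It goes one step further by rotating the token each time it is used. The in-memory $db array, the "remember" cookie name and the function names are assumptions, and usernames are assumed not to contain ':'.

```php
<?php
// Added example, not from the thread. $db is a constructed in-memory stand-in
// for the users table; 'cookie_id' mirrors the column named in the post.
$db = ['nVee' => ['cookie_id' => null, 'cookie_expires' => 0]];
const REMEMBER_TTL = 7200; // same lifetime as the post's time()+7200

// Issue a token at login: the raw value goes to the browser, only its hash is stored.
function issue_remember_token(array &$db, string $username): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG instead of rand()
    $db[$username]['cookie_id'] = hash('sha256', $token);
    $db[$username]['cookie_expires'] = time() + REMEMBER_TTL;
    return $username . ':' . $token;
}

// Validate a returning cookie; on success rotate the token so each value works once.
function check_remember_cookie(array &$db, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db[$parts[0]]['cookie_id'])) {
        return null; // malformed cookie, unknown user, or no token on record
    }
    [$username, $token] = $parts;
    $row = $db[$username];
    $ok = hash_equals($row['cookie_id'], hash('sha256', $token)) // constant-time compare
        && $row['cookie_expires'] >= time();
    return $ok ? issue_remember_token($db, $username) : null;
}

// Send the cookie with the flags that limit where it travels (options array: PHP 7.3+).
function send_remember_cookie(string $value): bool
{
    return setcookie('remember', $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,  // HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed walk-through: issue, accept once, then present stale and forged values.
$cookie  = issue_remember_token($db, 'nVee');
$rotated = check_remember_cookie($db, $cookie);
var_dump($rotated !== null);
var_dump(check_remember_cookie($db, $cookie));
var_dump(check_remember_cookie($db, 'nVee:' . str_repeat('0', 64)));
```

Because only the SHA-256 hash is stored, a leaked users table does not yield working cookie values; a cookie copied from the browser is still accepted until it is used or expires, which is what the Secure and HttpOnly flags are there to limit.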

rocknbil

7:58 pm on Feb 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, don't forget - sessions are indeed cookie based, that is, the only way you keep a connection between a user's browser and the session on the server is via the PHPSESSID cookie. If cookies are not supported, this is appended to the query string.

With that in mind, as always, "less is more." I'd do all the work in sessions only, giving the PHPSESSID cookie as the only point of entry for potential abuse. PHPSESSID values are encrypted, it would be difficult (but not impossible) to use this alone to manipulate a login session by changing the value.