
How can someone re-use cookies?

In my login application, if a user wants to remember his login information, I set the following two cookies:

setcookie( "userid", "my_name", time()+3600*24*30, "/", "mydomain.com" ); 
setcookie( "login_key", "d776a29aba831a7d71e964256c3e1817", time()+3600*24*30, "/", "mydomain.com" ); 

Now, if the user has stored login info on a public computer, anyone can see the cookies very easily.

Now my question is: if someone accesses these cookies, how can he use them on another computer? Would it be as easy as setting up a PHP file and adding the above lines to it? Or is it possible but not easy?

PS. The login_key is not a password, but it's always the same.


There are browser add-ons which let users edit cookies:

https://addons.mozilla.org/en-us/firefox/addon/add-n-edit-cookies/

If the hacker gets some cookies, they just use some kind of browser add-on, as stated above, and try to set the cookies which they have.

There's really no way to get complete protection against this, but you can rely on the HTTP_USER_AGENT up to some extent.

<?php

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

?>

More here. You can also compare the IP address (but many will use the remember-me option, and home users generally have dynamic IPs).


Yes, that is the downside of cookies. Your login_key, I assume, is talking to your database, right? If so, store additional info in the database for that key, such as IP and user agent, then compare them as well to try to restrict login from another computer.


It's very easy. You just go to your browser's cookie storage and modify it. Thereafter your browser owns the cookie as much as its original recipient did.

In my case (Chrome 12), cookies are stored in C:\Users\PJ\AppData\Local\Google\Chrome\User Data\Default. Opening this file with a hex editor shows me it's an SQLite database, which can be accessed and modified pretty easily.

Indeed, the whole point behind cross site scripting (XSS) attacks is to get your session cookie, store it in the attacker's browser and thus hijack the victim's session.


It is possible to edit a cookie, in fact it's not just possible but easy. You should always assume users have this ability.

In general it's best to store the values encrypted with a key which you only store on the server. That way they can see the cookie, but they can't alter it because they don't have the private key on the server. That would be my recommendation at least.

You could also only store a UUID in the cookie, and then store the persistent info (such as login name, login time etc) in the database.
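The second suggestion above, carried through as an added example (not code from the question or any answer): the cookie holds only a random selector and validator, the user data stays server side, and the token is rotated on each use. The "database" is a constructed in-memory array; a real application would use a table with the same columns.

```php
<?php
// Added example: remember-me token with a random selector/validator pair.
// The store stands in for a database table and is constructed for this demo.

const COOKIE_TTL = 3600 * 24 * 30;

// Issue a token. The cookie carries the raw validator; the store keeps only its
// SHA-256 hash, so a leaked database does not yield working cookies.
function issueRememberToken(array &$store, string $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + COOKIE_TTL,
    ];
    return $selector . ':' . $validator;
}

// Check a presented cookie and return the user id, or null. A valid token is
// consumed and replaced, so a copy taken earlier stops working after the
// legitimate owner's next visit.
function consumeRememberToken(array &$store, string $cookie, int $now, ?string &$newCookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                      // unknown selector: nothing to compare
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < $now
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;                      // expired or wrong validator (constant-time compare)
    }
    unset($store[$selector]);             // single use: rotate on every login
    $newCookie = issueRememberToken($store, $row['user_id'], $now);
    return $row['user_id'];
}

// Demo: the owner logs in with the cookie, then a copy of the same cookie is replayed.
$store  = [];
$now    = time();
$cookie = issueRememberToken($store, 'my_name', $now);
$copy   = $cookie;                        // the value someone could lift from the profile
$fresh  = null;
echo "owner:  ", consumeRememberToken($store, $cookie, $now, $fresh) ?? 'rejected', "\n";
echo "replay: ", consumeRememberToken($store, $copy, $now, $fresh) ?? 'rejected', "\n";
// In the real app: setcookie('remember', $fresh, $now + COOKIE_TTL, '/', 'mydomain.com', true, true);
```

The final setcookie call sets the secure and httponly flags, so the cookie is only sent over HTTPS and is not readable from page scripts; detection of a stolen copy comes from the replay being rejected once the owner has logged in again.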


If your cookies are just constants that are not bound to a time, IP address, User-Agent string or anything that could be used to determine one computer from another, then anyone who could read them could send them unmodified to your app, and it will not be able to tell the difference between you and that guy. This is just as easy as sending the same Cookie header, which is a trivial task for anyone who could be interested in doing it.

I would recommend reading some articles on securing HTTP sessions first. PHP has a lot of examples on how to properly do it. (Unfortunately, it also has a lot of bad examples, so be careful.)
