Is it easy for anyone to grab your $_COOKIE data?

Do all they need is your cookie file and then the server will just grant them whatever access that cookie stores? Or is there more to it than that? Because I plan to md5 some cookie data but want to make sure it isn't very easy f开发者_StackOverflow社区or someone to grab that data and mimic it.

Your question is confusing. A cookie is information stored on the client's computer that's sent to the server on every request (typically the one that instructed the client to store it, but not necessarily).

Therefore, anyone which intercepts the cookie while it's being sent by the server to client (for storage) or by the client to the server can reproduce the cookie (hence, the server will get the value for $_COOKIE).

Unfortunately, cookies frequently store information that, if intercepted, allows an attacker to impersonate another user. To avoid interception, https must be used. Interception is not trivial for the casual attacker (except on unprotected WiFi networks), but it's within reach for governments, ISPs and network administrators.

But your question raises bigger concerns:

Because I plan to md5 some cookie data but want to make sure it isn't very easy for someone to grab that data and mimic it.

Depending on what exactly this means, this may be a very insecure setup. A cookie can forged by any client, i.e., it can be sent even tough the server never told that specific client to store that cookie. So if you're doing something like storing in the cookie values like md5('is_admin:1'), know that anyone can forge that data, despite the md5 hash (as long as he can infer its format).

Yes, everyone who sniffes anyone's cookie can use them, unless you're using https protocol. However, even if it's FTP and attacker has direct access to that machine, he can use these cookies without problems, too. You can secure them by https or check ip address/exact user agent match.

A cookie is simply something which is sent as a part of the request by the client to the server. It is possible, then (theoretically), to transfer it from one browser to another, synchronize it in some central location, etc. If someone is able to read another's cookies then that person is fully able to "steal" the credentials.

In this particular case, there is a lot of security which can be added by use of the HTTPS encryption protocol. But, even there, depending on the implementation of the browser, if the user's computer is compromised and the cookie files themselves are copied, it is theoretically possible to break through even that. Of course, if a user's computer is compromised, there really isn't much which can be done.

Your best bet is to use HTTPS. Once that is done, then you have done everything you can to secure the connection and the cookies related to it.

Yes, the session token cookie is usually all that is needed. In most application, if a session token is compromised then the session can be hijacked and the user can be impersonated.

To answer your second question, it can be very easy or very difficult for cookies to be intercepted and compromised. Depending on how you protect them.

The primary defense for protecting cookies is using SSL/TLS to encrypt the connection between the client and server. If you are transmitting cookies without SSL/TLS then anyone on the same network or who can see a network between the two can see that cookie in plaintext and use it. So, if you care about cookie security (and session security) USE SSL/TLS.

I am curious.

"Because I plan to md5 some cookie data but want to make sure it isn't very easy for someone to grab that data and mimic it."

What is the point of this? Why would you MD5 data and store it in a cookie if you want to make sure it is protected? If it needs to be protected it needs to stay on the server.