when are cookies sent from the user?
I have a class that has a function, lets say class.php:
class fun {
public function get_cookie() {
$old_cookie = $_COOKIE['mycookie'];
}
public function ssl() {
//redirect from http to https
}
In another php file, lets say index.php:
//include fun class
$fun = new fun;
$fun->ssl();
$fun->get_cookie();
My question is since the function get_cookie is after $fun->ssl() does the user send the cookie encrypted? or since the cookie cod开发者_Python百科e is coded before the $fun->ssl() is executed, the cookie gets sent unencrypted?
Never send anything via cookies which requires encryption.
Regardless of the answer to the actual question posed here, the contents of your cookies should be considered to be publically accessible and insecure.
Firstly, the entire set of cookies for the site is sent (in both directions) with every single web request. So even if you successfully encrypted them with SSL in this particular request, the user would only need to make a plain HTTP request for an image on your site, and he'd transmit them and get them sent back unencrypted.
Secondly, it is not unheard of for cookies to leak between sites. Many cross-site scripting hacks exist which can allow third-parties to get hold of your user's cookies. These would not be stored encrypted on the user's machine, even if they were sent via SSL.
So I'll repeat my initial statement again: never send anything via cookies which you need to keep secure.
The Wikipedia article has a very nice explanation of how cookies work. Basically, cookies are sent along with the request header. So unless the connection is being made via HTTPS
then the cookie is being sent in the clear.
The cookie is sent before your code is running. PHP reads the header, fills the global variable $_COOKIE[] and then executes your code. So if somebody makes a request with HTTP, he will get the cookie unencrypted.
When you create the cookie, you can define, that the cookie is only sent to pages requested with HTTPS. You do this with the functions session_set_cookie_params()
or setcookie()
with the $secure
parameter. Such cookies won't be sent, if a page is requested with HTTP.
精彩评论