[TUTORIAL] PHP - Security with Cookies

RageD · 08-28-2008, 06:14 PM

Another quick tutorial I decided to write not so long after my last one. A question (or comment really) I always here is, "Why do you use cookies? They're so insecure."

Even though cookies are clear text and can be easily altered, this is not necessarily true. If your code checks in a somewhat redundant fashion, you should have no security issues at all!

Well, let's start with a functions.php file to create the login/logout functions and we'll work our way from there

This is more of an intermediate tutorial so I'll be assuming you know the basics of PHP at the bare minimum. So, what we'll do here (examine the code to figure out exactly) will be calling the cookie and during our "check" function will be checking the cookie redundantly against the database, etc.

functions.php

PHP Code:

  <?php

/**

 * Secure Cookies Tutorial by RageD

 * (C) 2008 RageD

 *

 */

if(!defined("IN_SCRIPT"))

{

    print "Unauthorized Access";

    exit;

}

 
class Cookie

{

    /**

     * Error variable...

     *

     */

    var $err = '0';

 
    /**

     * Constructor :)

     *

     */

    function __construct()

    {

        // I normally code a MySQL connector function in my scripts which would

        // work like $this->GLOBALVAR->connect();

        // But since this is a snippet, we'll just be using the basics

        mysql_connect('localhost','USER','PASS');

        mysql_select_db('DATABASE');

        

        // See if we have any errors connecting...

        if(mysql_error())

        {

            $err++;

        }

 
        // Report errors

        if($err > 0)

        {

            print "We've encountered a MySQL Error!<br /><br />".mysql_error();

            exit;

        }

    }    

 
    /**

     * Login function, stores cookies, etc.

     *

     * @param $name

     * @param $pass

     * @bool $enc (true/false)

     */

    function login($name,$pass,$enc='true')

    {

        // Convert pass to md5 if encryption enabled. By default, it is.

        if($enc == true)

        {

            $pass = md5($pass);

        }

 
        // Now, let's continue! Query #1: Finding information :)

        $query = "SELECT * FROM users WHERE name='".$name."' AND pass='".$pass."' LIMIT 1;";

        $result = mysql_query($query);

 
        // Make sure the information given is valid

        if(mysql_num_rows($result) == 0)

        {

            print "Uh-oh! Incorrect login information.";

            exit;

        }

 
        // Passed the test, now set it...

        setcookie("PRACTICE[name]",$name, time()+3600); // Define the cookie. Let it expire after an hour

        setcookie("PRACTICE[pass]",$pass, time()+3600); // This is why encryption is recommended stores pass

    return;

????: NamePros.com http://www.namepros.com/code/508547-tutorial-php-security-with-cookies.html
    }

 
    /**

     * Logout function

     *

     * Deletes cookies :)

     *

     */

    function logout()

    {

        setcookie("PRACTICE[name]","", time()-10); // Send the cookies back, they forgot the milk! :(

        setcookie("PRACTICE[pass]","", time()-10); // No, seriously. The time()-10 means they expired 10 seconds ago

    }

 
    /**

     * Check function

     *

     * Finally, the security comes into play :)

     *

     */

    function check()

    {

    // Make sure a cookie is set too xD

    if($_COOKIE['PRACTICE']['name'] AND $_COOKIE['PRACTICE']['pass'])

    {

            // Redundancy is beautiful *tear*

            $query = "SELECT * FROM users WHERE name='".$_COOKIE['PRACTICE']['name']."' AND pass='".$_COOKIE['PRACTICE']['pass']."' LIMIT 1;";

            $result = mysql_query($query);

        

            // Check.. Grr.. They tried to pull a fast one :-| or something bugged?! :(

            if(mysql_num_rows($result) == 0)

            {

                print "Session Expired.";

            $this->logout();

                 exit;

            } else {

                    if($_COOKIE['PRACTICE']['name'] AND $_COOKIE['PRACTICE']['pass'])

????: NamePros.com http://www.namepros.com/showthread.php?t=508547
                    {

                        print "It worked!"; // Probably can comment this out :)

                    }

        }

        }

    }

}

?>

Here's the index.php file to make this all come together a little bit.

index.php

PHP Code:

  <?php

/**

 * Secure Cookies Tutorial by RageD

 * (C) 2008 RageD

 *

 */

// Script security :)

define("IN_SCRIPT", true);

require_once("functions.php");

 
// Define $session var for use of the "Cookie" class

$session = new Cookie;

$session->login("USER","PASS","false"); // Login :)

$session->check(); // Check

print "<br /><br />Let's print our cookie information:<br />Username: 

      ".$_COOKIE['PRACTICE']['name']."<br />

    Password: ".$_COOKIE['PRACTICE']['pass']."";

 
/**

 * I understand there are better ways to implement this into a script

 * However, my intent was to show the basics so people understand how

 * it all works. Other uses of the "Cookie" class (defined as $session) 

 * are below:

 *

 * $session->check(); // Will check cookies against DB

 * $session->login(USERNAME,PASSWORD,"true/false") // Enc should be 

 * either true or false. "True" recommended

 * $session->logout(); // Will obviously log a user out.

 *

 */

 
?>

To test this script, use this simple database.sql file for the database structure used here:

Code:

CREATE TABLE users (
  `id` BIGINT(10) NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(32) NOT NULL,
  `pass` VARCHAR(32) NOT NULL,
  PRIMARY KEY (`id`)
);

Well if there are any questions or anything, just let me know. This is just a basic overviewing kind of assuming a lot from you guys

so contact me with anymore questions!

-RageD

tansks · 08-29-2008, 08:07 AM

Thanks and rep added.

**-Nick-** · 08-29-2008, 10:24 AM

I will check it out the very first thing in morning

will have to install it on my localhost

Thanks for the nice tutorial and code

RageD · 08-30-2008, 05:33 AM

Thanks for rep guys, hope this helps you

-RageD

3okl · 09-08-2008, 08:25 PM

thanks for good tutorial

RageD · 09-09-2008, 09:41 PM

Sure, glad to be of some service to the community!

Please, if anyone finds any holes let me know so I can patch them

Hack away at this script lol it's encouraged. Security means a lot on the web

-RageD

baxter · 09-15-2008, 08:48 AM

Thanks for sharing

You'll want to make sure you sanitize the cookie data sent as well as the username and password variables prior to sending to prevent sql injections.

I haven't tested it but passing a password variable to this script as:

Code:

null' OR id='1

would complete the sql query as:

Code:

SELECT * FROM users WHERE name='admin' AND pass='null' OR id='1' LIMIT 1;

Cheers,
????: NamePros.com http://www.namepros.com/showthread.php?t=508547

Jay

Peter · 09-15-2008, 12:14 PM

I would certainly contest this being secure.

You should NEVER put passwords in a cookie even if you MD5 it. If someone sees you have MD5'd something they can find out what you have MD5's quite easily (within a couple of hours) on any modern PC. And working out it is MD5'd is very easy considering the length of an MD5'd string.

As you are providing the username and password MD5'd in the cookie any one who manages to cause an MD5 collission can now log into your site when they get the cookie information.

Originally Posted by baxter

Thanks for sharing

You'll want to make sure you sanitize the cookie data sent as well as the username and password variables prior to sending to prevent sql injections.

I haven't tested it but passing a password variable to this script as:

Code:

null' OR id='1

would complete the sql query as:

Code:

SELECT * FROM users WHERE name='admin' AND pass='null' OR id='1' LIMIT 1;

Cheers,
????: NamePros.com http://www.namepros.com/showthread.php?t=508547

Jay

Exactly yet another security hole in this method. The variables should at least be ran through mysql_real_escape_string

Dave · 09-15-2008, 03:48 PM

Peter is right. This is far from being secure.

A good authentication system NEVER stores passwords or any sensitive information in cookies, whether they are encrypted or not. Also guys remember when members register on your sites you should always add salt to any encrypted passwords.

RageD · 09-17-2008, 03:26 PM

Originally Posted by Peter

Exactly yet another security hole in this method. The variables should at least be ran through mysql_real_escape_string

I do this quite often. Actually on my latest project I have a whole SQL_Base class with this function laid within it. As mentioned below, I normally add a salt as well as other sorts of encryptions and tests to run through. But I do see where you're coming from with storing passwords in cookies. Because cookies are clear-text, I don't usually use them myself, but they can still be effective.

Originally Posted by DomainManDave

Also guys remember when members register on your sites you should always add salt to any encrypted passwords.

Good point. On any project I do (mainly sessions, but whatever works) I usually add salts. Not sure why I didn't on this one. Guess I wrote it fairly quickly.
????: NamePros.com http://www.namepros.com/showthread.php?t=508547

-RageD

08-29-2008, 08:07 AM	#2 (permalink)
tansks NamePros Regular Join Date: Dec 2004 Location: Penang, Malaysia Posts: 874	Thanks and rep added. __________________ █ Hostegic - Premium cPanel Hosting [Softaculous \| RvSitebuilder \| R1Soft daily backups \| LiteSpeed] █ [UK] [Linux - cPanel \| Windows - WebsitePanel/Plesk] [Shared Hosting \| Reseller Hosting \| VPS]

08-29-2008, 10:24 AM	#3 (permalink)
-Nick- I'll do it Join Date: Dec 2005 Location: India Posts: 6,927 Follow @keralpatel	I will check it out the very first thing in morning will have to install it on my localhost Thanks for the nice tutorial and code __________________ Delq\|Fhur\|Kegh\|Vhir\|Juhy\|Ruuz\|Jyos\|Jupt\|Vhek Webmaster Blog \| Software Downloads Makeup & Beauty Tips \| Sponsor Ads

09-15-2008, 08:48 AM	#7 (permalink)
baxter NamePros Regular Join Date: Apr 2006 Posts: 363	Thanks for sharing You'll want to make sure you sanitize the cookie data sent as well as the username and password variables prior to sending to prevent sql injections. I haven't tested it but passing a password variable to this script as: Code: null' OR id='1 would complete the sql query as: Code: SELECT * FROM users WHERE name='admin' AND pass='null' OR id='1' LIMIT 1; Cheers, ????: NamePros.com http://www.namepros.com/showthread.php?t=508547 Jay __________________ Canadian Domain Registrar Ready.ca

08-30-2008, 05:33 AM	THREAD STARTER #4 (permalink)
RageD Senior Member Join Date: Apr 2005 Location: Joliet, Illinois Posts: 1,177	Thanks for rep guys, hope this helps you -RageD

09-08-2008, 08:25 PM	#5 (permalink)
3okl First Time Poster! Join Date: Sep 2008 Posts: 1	thanks for good tutorial

09-09-2008, 09:41 PM	THREAD STARTER #6 (permalink)
RageD Senior Member Join Date: Apr 2005 Location: Joliet, Illinois Posts: 1,177	Sure, glad to be of some service to the community! Please, if anyone finds any holes let me know so I can patch them Hack away at this script lol it's encouraged. Security means a lot on the web -RageD

09-15-2008, 03:48 PM	#9 (permalink)
Dave Senior Member Join Date: Jun 2007 Location: NamePros.com Posts: 1,400	Peter is right. This is far from being secure. A good authentication system NEVER stores passwords or any sensitive information in cookies, whether they are encrypted or not. Also guys remember when members register on your sites you should always add salt to any encrypted passwords.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)