The problem is that the cookie is in the visitor’s machine and is available easily and anyone can edit it.
Imagine my id is "Peter". I’m on your site, with login. I’ll take a look at Cookie and see inside "id = Peter".
I’m going to ask a colleague what his id is, he’s going to tell me what it is (for example) "maximo". I will put a cookie with "id = maximum" and I could connector myself like it.
It’s not very safe ...
This requires that the cookie contains enough information for you to know who is logged in (not only your id, but also other information that you can mix to check if they are correct, for example visitor id, your age, your zip code etc ...) and also that the cookie is encrypted.
The difficulty is that you cannot have an asymmetric encryption because you will have to read the cookie to carry information.
Therefore, you must determine what you need to store, prepare the data as a string, encrypt the string and place it in the cookie.
After reading, you will have to decipher the cookie and remove the "string" and check the integrity. You can for example encrypt according to the date of presentation of the Cookie, the location of the visitor etc ... So if someone managed to "break" the cookie, he will also need to know the geographical location of which he wants to usurp identity, which quickly becomes complicated.
Here is a small class of encryption that can help you. I obviously can’t show you the full path I use to encrypt my cookies.
class Chiffrement
{
// Cipher:
// cast-128 gost rijndael-128 twofish arcfour cast-256 loki97 rijndael-192
// saferplus wake blowfish-compat des rijndael-256 serpent xtea blowfish
// enigma rc2 tripledes
// Modes:
// cbc cfb ctr ecb ncfb nofb ofb stream
private static $cipher = MCRYPT_RIJNDAEL_256; // Cipher
private static $mode = 'cbc'; // Mode (blocoss)
public static function crypt($data,$key)
{
$keyHash = md5($key);
$key = substr($keyHash, 0, mcrypt_get_key_size(self::$cipher, self::$mode) );
$iv = substr($keyHash, 0, mcrypt_get_block_size(self::$cipher, self::$mode) );
$data = mcrypt_encrypt(self::$cipher, $key, $data, self::$mode, $iv);
return base64_encode($data);
}
public static function decrypt($data,$key)
{
$keyHash = md5($key);
$key = substr($keyHash, 0, mcrypt_get_key_size(self::$cipher, self::$mode) );
$iv = substr($keyHash, 0, mcrypt_get_block_size(self::$cipher, self::$mode) );
$data = base64_decode($data);
return mcrypt_decrypt(self::$cipher, $key, $data, self::$mode, $iv);
}
}
I will complete to answer on the comet: in the case of databases, sessaos, it is very difficult to know where the data are. And really, it doesn’t matter. If a person can make an SQL injection, they don’t need to know "exactly where" the data is: they need to know how to read the data. And enough.
So, think that everything is fine because the data is not on the server and a joke: what you need and protect the lit, then, avoid "give the key to the house". The difficulty is that the visitor... must have the key to access! It means that the key will be in the browser.
The major problem is the link between the key and the data and the main question is "how to avoid copying the key and, worse, how to prevent a person understanding the key system to make a copy equal to what looks the same".
Analyzing the Cookie in your browser allows you to easily see that it has that are not protected: vc will var your id for example. With a type software https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=fr you can modify the cookie.
This means that you need to modify the cookie to avoid modification, put but that the Id, create a link between the cookie data.
The goal will never be to put all the info on the cookie: the goal is to prevent the cookie modification and have the ability, on the server side, to know that the key this coreta. Then, with a coreta key, reading the BDD data is easy.
Saving the user ID is sufficient.
– bfavaretto
Check the following in the browser console
console.log(StackExchange.options.user)
– brasofilo
@bfavaretto, if I keep something beyond the ID, it’s bad?
– ptkato
@Patrick only makes it worth saving something that has no importance to be accessed by the customer (such as browsing preferences, etc.). The rest is better to stay in the session anyway, so the client’s browser has no way to access the data. If you want to make the session a little more robust, you can associate with it the current IP of the user for example (beware of side effects, however).
– Bacco
You can even save password to cookie or Session as long as it’s encrypted. The advantage of saving this data in cookie, in client or server, is to save resources of connection with database in all requests that require and identification and authentication.
– Daniel Omine