I am trying to set a cookie using PHP, so it's the same as the one output by the Perl code below:

my %auth;
$auth{'username'} = $username;
$auth{'password'} = $password;
my $wholesaleauth = $co->cookie
(
 -name=>'wholesaleauth',
 -value=>\%auth,
 -expires=>'+1h',
 -path=>'/'
);

Now I do not know Perl and all and do not want to change the Perl code. I need to basically mimic the cookie. When I look at the cookie in my Chrome cookie management it says the value is:

password&PASSWORD&username&USERNAME

I am trying to basically mimic that but in PHP.

+1  A: 

That cookie doesn't look quite right. What library are you using in Perl (the $co->cookie parts)? I'd suggest CGI::Cookie in Perl:

http://perldoc.perl.org/CGI/Cookie.html

Then you can get cookies in PHP via the $_COOKIE['cookiename'] variable, and set them via setcookie:

http://php.net/manual/en/function.setcookie.php

sdcoder
I am just looking at the script I am working with. I did not write it, I do not know any Perl at all. Basically I am rewriting the login using PHP but then it will redirect to the Perl code with a set cookie.
mikelbring
+2  A: 

Not tested, and $value is made up. Put in your own $value.

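$username = "username";
$password = "password";
$auth = array();
$auth['password'] = $password;
$auth['username'] = $username;
// "&" needs no backslash in a PHP string; "\&" would put a literal backslash into the value
$value = "password&" . $auth['password'] . "&username&" . $auth['username'];
// setcookie() has to be called before any output is sent, so echo afterwards
setcookie("wholesaleauth", $value, time() + 3600, "/");
echo $value;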

See the PHP manual for more info.

ghostdog74
Didn't seem to work, adds %'s into the content for the cookie.
mikelbring
@mikelbring: Those `%`s are part of the standard way to encode strings (see http://en.wikipedia.org/wiki/Percent-encoding). I am left to wonder why you are in charge of coding anything related to web site security as you seem not to know enough to know what you don't know.
Sinan Ünür
I was wondering myself why the Perl script puts the username and password into the cookies, but that is something I cannot change. I am simply making a PHP front door to the Perl script, where the user logs into the site using PHP and is able to do various user-related functions (change password). I needed to be able to replicate the cookies the Perl uses for user auth so the user can go to that part of the site without re-logging in.
mikelbring
+3  A: 

I understand you are only trying to port the existing script. However, assuming those are really the user name and password people used to log in to the site, I would say you have a major security hole.

Other than that:

#!/usr/bin/perl

use strict; use warnings;

use CGI::Cookie;

my %auth;
$auth{'username'} = 'not safe';
$auth{'password'} = 'get me outta here';

my $wholesaleauth = CGI::Cookie->new(
    -name=>'wholesaleauth',
    -value=>\%auth,
    -expires=>'+1h',
    -path=>'/'
);

print "Set-Cookie: $wholesaleauth\n";

Outputs:

Set-Cookie: wholesaleauth=password&get%20me%20outta%20here&username&not%20safe; path=/; expires=Thu, 14-Jan-2010 08:05:12 GMT

Cookies work in a common way regardless of the language or library used to construct or output them.

See also the section titled drawbacks of cookies.

Sinan Ünür
+1 Always important to understand the underlying protocol itself when trying to make something work in code. Glad you posted the link to Wikipedia...and I'm sure it references the original RFC.
AJ
I already informed the client that the Perl code wasn't very secure when I noticed it stores the password and username in the cookie, but they don't have the budget for a full rewrite so this is what I have to work with. Plus I do not know Perl, just making a user interface in PHP.
mikelbring
@AJ: For reference, I think cookies are described in http://www.faqs.org/rfcs/rfc2965.html
Sinan Ünür
A: 

I was able to get it to work properly, but using setrawcookie instead. That does not use percent-encoding, and the result was identical to the cookie set by the Perl code.

mikelbring
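
Added example (not from the original thread or the client's Perl code): the approach of the last answer in PHP, building the value in the key&value&key&value form shown in the Set-Cookie output above and sending it with setrawcookie so it is not encoded a second time. The helper names are hypothetical, rawurlencode is assumed to match the Perl side's escaping for the characters shown on this page, and the Secure flag assumes the site is served over HTTPS.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

/**
 * Serialise an associative array as key&value&key&value.
 * Each key and value is percent-encoded on its own, so a "&" or ";" inside
 * a password cannot be mistaken for a field separator by the reader.
 */
function wholesale_cookie_value(array $pairs): string
{
    $parts = [];
    foreach ($pairs as $key => $val) {
        $parts[] = rawurlencode((string) $key);   // space becomes %20, not "+"
        $parts[] = rawurlencode((string) $val);
    }
    return implode('&', $parts);
}

/** Inverse of the above, for checking what a raw cookie value decodes to. */
function wholesale_cookie_parse(string $raw): array
{
    $items = array_map('rawurldecode', explode('&', $raw));
    if (count($items) % 2 !== 0) {
        throw new InvalidArgumentException('cookie value has an odd number of fields');
    }
    $out = [];
    for ($i = 0; $i < count($items); $i += 2) {
        $out[$items[$i]] = $items[$i + 1];
    }
    return $out;
}

// Constructed sample values, the same ones used in the Perl answer above.
$value = wholesale_cookie_value([
    'password' => 'get me outta here',
    'username' => 'not safe',
]);

if (PHP_SAPI !== 'cli') {
    // setcookie() would percent-encode the "&" and "%" again;
    // setrawcookie() sends the already-encoded value untouched.
    // Secure + HttpOnly: the value carries credentials, so keep it off
    // plain HTTP and out of reach of page scripts. Only name=value is
    // sent back to the server, so these attributes do not change what
    // the Perl side reads.
    setrawcookie('wholesaleauth', $value, time() + 3600, '/', '', true, true);
}
```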