We have created a database driven website using PHP with set cookies and now need to prevent HTTP spoofing, any ideas on how to do this? we are beginners with this so any help would be greatful
Spoofing of what? HTTP is just a protocol for transferring data, it's not really something itself would be spoofed.
The thing to do is not to prevent spoofing of information, but to simply never trust the client. In terms of cookies, store a hashed pseudo-random value that you compare against the database before accepting the cookie data.
UPDATED:
Given that it is specifically cookies that you're concerned about, I'll go a little more in-depth. There are two main things to concern yourself with when storing cookies.
- Do not store the actual data
- Validate against the database
So let's say you want to have a site with users where you store personal data. In the cookie, you can store the username or user ID and a hashed security token that is also stored in the database when the user logs in. The security token is not going to be knowable, and will change with each login. Any personal information stays in the database, never in the cookie.
Some more reading on best practice: http://jaspan.com/improved_persistent_login_cookie_best_practice
If you want to prevent man-in-the-middle eavesdropping, you may want to use HTTPS, which creates a secure channel over the network, provided that adequate cipher suites are used and that the server certificate is verified and trusted.
Note: The original question was ambiguous. It is now clear that the question is about cookie spoofing.
You cannot "spoof" HTTP requests. You send a request to the server, and the server responds appropriately.
I think what you are trying to prevent is cookie spoofing. Considering that cookies are stored on the client-side, there is nothing you can do to prevent users from modifying theirs contents.
Do not store sensitive information in your cookies. They are not secure and easily read and modified by the client.
Use PHP sessions instead. The full explanation on how sessions work and how to keep them secure can be read in one of my previous answers.
Essentially, securing sessions is done on two fronts:
Preventing session fixation
Regenerate a newsession_id
every X number of requests in order to reduce the amount of time an attacker has to steal the id.Uniquely identify the client
Use the IP and/or the User-Agent to uniquely identify the client and check that value on every page load against the ones stored in the session. This is really the only two choices you have to uniquely identify the client.
Even with that in place, no solution is fool-proof and once your session_id
is compromised, you are pretty much done for.
Again, for an in-depth explanation, please see my previous answer.
Spoofing? The only real problem with compromised identity is cookie theft.
What you could do is, whenever a cookie is sent over the HTTP headers, to check this against the IP address it was issued to. For instance:
<?php
session_start();
$rec = db_query('select count(*), ip from session where session_id = "' . session_id() . '"');
list ($last_count, $last_ip) = $rec[0];
if (! $last_count) {
# add it into the database
db_query('insert into session (session_id, ip) values (' .
'"' . session_id() . '", ' .
'"' . $_SERVER['REMOTE_ADDR'] . '"' .
')');
} else {
if ($last_ip != $_SERVER['REMOTE_ADDR']) {
print "user has stolen a cookie!";
}
}
?>
But this can have a negative effect on people whose ISP issues them a dynamic IP address.
I know this has been answered but I want to add another technique which I use, its particularly useful for administration logins. Use sessions as usual but add directory protection to the mix.
That way if a session is hijacked the hijacker must also be able to get the directory login.
I use this technique for forum administration. certain forums are readily hacked and this reduces the chance of a hacker getting in and causing serious issues.
DC