The question says pretty much everything. My point is, is the user able to change his cookie's values in order to appear "logged", when he's not really logged?

+1  A: 

So then if I change the user_id=1 do I become the administrator?

What if i type this into the address bar:

javascript:document.cookie="user_id=1"; document.cookie="logged_in=true"

In general it is a horrible idea to re-invent the wheel. Especially when it comes to security, a cookie should always be a very large random value. Whatever platform you are using should have a session handler already built for you.

Rook
A: 

Usually a server generated token is stored in a cookie. When the cookie expires the token is lost and the user needs to sign in again. You can't fake the token. It's not a boolean value stating whether the user is signed in or not.

Jeroen
A: 

Anything you get from the client (including cookies) is unsafe. The safe way is to set a cookie with a random hash, log the hash in the database together with an ID and a timestamp (and perhaps even IP) and then check the incoming cookies against the stored hashes. If you set the cookies to expire after some time, make sure you also reject them on the server if they arrive when they should not.

dark_charlie
-1 do not reinvent the wheel. Writing your own session handler is always a mistake. (unless you're Google and you need a strange session that lasts 50 years. )
Rook
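The server-side scheme Jeroen and dark_charlie describe, as an added example (not code from the thread): the cookie carries only an unguessable random token, the server keeps a table keyed by a hash of that token with the user id, creation time and client IP, and every incoming cookie is looked up and checked for expiry on the server. The in-memory dictionary, the 30-minute lifetime and the IP binding are assumptions for the example; anything the client invents, such as `user_id=1&logged_in=true`, simply has no entry and is rejected.

```python
# Added example, not from the thread above: a minimal server-side session store.
import hashlib
import secrets
import time
from typing import Optional

SESSION_TTL_SECONDS = 30 * 60  # assumed lifetime; pick what suits your application

# Constructed in-memory store. A real deployment would use a database or cache
# keyed the same way: sha256(token) -> {user_id, created_at, ip}.
_sessions: dict = {}


def _token_key(token: str) -> str:
    # Store a hash of the token rather than the token itself, so a leaked
    # session table cannot be replayed directly as cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(user_id: int, client_ip: str, now: Optional[float] = None) -> str:
    """Log a user in: mint a random token, record it server-side and return the
    cookie value to send to the browser."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable
    _sessions[_token_key(token)] = {
        "user_id": user_id,
        "created_at": now,
        "ip": client_ip,
    }
    return token


def user_for_cookie(token: Optional[str], client_ip: str,
                    now: Optional[float] = None) -> Optional[int]:
    """Resolve an incoming cookie to a user id, or None if it must be rejected.
    A value the server never minted (e.g. 'user_id=1&logged_in=true') has no
    table entry and is rejected exactly like a forged random token."""
    if not token:
        return None
    now = time.time() if now is None else now
    key = _token_key(token)
    record = _sessions.get(key)
    if record is None:
        return None
    # Enforce expiry on the server too: the browser's cookie expiry is advisory
    # and a client can keep sending an old cookie after it "expired".
    if now - record["created_at"] > SESSION_TTL_SECONDS:
        _sessions.pop(key, None)
        return None
    # Optional IP binding, as dark_charlie mentions; drop it if your users roam.
    if record["ip"] != client_ip:
        return None
    return record["user_id"]


def logout(token: str) -> None:
    """Invalidate a session on the server; the cookie becomes worthless."""
    _sessions.pop(_token_key(token), None)
```

Note that the user id never travels to the browser: the cookie is a lookup key, not a statement of identity, which is why there is nothing in it for the user to edit.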
+1  A: 

Cookies aren't secure. As others here have pointed out, you shouldn't trust any data received from the client, period. That said, cookies are often used to store Session IDs for logged in users, which is sort of what you're asking.

Signing your cookies will help you detect if they've been tampered with on the client. Basically, you create an HMAC of the keys/values and a secret key, known only to the server. On each request, you re-compute the MAC: if it matches the previous hash, all is well; if not, you reject the request.

For more sensitive data, you can optionally encrypt the cookies. Most web frameworks will allow you to do this transparently using some kind of "middleware" external to your application code, so the signing/validation and encryption/decryption happens for each request.

Also, you should know that simply securing your cookies doesn't guarantee, er...security :) You might still be vulnerable to Cross-site Request Forgeries.

For more information on cookies, check out this article.

elo80ka
thanks, that cleared the whole thing ;)
Rodolfo Palma
@Rodolfo Palma Or you could just store the information on the server side and use a random value like every session handler that comes with your language.
Rook
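The HMAC signing elo80ka describes, as an added example (not code from the thread or from any framework): the key/value pairs are serialised in a fixed order, an HMAC-SHA256 over that payload with a server-only secret is appended, and on each request the MAC is recomputed and compared in constant time. `SECRET_KEY` and the `payload.mac` layout are assumptions for the example.

```python
# Added example, not from the thread above: HMAC-signed cookie values.
import base64
import hashlib
import hmac
from typing import Optional

# Assumed: a long random secret loaded from server configuration
# (e.g. secrets.token_bytes(32)); it must never reach the client.
SECRET_KEY = b"replace-with-32-random-bytes-from-server-config"

_RESERVED = "&="  # separators used by the serialisation below


def _serialize(values: dict) -> str:
    # Canonical key order, so the same values always yield the same MAC.
    return "&".join(f"{k}={values[k]}" for k in sorted(values))


def _mac(payload: str) -> str:
    digest = hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).digest()
    # urlsafe base64 never contains '.', so '.' can separate payload and MAC.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def sign_cookie(values: dict) -> str:
    """Return the cookie value to send: '<payload>.<mac>'."""
    for k, v in values.items():
        if any(ch in f"{k}{v}" for ch in _RESERVED):
            raise ValueError("reserved character in cookie field")
    payload = _serialize(values)
    return f"{payload}.{_mac(payload)}"


def verify_cookie(cookie: Optional[str]) -> Optional[dict]:
    """Return the signed values, or None if the cookie is missing, malformed
    or has been altered on the client."""
    if not cookie or "." not in cookie:
        return None
    payload, _, presented = cookie.rpartition(".")
    # Constant-time comparison, so the MAC cannot be recovered byte by byte
    # from timing differences.
    if not hmac.compare_digest(_mac(payload), presented):
        return None
    values = {}
    for pair in payload.split("&"):
        k, sep, v = pair.partition("=")
        if not sep:
            return None
        values[k] = v
    return values
```

Signing gives integrity only: the browser can still read `user_id=1` in the cookie, and a valid signed cookie copied from one browser is accepted from another, so expiry and logout still need server-side state or a timestamp inside the signed payload. Encrypting, as elo80ka mentions, addresses the readability but not the replay.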