
I have a script that shuffles an array and then stores it in a cookie, so that the array is shuffled only once per user.

Here's the script:

if (isset($_COOKIE['shuffle'])) {
  // Returning visitor: restore the order saved in the cookie.
  // Note that unserialize() here runs on bytes the client sent back.
  $items = unserialize(gzuncompress(base64_decode($_COOKIE['shuffle'])));
}
else {
  // First visit: shuffle once and keep the order in a session cookie.
  shuffle($items);
  $items_serialized = base64_encode(gzcompress(serialize($items)));
  setcookie("shuffle", $items_serialized, 0, "/");
}

Is it safe to do that? Or is there maybe a better way of storing this data? Thanks

UPD. Thanks for helping. What I did was just replace the cookie with a session. So the new code is:

session_start(); // needed before $_SESSION can be read or written

if (isset($_SESSION["shuffle"])) {
  $items = unserialize(gzuncompress(base64_decode($_SESSION["shuffle"])));
}
else {
  shuffle($items);
  $items_serialized = base64_encode(gzcompress(serialize($items)));
  $_SESSION["shuffle"] = $items_serialized;
}
Mark
  • Define 'safe'... If the user has the data, it can decrypt the data. – Willem Mulder Aug 17 '12 at 13:28
  • This sounds suspiciously like caching. Have you looked at actual caching solutions like APC or memcached? – Blake Aug 17 '12 at 13:28
  • Users can disable cookies, also remember that. – The Alpha Aug 17 '12 at 13:29
  • No problem if users have disabled cookies. They just won't get the randomized array. Can I add a salt to the string, so that users can't decrypt it without knowing it? And so that I can decrypt it on the server side, since I will know the salt? – Mark Aug 17 '12 at 13:33
  • [Read this](http://stackoverflow.com/questions/606179/what-encryption-algorithm-is-best-for-encrypting-cookies). – The Alpha Aug 17 '12 at 13:46
  • Ah! You posted sample code this time AND asked a question. – Waygood Aug 17 '12 at 13:47
  • You could save the different permutations in the session: session_start(); $_SESSION['shuffle'] = $shuffledArray; This is safer than using cookies, but a hacker could in principle still hijack the session and access the data that way. Depends on how sensitive your data is. – Asciiom Aug 17 '12 at 13:33
  • You might not need all that encoding and compressing if you are saving to a session, as the session data is never sent anywhere. Only the session ID is sent to the user as a cookie. – T0xicCode Sep 10 '12 at 15:40

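Mark's comment above asks whether a server-side secret (a "salt") can keep the cookie from being read or changed by the user. The following is an added example, not code from the question or from any answer. It keeps the shuffled order in the cookie but appends an HMAC-SHA256 over the payload, so the server can reject a cookie that was modified, and it stores the array as JSON rather than with serialize(), so reading the cookie never calls unserialize() on client-supplied bytes (unserialize() on attacker-controlled input can instantiate arbitrary classes in the application). The secret in SHUFFLE_SECRET, the cookie name, the 4000-byte size cap and the sample $items array are assumptions for the example; it needs PHP 7.3 or later for the options-array form of setcookie().

```php
<?php
// Added example (not the question's code). Assumptions: a secret of at least
// 32 bytes is provided in the environment as SHUFFLE_SECRET, the cookie is
// named "shuffle", and $items is the array to show in a once-shuffled order.

const SHUFFLE_COOKIE = 'shuffle';

function shuffleSecret(): string
{
    $secret = getenv('SHUFFLE_SECRET');               // assumed deployment setting
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('SHUFFLE_SECRET must be set to at least 32 bytes');
    }
    return $secret;
}

// Cookie format: base64(JSON) . hexHMAC-SHA256(base64 text)
function encodeShuffleCookie(array $items): string
{
    $payload = base64_encode(json_encode($items, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, shuffleSecret());
    return $payload . '.' . $mac;
}

// Returns the stored order, or null if the cookie is missing, malformed or forged.
function decodeShuffleCookie(?string $cookie): ?array
{
    if ($cookie === null || strlen($cookie) > 4000) {   // cap before doing any work
        return null;
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, shuffleSecret());
    if (!hash_equals($expected, $mac)) {              // constant-time comparison
        return null;                                  // tampered or wrong key
    }
    $json = base64_decode($payload, true);            // strict: reject stray characters
    if ($json === false) {
        return null;
    }
    $items = json_decode($json, true);                // arrays only, never objects
    return is_array($items) ? $items : null;
}

function shuffledItems(array $items): array
{
    $stored = decodeShuffleCookie($_COOKIE[SHUFFLE_COOKIE] ?? null);
    // Even a validly signed cookie is only reused if it is a permutation of
    // the items the page currently has (the list may have changed since).
    if ($stored !== null && count($stored) === count($items)) {
        $a = $items; $b = $stored; sort($a); sort($b);
        if ($a === $b) {
            return $stored;
        }
    }
    shuffle($items);
    setcookie(SHUFFLE_COOKIE, encodeShuffleCookie($items), [
        'expires'  => 0,          // session cookie, as in the question
        'path'     => '/',
        'secure'   => true,       // HTTPS only
        'httponly' => true,       // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return $items;
}

$items = ['a', 'b', 'c', 'd'];   // constructed sample input
$items = shuffledItems($items);
```

The HMAC makes the cookie tamper-evident, not secret: anyone holding the cookie can still base64-decode the payload and see the order, which is fine for a shuffle but would not be for data the user must not read. Rotating SHUFFLE_SECRET invalidates every outstanding cookie, which the code handles by simply reshuffling.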
1 Answer

Since asking the question you appear to have updated it with a secondary answer.

A downside of storing data in a cookie is that it is stored on the client's PC in clear text (unless encrypted server side first). Even if you do encrypt the data, there is always the potential that a user will manage to decrypt it. Depending on the cookie's time to live, there is also a possibility that the cookie will survive beyond the life of the browser (i.e. after shutdown). This introduces the possibility that it may not be your client changing the data in the cookie before it is sent back to the server on a later page request.

Storing the information in a session, on the other hand, can help ensure that the information is kept server side and stops the client from being able to view it. Usually when using sessions you simply store the session ID in the cookie to identify which session the user was a part of.

Therefore any data that should be secure should be kept within a session rather than a cookie.

Peter