-3

On my webpage I'm using a cookie that's set to 1 if they're admin

0 if they're not

so admins can have access to certain features,

how hard would it be for somebody to make a 0 into a 1 in their local cookie if they wanted to?

Bhavik Patel
Gacnt
  • They sure are, see [Can I modify or add cookies from JavaScript?](http://stackoverflow.com/questions/1704991/can-i-modify-or-add-cookies-from-javascript) – Marc Jan 29 '13 at 03:57
  • cookies are edible; edify yourself on security though (and use crypto-PRNG-strong session ids, so values cannot be predicted) – sehe Oct 14 '14 at 21:41
  • A quick search on Google would give you the answer. – Joshua Aug 10 '17 at 21:50

3 Answers

4

Cookies live on the client-side, so of course they are editable. Like everything else that comes from the client, cookies cannot be assumed secure, ever. It would be very easy for someone to make themselves an admin using your design.

Don't be lazy; store the privileges on the server side and only on the server side.

Matt Ball
  • What would you suggest? I just now made it so only people that are admins get the cookies in the first place (basically only being myself at this point). Can somebody create the cookie out of thin air if they want, or am I safe now from people making themselves admin? What would you suggest instead? I only give out 2 cookies to anybody now (was 3 including admin, but not anymore), which are user_id and username – Gacnt Jan 29 '13 at 03:57
  • _"can somebody create the cookie if they want out of thin air"_ yes! _"am I safe now from people making themselves admin?"_ no! – Matt Ball Jan 29 '13 at 03:58
  • Dammit, looks like I have to revise everything before I launch my page :) Thanks for the quick response. I'm just not 100% sure on how to use $_SESSION; $_COOKIE was so much easier. I'll mark you as the answer in 6 minutes when I can @MattBall – Gacnt Jan 29 '13 at 03:58
  • It's not just about using the session. Somewhere on the server – a database, a text file, whatever – you need to store information that determines whether or not a user is an admin. Do you have any sort of login system? How do you determine whether or not a set of credentials (username+password) is valid? – Matt Ball Jan 29 '13 at 04:00
  • Yeah, I'm using a MySQL database with an admin flag 0 or 1. I have a fully functional login/registration/email activation system going on that links to my MySQL DB. This is my first real project, just kinda testing my knowledge, but I don't really understand $_SESSION as much, so I'm going to have to read up a bit @MattBall – Gacnt Jan 29 '13 at 04:01
  • There you go! All you need to do is check the value of the admin flag on the server side, when determining access to the admin-only features. – Matt Ball Jan 29 '13 at 04:02
  • In my login.php I use `$_SESSION['user_id'] = $row['id']; $_SESSION['username'] = $row['username']; $_SESSION['admin'] = $row['admin'];` but I can't seem to keep a user logged in. I'm using session_start(); I don't really know what else to do @MattBall – Gacnt Jan 29 '13 at 04:03
  • That's a whole other can of worms, and I'm really not a PHP dev. You should probably post a separate question. If you had a bit more rep I'd say ask around in chat... – Matt Ball Jan 29 '13 at 04:06
  • I'll go back through my Head First PHP & MySQL book and figure it out, thanks for the help. Never realized how dangerous cookies were; after reading around I scared myself by seeing just how many vulnerabilities there are in cookies and SQL injects. But doesn't the session store a cookie itself? – Gacnt Jan 29 '13 at 04:09
  • Implemented correctly, the only thing stored in a cookie is a difficult-to-guess session identifier; nothing more. Lots of reading here: http://stackoverflow.com/search?q=php+session+best+practices – Matt Ball Jan 29 '13 at 04:13
  • It turns out I fully understood $_SESSION to begin with, I just forgot isset() on my main if statement haha. Everything is working now with only 1 cookie, the session ID, but from what I've googled, if I disable that, I gotta transfer the session ID through $_GET statements, which is incredibly insecure, so I guess you're damned if you do, and damned if you don't.. Oh well, at least this way I can expire the session after 1 hour (if they stay logged in that long), as well as the user_id, username, and admin flag not being a cookie @MattBall – Gacnt Jan 29 '13 at 04:33
1

It's actually pretty easy to edit a cookie. Extensions such as Chrome's Edit This Cookie allow for it to be done without even leaving the browser. I use this for simple things like web tracking on newspaper sites that limit the amount of articles you can view. I reset the cookie count and voila, I am able to view more articles.

Google "Edit This Cookie" if you want to demo it and apply it to your site.

  • You don't even need an extension to edit cookies in Chrome, or any other modern browser. The built-in developer tools let you do that. – Matt Ball Jan 29 '13 at 03:57
1

Editing a cookie is easy.

But is this what you really meant?

Session variables are stored on the server and thus cannot be modified by the client. The client only stores an ID that refers to the session.

Lightness Races in Orbit
  • Can someone then hack the session ID and gain access to a different session? – nf071590 Oct 14 '14 at 21:34
  • @nf071590: Session hijacking is typically prevented by doing an IP check on the server end, but yes there are absolutely scenarios where you can do this. Just two examples: (a) insecure website; (b) the session you want to hijack belongs to an individual using the same WAN IP as you. Consider an internet café, for example, though you'd need access to your target's laptop for long enough to look up and copy down their session ID. ;) Honestly, you can do that if they leave their laptop for a bathroom break but then, arguably, they deserve the Fraping that's coming to them. – Lightness Races in Orbit Oct 14 '14 at 21:35
  • Also, session IDs are typically "hard" to guess so, in combination with the IP checking, successful session hijacks are virtually unheard of. – Lightness Races in Orbit Oct 14 '14 at 21:52