0

I am using a very poor but unique encryption method for encrypting usernames on my website and every time I go to get the username from the cookie it didn't work, so I tried to echo it out and started getting an error.

Setting cookie:
setcookie(encrypt("username", $salt), encrypt("null", $salt), time()+3600, '/');
Getting cookie:
echo $_COOKIE[encrypt("username",$salt)];
error:
Notice: Undefined index: '8up_ibR[P'
cookie value:
Name: 8up_ibR[P Value: 4nrfc Domain: localhost Path: / Expires: Thu, 12 Dec 2013 01:42:04 GMT Size: 14

EDIT: Upon further investigation using echo print_r($_COOKIE); I found out that the 2nd to last symbol([) turns into _ in the print out. I'm assuming symbols are not allowed in cookies and that should resolve my issue?

Chris
  • 2,435
  • 6
  • 26
  • 49
  • what does `print_r($_COOKIE);` return? –  Dec 12 '13 at 00:52
  • I litterally just did that lol, check the main post. Looks like its back to the drawing board for my encryption. – Chris Dec 12 '13 at 00:53
  • 1
    Just a heads up, `poor but unique` does not constitute a good encryption method. Good encryption methods are open for inspection but are computationally infeasible to crack; therein lies their strength. Using a `unique` encryption method (i.e your own) is probably substantially less secure than using one of the more popular encryption algorithms (i.e the `SHA` family for forward-only encryption and `AES`/`Triple DES` for symmetric encryption) – Jason Larke Dec 12 '13 at 00:56
  • 1
    "This string is a sequence of characters excluding semi-colon, comma and white space." http://curl.haxx.se/rfc/cookie_spec.html –  Dec 12 '13 at 00:56
  • @Jason Larke it was just meant to be temporary until I found a better algorithm. Thanks for the refrences – Chris Dec 12 '13 at 00:58
  • Probably a more relevant question though, why are you storing the username in a cookie at all? Sounds like an opportunity for some refactoring :3 – Jason Larke Dec 12 '13 at 00:58
  • @Dagon thanks for confirming that – Chris Dec 12 '13 at 00:58
  • @Jason I'm under the impression that $_SESSION doesn't last very long and I don't want users to have to always log in – Chris Dec 12 '13 at 00:59
  • 1
    @Duck If you don't need to decrypt the value again, use `SHA256` or `SHA512`, if you DO need to decrypt the value again, try using `AES`. http://stackoverflow.com/questions/3422759/php-aes-encrypt-decrypt Has a good example of `AES` with the `mcrypt` php library. – Jason Larke Dec 12 '13 at 00:59
  • @Duck http://stackoverflow.com/questions/12091951/php-sessions-login-with-remember-me The second answer (not the accepted one) looks promising. Just make sure to validate the cookie value! Otherwise anyone that sniffs the HTTP traffic can simply duplicate the cookie value in their own requests and gain access to the other user's session – Jason Larke Dec 12 '13 at 01:09
  • @Jason so pretty much I encrypt it then store it in the database and just check to see if the cookie value is the same as the one in the database and if not the cookie is spoofed? – Chris Dec 12 '13 at 01:13
  • No, that wouldn't work as if they're duplicating an existing cookie then obviously it'll match what is in the database. Instead the poster in that thread suggested hashing a combination of `username` and `IP Address` and storing the resultant hash in the cookie, to validate the cookie you'd need to perform an independent hash of the username and the current IP (`$_SERVER['REMOTE_ADDR']`) and compare it. This would be a first step to preventing cookies being duplicated across multiple IP addresses, it's not foolproof, though. – Jason Larke Dec 12 '13 at 02:00

0 Answers0