8

In some of my posts, when I have stored user information in cookies, all the comments and answers have said something like, "... answer to problem ... but DON'T USE COOKIES TO STORE USER INFORMATION. IT'S INSECURE."

In one of my test websites, I store a cookie called "user" that holds the logged-in user's username, as well as a session variable. I know this may be personal information, but on the webpage it says the username, so would it really matter?

It would matter if a hacker could get onto my website to change the value of the "user" cookie and session, and log into someone's account without their username.

Is this possible? If so, how?

Also, if I need to update my security, how would I have an option of "Stay Logged In" without a cookie?

Thanks for any help.

Jonathan Lam
    Cookies *are* in control of the user. Anyone can add, delete, or alter the value of any cookie. – Gumbo May 03 '14 at 20:20
  • @Gumbo do you have a suggestion as to how I could save user data without using cookies? – Jonathan Lam May 03 '14 at 20:28
  • Use sessions only. A session’s data is stored on the server side and the client gets only the ID. – Gumbo May 03 '14 at 20:29
  • @Gumbo don't session variables end after the browser closes? How could I make it last? – Jonathan Lam May 03 '14 at 20:30
  • 1
    With cross site scripting it's possible to steal a cookie. The session cookie stores the session ID only (meaningless, no actual user data in it), session vars and their values are on your webserver. For your 'keep me logged' see e.g. [link](http://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach) – Fven May 03 '14 at 20:41
  • @Mno thanks, that link helps – Jonathan Lam May 03 '14 at 20:44
  • 1
    Try Googling sessionless cookies. – Kohjah Breese May 03 '14 at 21:31
  • 2
    You can also save session data in a database; that way you can restore the session when the user returns to your site. Here is a tutorial: http://shiflett.org/articles/storing-sessions-in-a-database – Ronny vdb May 03 '14 at 22:21
  • 2
    JavaScript webStorage and `$_SESSION` are two alternatives you may want to use. `$_SESSION['username']` is far better than `$_COOKIE['username']` since you can trust your users not to be able to alter `$_SESSION` data directly. – Scott Arciszewski May 09 '14 at 13:59
  • Does my answer satisfy you? – Abilogos Dec 10 '20 at 06:53

1 Answer

2

Yes, cookies are stored on the client side and can be retouched.

So how do you prevent intruders from modifying data? I want to introduce two mechanisms for this:

Store in Session, access with Cookie

Because HTTP is a stateless protocol, the server will set a cookie, usually named session_id, and the client will send it with every request. With this mechanism the server finds out which user is requesting.

The server can store user data in so-called session variables and can access them Only On the Server; the Client CAN NOT Modify them.

Example:

On the server's session storage (disk, DB or RAM):

27: ["username" => "foo"]
35: ["username" => "bar"]
95: ["username" => "fuzz"]

In each client's cookie:

client 1:

"session_id" : 27

client 2:

"session_id" : 35

client 3:

"session_id" : 95

This method has a downside:

All data have to be stored on the server, and that can consume the server's space.

Store in Cookie, access with Key

Another approach is to store the data in the user's cookie, but before storing them, encrypt them with a key.

Since they are encrypted and the client doesn't have access to the key, intruders couldn't make any valid change to the data.

In this approach you only have to store the encryption key on the server.

It doesn't consume the server's space (disk or RAM).

Downside: since all the data are sent from the client in every HTTP request, it consumes the server's bandwidth.

For example: the Laravel framework's cookies are encrypted.

Abilogos
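Both mechanisms from the answer above, as an added example that is not part of the original question, answer or the Laravel project. It is written in Python (rather than the PHP the thread discusses) purely to make the data flow concrete: the session store keyed by an unguessable ID stands in for `$_SESSION` backed by disk, DB or RAM, and the "store in cookie" mechanism is shown with an HMAC tag instead of encryption, because the property that stops an intruder from making a "valid change" is authentication (a keyed tag the server can verify), not secrecy; Laravel's encrypter attaches such a MAC alongside the ciphertext. `SERVER_KEY`, the sample usernames, the 30-day expiry and all function names are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment loads a random key from configuration.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# ---- Mechanism 1: store in session, access with cookie ----------------------
# Stand-in for the server's session storage: session_id -> session variables.
# The client never sees the values, only the ID in its cookie.
SESSION_STORE = {}


def create_session(username):
    """Create a server-side session and return the ID the client will store."""
    # 256 bits of randomness, so an intruder cannot guess another user's ID
    # (the small integers 27/35/95 in the answer are illustrative, not safe).
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {"username": username, "created": int(time.time())}
    return session_id


def lookup_session(session_id):
    """Resolve a session_id cookie value to its variables, or None if unknown."""
    return SESSION_STORE.get(session_id)


# ---- Mechanism 2: store in cookie, access with key --------------------------
def make_signed_cookie(data, ttl_seconds=30 * 24 * 3600):
    """Encode user data into a cookie value with an expiry and an HMAC tag.

    Only the server holds SERVER_KEY, so only the server can produce a tag
    that verifies; the data itself is readable, which is fine for a username
    that is shown on the page anyway. A 'stay logged in' cookie built this
    way survives browser restarts without storing anything on the server.
    """
    payload = json.dumps({"d": data, "exp": int(time.time()) + ttl_seconds},
                         separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def read_signed_cookie(cookie, now=None):
    """Return the data inside a cookie value, or None if it was altered or expired."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no tag separator
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None  # body or tag was modified on the client side
    padded = body + "=" * (-len(body) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    current = int(time.time()) if now is None else now
    if current >= obj["exp"]:
        return None  # expired 'stay logged in' cookie
    return obj["d"]


if __name__ == "__main__":
    sid = create_session("foo")
    print("server session:", lookup_session(sid))
    cookie = make_signed_cookie({"username": "bar"})
    print("cookie accepted:", read_signed_cookie(cookie))
    body, tag = cookie.rsplit(".", 1)
    edited = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + tag
    print("edited cookie accepted:", read_signed_cookie(edited))
```

The two `read_signed_cookie` failure paths are the ones a defender cares about: a modified body no longer matches its tag, and a cookie presented after `exp` is rejected even though its tag is valid, so a stolen long-lived cookie has a bounded lifetime. Mechanism 1 keeps bandwidth low and makes logout trivial (delete the server entry); mechanism 2 keeps server storage at zero but ships the data on every request, exactly the trade-off the answer describes.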