
I wanna make that cookie secure from attackers. What can I do, please?

```php
$cookie_encrypt = $row['uid'];
setcookie('cookie_encrypt', $cookie_encrypt, time()+60*60*365, '/');
```
  • The concept of “securing” something is too vague, unfortunately. Instead, what kind of attack scenarios are you trying to prevent? Cookie stealing, cookie tampering, replay, first party, third party? – Chris Haas Jul 05 '21 at 19:48
  • Someone told me that I should make that cookie secure because some people may attack it using JavaScript and know the actual value I assigned to the cookie – George Jul 05 '21 at 19:55
  • they mean secure as in HTTPS and HTTP only (not client-side): RTM (specifically the function parameters): https://www.php.net/manual/en/function.setcookie.php – Lawrence Cherone Jul 05 '21 at 19:58
  • additionally, if you want to sign it, so it can't be tampered with and you can verify and decode the values etc, do something like: https://3v4l.org/2Khdn (ported from [cookie-signature](https://github.com/tj/node-cookie-signature#readme) which is what express uses, for signed cookies) – Lawrence Cherone Jul 05 '21 at 20:22
  • Encryption is a method here and would work, but you really want to know the cookie has not been modified so you should sign it. I'd suggest looking at [JWT](https://github.com/firebase/php-jwt). – Jaquarh Jul 05 '21 at 21:22
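
An added example (not code from the question or from any commenter) combining the two suggestions in the comments: the `secure`/`httponly` parameters of `setcookie()` and an HMAC signature that is checked when the cookie is read back. The secret, the function names and the sample uid are assumptions; the options-array form of `setcookie()` requires PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Assumption: a long random secret loaded from server-side configuration.
// Placeholder value only; it must never be sent to the client.
const COOKIE_SECRET = 'replace-with-random-bytes-from-config';

// Append an HMAC-SHA256 tag so the server can detect modification.
// Signing is not encryption: the value itself stays readable.
function sign_cookie_value(string $value, string $secret): string
{
    return $value . '.' . hash_hmac('sha256', $value, $secret);
}

// Return the original value if the tag matches, or null if the cookie
// is malformed or was changed after it was issued.
function verify_cookie_value(string $signed, string $secret): ?string
{
    $pos = strrpos($signed, '.');
    if ($pos === false) {
        return null;
    }
    $value = substr($signed, 0, $pos);
    $tag   = substr($signed, $pos + 1);
    $expected = hash_hmac('sha256', $value, $secret);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $tag) ? $value : null;
}

// Hypothetical helper: same cookie name, path and lifetime as in the question.
function send_uid_cookie(string $uid): void
{
    setcookie('cookie_encrypt', sign_cookie_value($uid, COOKIE_SECRET), [
        'expires'  => time() + 60 * 60 * 365,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not exposed to document.cookie
        'samesite' => 'Lax',  // withheld on most cross-site requests
    ]);
}

// Constructed sample values, runnable from the CLI without sending headers.
$signed   = sign_cookie_value('42', COOKIE_SECRET);
$tampered = '43' . substr($signed, 2); // uid changed, old tag kept
var_dump(verify_cookie_value($signed, COOKIE_SECRET));
var_dump(verify_cookie_value($tampered, COOKIE_SECRET));
```

On each request, pass `$_COOKIE['cookie_encrypt']` through `verify_cookie_value()` and treat a `null` result as an unauthenticated request.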

0 Answers