
Cookies organized with arrays Oo?


rootKID


Hi all, been a while, as always.

So, new project. I am trying to (finally) make a cookie login for my portfolio website, which is not online yet, but will be soon.

I am using sessions so far, which are great to organize when it comes to using them. Look at the picture attached for a sample.

So, for cookies, I am trying to achieve the same thing here but with no luck so far. I am using functions (not OOP or anything like that, just normal procedural PHP...) to create the cookies... however I do know that cookies are also arrays (am I wrong? Oo?). So my question is, when setting a cookie, how do I do it as shown in the picture, and how do I fetch them? The reason I do this is because I use LOGS to see the difference for each user and arrays and... well, just about anything really, also for stats purposes, which will make my life much easier (my own opinion, not sure if there is another way?)

Anyways, hope you guys can give me a hint as to how to make the cookie go down a level or 2 in an/the array?

Also, I did look on Google and found serializing and unserializing? But I read on PHP.NET that it was a bad idea since attackers could use this to their advantage? Is this also correctly understood?

Thanks a lot in advance! Been struggling with this one for quite a while now :D

Picture can be seen here:

huihhihjknknjk.jpg

(note that I don't have space for a new attachment at the moment and I don't know how to clear it out either, waiting for someone else to answer my other topic :P)

Thanks a lot in advance! :D


Quote

however i do know that cookies are also arrays (am i wrong? Oo?)

Yes, cookies are just regular key-value pairs.  Each cookie has a name, and a value.  Like a variable.

To set a cookie, you use the setcookie function.  To read cookies that were sent in the current request, they'll be in the $_COOKIE array similar to $_GET or $_POST.

 

Quote

Also, i did look on google and found serializing and unserializing? But i read on PHP.NET that it was a bad idea since attackers could use this for their advantage? Is this also correct understood?

 

More or less.  You could store a serialized array in a cookie (check the maximum value for cookies in various browsers to decide if that's a good idea), but you're storing those cookies on the user's computer.  They can easily change anything about it and send it back, so you probably don't want to unserialize random data that someone sends you.  Cookies are no more secure than $_GET or $_POST, so treat them like that.  If you wouldn't use eval to execute code sent via $_POST, then don't do it with a cookie either.  Cookies are not often used to store all of the data themselves, they are used like PHP's sessions instead.  Notice that you have a PHPSESSID cookie, that's PHP's session ID.  Only the ID of your session is saved in the cookie, the actual session data is saved on the server and PHP looks it up from the ID.  Attackers can't change the session data, only the ID and hope that the new ID still points to an active session and that the server isn't also doing other checks to try to prevent session hijacking.

The only data that goes in a cookie is non-private data where it doesn't matter if it gets deleted or changed.  Like a language preference.
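As an added illustration of the reply above (this is not code from the thread), the three cookie patterns it contrasts, written in PHP: data trusted from the cookie itself, a session where the cookie only carries PHPSESSID, and a cookie holding a harmless preference that is still validated on read. The function names and the simulated $_COOKIE array are constructed for the demo so it runs from the CLI.

```php
<?php
// Added example, not part of the thread. Contrasts the cookie patterns the
// reply describes. $_COOKIE values are simulated below so this runs offline.

// --- Pattern 1: state inside the cookie (the one the reply warns against) ----
// The browser's owner can rewrite the cookie before sending it back, and
// unserialize() on such bytes additionally lets the sender pick which PHP
// classes get instantiated. Treat it exactly like $_GET / $_POST input.
function prefs_from_serialized_cookie(array $cookies)
{
    if (!isset($cookies['prefs'])) {
        return array();
    }
    // If unserialize() is unavoidable, PHP 7+ can at least forbid objects:
    //   unserialize($cookies['prefs'], array('allowed_classes' => false));
    // json_decode($s, true) is the usual replacement: it never builds objects.
    return unserialize($cookies['prefs']);   // trusts client-controlled bytes
}

// --- Pattern 2: cookie holds only the session ID; data lives in $_SESSION ---
// session_start() reads PHPSESSID from the cookie and loads the matching
// server-side record; the client never sees or edits the nested array.
function prefs_from_session()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['USER_DATA_FLOW'])) {
        $_SESSION['USER_DATA_FLOW'] = array('lang' => 'en', 'theme' => 'light');
    }
    return $_SESSION['USER_DATA_FLOW'];
}

// --- Pattern 3: a cookie for genuinely non-private data, validated on read --
// A language preference may live client-side; the value is still checked
// against an allow-list because, like any cookie, it is untrusted input.
function lang_from_cookie(array $cookies, array $allowed = array('en', 'da', 'de'))
{
    $lang = isset($cookies['lang']) ? $cookies['lang'] : 'en';
    return in_array($lang, $allowed, true) ? $lang : 'en';
}

// Simulated request cookies (constructed for the demo):
$simulated = array(
    'prefs' => 'a:1:{s:5:"admin";b:1;}',   // whoever holds the cookie chose this
    'lang'  => 'xx',                        // not a language we offer
);

var_dump(prefs_from_serialized_cookie($simulated)); // array('admin' => true): the client decided it
var_dump(lang_from_cookie($simulated));              // string 'en': unknown value rejected
// prefs_from_session() would replace pattern 1 on a real page; the browser
// then only ever holds the PHPSESSID cookie that session_start() issues.
```

The takeaway matches the reply: anything that must not be altered by the visitor belongs server-side behind the session ID, and whatever does go in a cookie is validated like any other request parameter.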


Ohh ok, that makes more sense, I also knew that sessions were server based, just not the difference in security though. Also I did know that I needed to use the setcookie function, however, how do I use it so that it will be like the session in the array shown? Because I am using it this way to see the difference...

This is what I have tried so far...

The set function:

@setcookie(
"[USER_COOKIE_LOGIN][USER_DATA_FLOW]".$SETTINGS['cookie_prefix'].$name,
$value,
$expire_time,
$SETTINGS['cookie_path'],
$SETTINGS['cookie_domain'].'; HttpOnly'
);

and to read/get the cookie:

function LOGIN_COOKIE_get_cookie_v1( $name ){
	global $SETTINGS;
	if(
		isset(
			$_COOKIE[ '[USER_COOKIE_LOGIN][USER_DATA_FLOW]' . $SETTINGS['cookie_prefix'].$name ]
		)
		AND
		!empty(
			$_COOKIE[ '[USER_COOKIE_LOGIN][USER_DATA_FLOW]' . $SETTINGS['cookie_prefix'].$name ]
		)
	){
		return urldecode(
			$_COOKIE[ '[USER_COOKIE_LOGIN][USER_DATA_FLOW]' . $SETTINGS['cookie_prefix'].$name ]
		);
	} else {
		return FALSE;
	}
}

Ideas on how to set them? If this helps a bit?

Thanks a lot in advance! :)


Square brackets may or may not be supported in various browsers as a cookie name.  You can always see what the browser sends the server using print_r($_COOKIE).  I would recommend using only alpha-numeric characters plus underscores and hyphens for cookie names.
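An added example (not from the thread) of what PHP itself does with bracketed cookie names, next to a flat naming scheme that stays inside the recommended character set and still gives the code a grouped array to work with. The function names and the simulated request array are assumptions for the demo.

```php
<?php
// Added example, not part of the thread.

// The diagnostic the reply recommends: see exactly what the browser sent back.
print_r($_COOKIE);   // empty on the CLI; in a browser request it lists every cookie

// PHP parses trailing "name[key]" in a cookie name into nested $_COOKIE entries,
// the same way it does for $_GET and $_POST (documented under setcookie()).
setcookie('USER_DATA_FLOW[lang]', 'en', 0, '/');
setcookie('USER_DATA_FLOW[theme]', 'dark', 0, '/');
// On the next request, if the browser returned the names unchanged, print_r($_COOKIE) shows:
//   Array ( [USER_DATA_FLOW] => Array ( [lang] => en [theme] => dark ) )
// A name that *starts* with brackets, like "[A][B]name" as tried in this thread,
// has an empty base name before the first "[" and is not array notation, so it
// will not produce a nested array.
//
// Caveat, as the reply says: RFC 6265 defines cookie-name as a token, and "["
// and "]" are not token characters, so bracket names rely on lenient browser
// behaviour. A flat, prefixed name is what every client will round-trip.

function flat_cookie_name($group, $name)
{
    // Letters, digits, underscore and hyphen only, as recommended above.
    $key = $group . '_' . $name;
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $key)) {
        throw new InvalidArgumentException("Invalid cookie name: $key");
    }
    return $key;
}

// Rebuild the grouped array from flat names when reading, so the rest of the
// code keeps the nested structure without brackets ever going over the wire.
function cookies_by_group(array $cookies, $group)
{
    $out    = array();
    $prefix = $group . '_';
    foreach ($cookies as $name => $value) {
        if (strpos($name, $prefix) === 0) {
            $out[substr($name, strlen($prefix))] = $value;
        }
    }
    return $out;
}

setcookie(flat_cookie_name('USER_DATA_FLOW', 'lang'), 'en', 0, '/');

// Simulated next request (constructed):
$received = array(
    'USER_DATA_FLOW_lang'  => 'en',
    'USER_DATA_FLOW_theme' => 'dark',
    'PHPSESSID'            => 'constructed-session-id',
);
print_r(cookies_by_group($received, 'USER_DATA_FLOW'));
// Array ( [lang] => en [theme] => dark )
```

With the flat scheme the grouping is a server-side convention rather than something the cookie header has to carry, which is also why print_r($_COOKIE) will always show exactly what arrived.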


But that is the thing, I have done so and it sends either nothing or just the name as normal. Any ideas on how to do this? Maybe add in a sample? Because I'm kinda in a square box of no ideas at the moment... 😕


Well, I have gotten the normal naming to work now, but it still won't, for some reason, add in the array 😕

This is my current code...

## BETA STAGE OF FUNCTIONS - DO NOT USE YET PUBLIC! - V1

// Cookie Setup
$SETTINGS['cookie_prefix'] = ''; // This allows you to have multiple trackers, eg for demos, testing etc.
$SETTINGS['cookie_path']   = ''; // ATTENTION: You should never need this unless the above applies, eg: /projectname
$SETTINGS['cookie_domain'] = ''; // set to eg: .somedomain.com or, for a subdomain: .sub.somedomain.com

//==========================================================================================================
// (COOKIE LOGIN)
// -> User Data Flow (FUNCTION NAME: "LOGIN_COOKIE_user_data_flow_v1")
// makes & creates $CURUSER! and creates db flow with user information!
//////////////////////////////////////////////////////////////////////////////////////////////////////////
// Also Known As: (COOKIE_BASED_LOGIN_)
// Also Known As: (LOGIN_COOKIE_)
//==========================================================================================================

function LOGIN_COOKIE_user_data_flow_v1(){
    global $dblink, $SETTINGS;
    unset($GLOBALS["CURUSER"]);
    // No login cookies at all: nobody is logged in
    if(
        !LOGIN_COOKIE_get_cookie_v1('id')
        && !LOGIN_COOKIE_get_cookie_v1('username')
        && !LOGIN_COOKIE_get_cookie_v1('email')
        && !LOGIN_COOKIE_get_cookie_v1('password')
    ){
        return FALSE;
    }
    // Cast to int so only a number ever reaches the query
    $id = (int) LOGIN_COOKIE_get_cookie_v1('id');
    $sql_1 = "
    SELECT
        user.id,
        user.username,
        user.email,
        user.password,
        user.FK_user_details_id
    FROM
        user
    WHERE
        user.id = '$id'
    ";
    $result_1 = $dblink->query($sql_1) or die($dblink->error);
    $row_1 = $result_1->fetch_assoc();
    if(!$row_1){
        return FALSE;
    }
    $GLOBALS["CURUSER"] = $row_1;
    return TRUE;
}

//==========================================================================================================
// (COOKIE LOGIN)
// -> Set Cookie (FUNCTION NAME: "LOGIN_COOKIE_set_cookie_v1")
//////////////////////////////////////////////////////////////////////////////////////////////////////////
// Also Known As: (COOKIE_BASED_LOGIN_)
// Also Known As: (LOGIN_COOKIE_)
//==========================================================================================================

// $expires is a number of days; a negative value expires the cookie at once (used by logout)
function LOGIN_COOKIE_set_cookie_v1( $name, $value, $expires = 0, $sticky = 1 ){
    global $SETTINGS;
    if($sticky == 1){
        $expire_time = time() + 60*60*24*365;     // one year
    } else if($expires){
        $expire_time = time() + ($expires*86400);
    } else {
        $expire_time = 0;                         // 0 = browser-session cookie (setcookie() expects an int, not FALSE)
    }
    if($SETTINGS['cookie_path'] == ""){
        $SETTINGS['cookie_path'] = "/";
    }
    // Earlier attempts used a nested name, which never arrives in $_COOKIE as an array:
    //   "[USER_COOKIE_LOGIN][USER_DATA_FLOW]".$SETTINGS['cookie_prefix'].$name
    $cookie_name = $SETTINGS['cookie_prefix'].$name;
    if(version_compare(PHP_VERSION, '5.2.0', '<')){
        // setcookie() has no httponly parameter before PHP 5.2, so the flag is appended to the domain string
        if ($SETTINGS['cookie_domain']){
            @setcookie(
                $cookie_name,
                $value,
                $expire_time,
                $SETTINGS['cookie_path'],
                $SETTINGS['cookie_domain'].'; HttpOnly'
            );
        } else {
            @setcookie(
                $cookie_name,
                $value,
                $expire_time,
                $SETTINGS['cookie_path']
            );
        }
    } else {
        // PHP 5.2+: secure = FALSE (not forced), httponly = TRUE
        @setcookie(
            $cookie_name,
            $value,
            $expire_time,
            $SETTINGS['cookie_path'],
            $SETTINGS['cookie_domain'],
            FALSE,
            TRUE
        );
    }
}

//==========================================================================================================
// (COOKIE LOGIN)
// -> Get Cookie (FUNCTION NAME: "LOGIN_COOKIE_get_cookie_v1")
//////////////////////////////////////////////////////////////////////////////////////////////////////////
// Also Known As: (COOKIE_BASED_LOGIN_)
// Also Known As: (LOGIN_COOKIE_)
//==========================================================================================================

function LOGIN_COOKIE_get_cookie_v1( $name ){
    global $SETTINGS;
    // Earlier attempts read a nested name, which never showed up in $_COOKIE:
    //   $_COOKIE[ '[USER_COOKIE_LOGIN][USER_DATA_FLOW]' . $SETTINGS['cookie_prefix'].$name ]
    $cookie_name = $SETTINGS['cookie_prefix'].$name;
    if( !empty($_COOKIE[$cookie_name]) ){   // empty() also covers isset()
        // PHP already URL-decodes $_COOKIE values; this extra urldecode() only matters for values that were encoded twice
        return urldecode($_COOKIE[$cookie_name]);
    } else {
        return FALSE;
    }
}

//==========================================================================================================
// (COOKIE LOGIN)
// -> Logout Cookie (FUNCTION NAME: "LOGIN_COOKIE_logout_cookie_v1")
//////////////////////////////////////////////////////////////////////////////////////////////////////////
// Also Known As: (COOKIE_BASED_LOGIN_)
// Also Known As: (LOGIN_COOKIE_)
//==========================================================================================================

function LOGIN_COOKIE_logout_cookie_v1( $name ){
    // Expire the cookie one day in the past (sticky off) instead of storing '-1' in it for a year
    LOGIN_COOKIE_set_cookie_v1($name, '', -1, 0);
}

Any ideas on what i can do to change this?


I'm not sure what your specific problem is.

I would not store any version of a password in a cookie though, even if it's hashed.  Just store a user ID and a token.  Generate a new token for every request, so that each token is only used once.  When you check the cookies to validate the user, compare the cookie token with the token in the database for that user, and if it's correct generate a new cookie, save it in the database, and update the cookie.  Use single-use tokens instead of saving personal details in the cookie.
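An added example, not code from the thread, of the user-ID plus single-use token scheme described in this reply. It is written against an in-memory SQLite table so it runs from the CLI; the table, column and function names are assumptions for the demo, and PHP 7+ is assumed for random_bytes(). It goes one step beyond the reply by storing only a hash of the token, so a copy of the database alone does not yield a usable cookie.

```php
<?php
// Added example, not part of the thread. Schema and names are assumptions.

function remember_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_token (
        user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Create a fresh token for the user, persist only its hash, return the cookie value.
function issue_token(PDO $db, $userId, $ttlDays = 30)
{
    $token = bin2hex(random_bytes(32));            // 256-bit random value, 64 hex chars
    $stmt = $db->prepare('REPLACE INTO remember_token (user_id, token_hash, expires)
                          VALUES (:u, :h, :e)');
    $stmt->execute(array(
        ':u' => $userId,
        ':h' => hash('sha256', $token),
        ':e' => time() + $ttlDays * 86400,
    ));
    return $userId . ':' . $token;                 // what goes into the cookie: no username, email or password
}

// Validate a presented cookie value. On success rotate the token and return the
// new cookie value; otherwise return false (revoking the stored token on a mismatch).
function check_and_rotate(PDO $db, $cookieValue)
{
    if (!is_string($cookieValue) || !preg_match('/^(\d+):([0-9a-f]{64})$/', $cookieValue, $m)) {
        return false;                              // malformed: reject without touching the database
    }
    $userId = (int) $m[1];
    $stmt = $db->prepare('SELECT token_hash, expires FROM remember_token WHERE user_id = :u');
    $stmt->execute(array(':u' => $userId));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return false;
    }
    // Constant-time comparison of the stored hash with the hash of what was presented
    if (!hash_equals($row['token_hash'], hash('sha256', $m[2]))) {
        // Right user ID, wrong token: an old cookie is being replayed. Revoke the
        // current token so neither copy keeps working until the user logs in again.
        $db->prepare('DELETE FROM remember_token WHERE user_id = :u')->execute(array(':u' => $userId));
        return false;
    }
    return issue_token($db, $userId);              // single use: every successful check rotates the token
}

// Send the cookie with the flags the thread's own set function aims for.
function send_remember_cookie($value, $ttlDays = 30)
{
    // PHP 5.2+ signature: name, value, expire, path, domain, secure, httponly
    setcookie('remember', $value, time() + $ttlDays * 86400, '/', '', !empty($_SERVER['HTTPS']), true);
}

// Demo run (CLI):
$db = remember_db();
$c1 = issue_token($db, 42);                 // at login
$c2 = check_and_rotate($db, $c1);           // next visit: accepted and rotated
var_dump($c2 !== false && $c2 !== $c1);     // bool(true)
var_dump(check_and_rotate($db, $c1));       // bool(false): the old token is spent
```

On a real page the login handler calls issue_token() followed by send_remember_cookie(), and the per-request check calls check_and_rotate() with $_COOKIE['remember'], sending the returned value back as the new cookie when it is not false.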

