Re: Information on Cookies

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 15 Oct 2008, at 16:04, Ben Stones wrote:
Can you explain to me the benefits of hashing/encrypting/md5'ing cookie values? I don't see how it'd stop hackers from changing cookie values?

You encrypt stuff with a string that you keep secret. That string is needed to decrypt the string.

When hashing you would add a secret string to the value you're hashing before calculating the hash. When validating the content of the cookie you would add the secret string and then compare the calculated hash.

In both cases the "bad guys" would need to know the secret string in order to create a valid cookie value so as long as you're not stupid enough to share it it's pretty secure. Aside from the extra CPU required for encryption the only difference between the two is that with hashing the value you're storing is stored in the cookie in plain text whereas an encrypted value is, erm, encrypted.

I suggest you Google encryption and hashing as these are pretty basic concepts.

-Stut

2008/10/15 Stut <stuttle@xxxxxxxxx>
On 15 Oct 2008, at 15:23, Ben Stones wrote:
I've read a few videos on cookie security and it makes sense that people can modify cookie values which is a problem I'm trying to figure out to *try* and prevent. What I'll first do is at the top of the page that validates if the cookie values is in the database, but what my next problem is they'd use usernames in the database as the vaues. Are there any preventable measures
to prevent cookie forging or what not.

You can encrypt or hash the cookies to prevent tampering...

 http://stut.net/blog/2008/07/26/sessionless-sessions-2/

--
http://stut.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux