On 15 Oct 2008, at 16:04, Ben Stones wrote:
Can you explain to me the benefits of hashing/encrypting/md5'ing
cookie values? I don't see how it'd stop hackers from changing
cookie values?
You encrypt stuff with a string that you keep secret. That string is
needed to decrypt the string.
When hashing you would add a secret string to the value you're hashing
before calculating the hash. When validating the content of the cookie
you would add the secret string and then compare the calculated hash.
In both cases the "bad guys" would need to know the secret string in
order to create a valid cookie value, so as long as you're not stupid
enough to share it, it's pretty secure. Aside from the extra CPU
required for encryption, the only difference between the two is that
with hashing the value you're storing is stored in the cookie in plain
text, whereas an encrypted value is, erm, encrypted.
I suggest you Google encryption and hashing as these are pretty basic
concepts.
-Stut
2008/10/15 Stut <stuttle@xxxxxxxxx>
On 15 Oct 2008, at 15:23, Ben Stones wrote:
I've read a few videos on cookie security and it makes sense that
people can modify cookie values which is a problem I'm trying to
figure out to *try* and prevent. What I'll first do is at the top of
the page that validates if the cookie values is in the database, but
what my next problem is they'd use usernames in the database as the
values. Are there any preventable measures to prevent cookie forging
or what not?
You can encrypt or hash the cookies to prevent tampering...
http://stut.net/blog/2008/07/26/sessionless-sessions-2/
--
http://stut.net/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
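
The hashing approach described in the reply above, as an added example that is not part of the original thread. It uses PHP's hash_hmac() with SHA-256 as the keyed hash instead of appending the secret to the value and hashing the result; the secret, the "value|mac" cookie layout and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.

// Assumption: in a real application this is a long random value loaded from
// configuration that is never sent to the client. Constructed for the demo.
const COOKIE_SECRET = 'constructed-demo-secret-change-me';

// Build "value|mac": the value stays readable in the cookie, and the MAC
// shows it was issued by someone who knows COOKIE_SECRET.
function sign_cookie_value(string $value): string
{
    $mac = hash_hmac('sha256', $value, COOKIE_SECRET);
    return $value . '|' . $mac;
}

// Return the original value if the MAC matches, or null if the cookie is
// malformed or has been modified.
function verify_cookie_value(string $cookie): ?string
{
    $pos = strrpos($cookie, '|');
    if ($pos === false) {
        return null; // no MAC present at all
    }
    $value    = (string) substr($cookie, 0, $pos);
    $mac      = (string) substr($cookie, $pos + 1);
    $expected = hash_hmac('sha256', $value, COOKIE_SECRET);

    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the submitted MAC were correct.
    return hash_equals($expected, $mac) ? $value : null;
}

// Constructed sample input: a username cookie like the one in the thread.
$issued = sign_cookie_value('ben');

// The cookie sent back unchanged is accepted.
var_dump(verify_cookie_value($issued));

// A changed username carrying the old MAC is rejected.
$tampered = 'someone-else' . substr($issued, strrpos($issued, '|'));
var_dump(verify_cookie_value($tampered));

// A cookie with no MAC at all is rejected too.
var_dump(verify_cookie_value('someone-else'));
```

A signed cookie is still readable by the client and can be replayed as-is, so it only addresses the tampering question raised in the thread.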