Comments on: How to Create Totally Secure Cookies

By: Andylei Lei

Andylei Lei — Tue, 11 Jan 2011 09:12:00 +0000

This article is very useful for me because I am a new beginner for PC and do not know anything about the word” cookie”. Now I can use secure cookie and that make me happy. http://www.mac-ipad-converter.org/

By: intel drivers

intel drivers — Thu, 30 Dec 2010 10:04:00 +0000

Your articale is really informative, but a little profound to me.

By: Michael J

Michael J — Fri, 11 Jun 2010 23:59:29 +0000

In your example you used isset($_SERVER["HTTPS"]) to ensure that cookies will only be sent when it is over an HTTPS connection. This will however not work as the this will just except the current setting. Let me explain. If I access the page via HTTP the value for this expression would be false, telling the browser to send cookies over HTTP and when accessed via HTTPS the expression would be true, thus sending cookies over the secure connection.
For HTTP the expression
setcookie( ‘UserName’, ‘Bob’, 0, ‘/forums’, ‘www.example.com’, isset($_SERVER["HTTPS"]), true);
would result to
setcookie( ‘UserName’, ‘Bob’, 0, ‘/forums’, ‘www.example.com’,false, true);
and for HTTPS
setcookie( ‘UserName’, ‘Bob’, 0, ‘/forums’, ‘www.example.com’,true, true);

By: Andte

Andte — Thu, 18 Mar 2010 02:15:18 +0000

Lars, your method is vulnerable to session hijacking.
See: Session hijacking on Wikipedia

By: lace wedding dresses

lace wedding dresses — Mon, 01 Mar 2010 11:31:22 +0000

There were quite a few hacks and sneaky tips that I didn’t know about. Thanks

By: copy xbox 360 games

copy xbox 360 games — Mon, 07 Dec 2009 03:18:33 +0000

hello admin, I found your blog from yahoo and read a few of your other posts.They are awesome. Please keep it up!! _____________________________________ copy xbox 360 games

By: SAS Fire and Security

SAS Fire and Security — Fri, 04 Dec 2009 05:47:04 +0000

Nice Information about cookies,

thanks a lot :-)

By: How to Create Totally Secure Cookies | Benzing Technologies

How to Create Totally Secure Cookies | Benzing Technologies — Fri, 16 Oct 2009 02:08:17 +0000

[...] Tags: cookies, secure cookies, security Originally Posted at Carsonified.com [...]

By: Jay

Jay — Fri, 18 Sep 2009 11:33:11 +0000

The holidays are finished and so is a freshly made jar of those cookies, nice job:)

By: island

island — Sat, 05 Sep 2009 05:27:07 +0000

This article is very useful for me because I am a new beginner for PC and do not know anything about the word" cookie". Now I can use secure cookie and that make me happy. สร้อยไข่ขาว

By: sam

sam — Sat, 05 Sep 2009 02:53:34 +0000

My kids loves cookies and so are we. Thanks for the tips, my wife would be very glad to know this. :)

By: Friday Faves « dalewatkins.com

Friday Faves « dalewatkins.com — Fri, 04 Sep 2009 14:32:52 +0000

[...] Create Totally Secure Cookies Cookies are a great way to store some information for recall across sessions, however, be careful with the information you store on your visitor’s computer. Do you create a secure cookie? [...]

By: Mes favoris du 2-09-09 au 3-09-09

Mes favoris du 2-09-09 au 3-09-09 — Thu, 03 Sep 2009 16:09:23 +0000

[...] Carsonified » How to Create Totally Secure Cookies – [...]

By: Revue de presse | Simple Entrepreneur

Revue de presse | Simple Entrepreneur — Thu, 03 Sep 2009 05:11:56 +0000

[...] How to create totally secure cookies Un petit récapitulatif des différentes manières de sécuriser le contenu d’un cookie. Bien sûr, le conseil à toujours garder en mémoire reste de ne pas sauvegarder d’informations sensibles dans ces fichiers. [...]

By: Jean Marie

Jean Marie — Wed, 02 Sep 2009 14:23:24 +0000

Hi,

using the users remote IP is a bad idea because many users sit behind a NAT-Gateway.

Best regards
Jean Marie

By: solitaire

solitaire — Tue, 01 Sep 2009 09:13:14 +0000

Great explanation of what are cookies, thanks for sharing.

By: Carsonified » How to Create Bulletproof Sessions

Carsonified » How to Create Bulletproof Sessions — Tue, 01 Sep 2009 07:02:03 +0000

[...] the first part of this series we went over how a cookie works and what can be done to secure them. In this section we’re going to go over ways to add additional security to the session beyond [...]

By: Friday Links: 28 August 2009

Friday Links: 28 August 2009 — Fri, 28 Aug 2009 15:05:14 +0000

[...] How to Create Totally Secure Cookies [...]

By: Ansermot.ch » Secure cookies in PHP

Ansermot.ch » Secure cookies in PHP — Thu, 27 Aug 2009 15:17:04 +0000

[...] complete post : How to Create Totally Secure Cookies Share and [...]

By: Sécuriser les cookies | traffic-internet.net

Sécuriser les cookies | traffic-internet.net — Wed, 26 Aug 2009 12:04:47 +0000

[...] How to Create Totally Secure Cookies (0 visite) [...]

By: Ennuyer.net » Blog Archive » Rails Reading - August 26, 2009

Ennuyer.net » Blog Archive » Rails Reading - August 26, 2009 — Wed, 26 Aug 2009 09:48:02 +0000

[...] Carsonified » How to Create Totally Secure Cookies [...]

By: vivanno.com::aggregator » Archive » Sécuriser les cookies

vivanno.com::aggregator » Archive » Sécuriser les cookies — Wed, 26 Aug 2009 09:30:59 +0000

[...] How to Create Totally Secure Cookies () [...]

By: Daily Links for Tuesday, August 25th, 2009

Daily Links for Tuesday, August 25th, 2009 — Tue, 25 Aug 2009 11:31:09 +0000

[...] Carsonified » How to Create Totally Secure Cookies [...]

By: How to Create Totally Secure Cookies | Benzing Technologies | Creative Web Design, Affordable Web Hosting, SEO, Social Media Marketing

Tue, 25 Aug 2009 03:37:22 +0000

[...] Originally Posted at Carsonified.com [...]

By: links for 2009-08-24 .:: [aka щямукюшт] Ozver.in | Озверин

links for 2009-08-24 .:: [aka щямукюшт] Ozver.in | Озверин — Tue, 25 Aug 2009 03:05:18 +0000

[...] Carsonified » How to Create Totally Secure Cookies (tags: security development php usability http reference howto css secure cookies) [...]

By: Bruce

Bruce — Mon, 24 Aug 2009 19:44:36 +0000

I believe Safari 4 also supports HttpOnly on cookies. Finally.

By: tedivm

tedivm — Mon, 24 Aug 2009 17:49:53 +0000

This technique has merit, but there are a few things to consider-

* If you’re primarily using the data server side, it would be better to simply store it in a session. Otherwise, while you’re protected from tampering you’re still open to sniffing of sensitive data and hijacking of cookies.

* Tying it to the user id only helps so much, as the user id won’t be present until the session is already loaded. This would, from the perspective of the hackers, just make the hash another session id. If they can steal the session (and take on the user ID) they’ll be able to steal the other cookies as well.

* If someone logs out all of their cookies are invalidated- this may be intentional, but if you want data tied to a session it should be in the session.

* If you’re using the data client side (javascript) you’re only going to have read only access.

That being said, I really should have touched on this subject, as there are definite cases where it would be useful. Thank you for fixing that discrepancy on my part.

By: tedivm

tedivm — Mon, 24 Aug 2009 17:09:58 +0000

My point wasn’t to try to get people to come back and read more later, its just that the cookie itself is a small part of the session. The next article focused on sessions, and uses a lot of example code, so by the time it was done it seemed big enough to stand on its own (its much longer than this post, for instance).

I definitely understand what you’re saying though, and will keep it in mind for future posts (I am still rather new at this).

By: Lars

Lars — Mon, 24 Aug 2009 13:46:05 +0000

You shouldn’t store sensitive information in cookies. Store the bare minimum, and implement tampering detection like kari or jamie mentions.
Alternatively use an ID and a checksum and store it in a database… E.g.

// To “encode”
$id = 232; // ID to a database record, for instance
$my_secret = md5( “Some secret, eh?” );
$checksum = md5( md5( $id ) . $my_secret );

// To decode:
list( $id, $checksum ) = explode( “-”, $_COOKIE['the_cookie'] );
$my_secret = md5( “Some secret, eh?” );
if ( md5( md5( $id ) . $my_secret ) != $checksum )
{
die( “Tampering detected” );
}

In the database you can store whatever you want.

By: Geert

Geert — Mon, 24 Aug 2009 13:09:21 +0000

Signing cookies indeed is a good idea. The cookie helper of the Kohana PHP5 framework uses a very similar technique. Very clean code and well commented, good to learn from: Kohana_Cookie class.