PHP Secure Cookie: Store cookies allowing to detect unwanted changes

Recommend this page to a friend!

Download .zip

Info

Example

View files (4)

Download .zip

Reputation

Support forum (1)

Blog

Links

Ratings				Unique User Downloads		Download Rankings
Not enough user ratings				Total: 292		All time: 7,460 This week: 148

Version		License		PHP version		Categories
`safecookie` 1.0.0		Public Domain		7		HTTP, Security, PHP 7

Description

Author

Ray Paseur

This class can store cookies allowing to detect unwanted changes.

It can set cookie values with a hash value that is computed using a secret salt value.

The class can also retrieve cookies verifying if the current value comes with a hash that is correct giving the secret salt.

Invalid cookies that may have been forged by attackers are discarded.

Innovation Award

February 2019
Number 3

One way that can be used by hackers with malicious intentions is to somehow alter the values of cookies that are served by Web sites by spoofing values that make Web applications behave in ways that they were not intended.

This class can help avoiding that problem by storing cookie values that have an additional verification hash, so the class can also detect cookie alterations so applications can ignored spoofed cookie values.

Manuel Lemos

Ray Paseur

Performance

Level

Name:	Ray Paseur is available for providing paid consulting. Contact Ray Paseur .
Classes:	8 packages by Ray Paseur
Country:	United States
Age:	72
All time rank:	2257	311 in United States
Week rank:	213	18 in United States

Level 1

Innovation award

Nominee: 5x

Winner: 1x

Details

class SafeCookie

This Class demonstrates an anti-tamper cookie.

Modern browsers make it somewhat difficult for the casual user to damage a cookie,
but since cookies are part of the HTTP request (and nothing in an HTTP request can
be trusted) it is useful to have a strategy to add a measure of trust to cookies.

This class uses a salted md5() string to make a "mirror" of the cookie value.  Any
change in the value of the cookie will be detected.  In this case the damaged
cookie will be removed and the SafeCookie::get() method will return False.  If the
cookie is shown to be intact, the cookie value (minus the salted digest) will be
returned.

The cookie looks like this:

   cookieValue|salted_md5_digest

To the left of the pipe is the value of the cookie.  To the right of the pipe is
the md5() of the SALTed value.

As long as the SALT string is unknown to the attacker, there is almost no chance
that a tampered cookie will be consumed.

To see the Class in action, install the class script along with the "demo" and
"aux" scripts in the same directory of your web server.  Then run the demo script
and try clicking the links to refresh the browser.

On the first execution of the "demo" script the cookie is not yet present, but
it will be set.  On the second and subsequent execution of the "demo" script you
will see the cookie being returned over and over again.

To see what happens if the cookie is damaged, click the appropriately labeled
link, then go back and refresh the browser window with the "demo" script.  You
will see that the damaged cookie is not returned by SafeCookie::get()

Files

File	Role	Description
`aux_SafeCookie.php`	Aux.	Auxilliary
`class_SafeCookie.php`	Class	Class Source
`demo_SafeCookie.php`	Example	Demonstration Script
`readme_SafeCookie.php`	Doc.	Readme text file