
I'm trying to save an array into a cookie, in a serialized manner. So what I do is this:

    <?php
    // Serialize the auth array and store it in a cookie that expires in 30 days
    $serial_auth = serialize($_SESSION['auth']);
    setcookie("auth_cookie", $serial_auth, 2592000 + time());

and on the next page I'm trying to use this data like this:

    // Restore the auth array from the cookie on a later request
    if (isset($_COOKIE['auth_cookie']))
    {
        $_SESSION['auth'] = unserialize($_COOKIE['auth_cookie']); // but it returns an empty array.
    }

Now the strange thing is that the whole thing works on my localhost, but it does not work on the 000webhost site.

And a note: when I try to echo those, I get this:

$_SESSION['auth'] = 
Array ( [status] => ok [userid] => 1 [username] => user11 [visiblename] => user11 ) 
SERIALIZED =
a:4:{s:6:"status";s:2:"ok";s:6:"userid";s:1:"1";s:8:"username";s:6:"user11";s:11:"visiblename";s:6:"user11";}

This may be a PHP configuration issue, but I would like to learn if there is a way for this, without changing any PHP configuration. Thanks for any help.

void
  • have you checked that the cookie is set at all? (thinking about "network issues" like cookies not available on subdomain or cross domain stuff) – herrjeh42 Apr 07 '13 at 19:57
  • Yes, isset() returns true, but the cookie is empty. – void Apr 07 '13 at 21:36

1 Answer

This has severe security drawbacks and shouldn't be done.

An attacker can set the cookie value to anything, including serialized objects. These objects may execute code when recreated. So an attacker may execute code on your machine by sending you a properly crafted serialization string! One cannot want attackers to be able to do this.

See the warning at the bottom of this page: http://www.php.net/manual/en/function.unserialize.php

The second thing is: Why the hell do you need the authentication info in a separate cookie, and what is connected with it? What would an attacker be able to do if he changes any of the values, especially the userid or the status? I assume he might gain access to things he shouldn't be able to.

Sven
  • Well, in this case s/he can only mess up the game's info. But anyway, I'm trying to save the login state so the user does not enter their un/pw every time they visit the site. Isn't this what cookies are for? (I am asking to learn, not rhetorically :) ) Thanks for your help! – void Apr 07 '13 at 21:36
  • To save a login, create a random value (as random as you can get it) and save it both in the cookie and in your user database. You can now compare either username and password on login, or this random value. Both grant access. – Sven Apr 07 '13 at 23:03
  • Check out this posting for more information on how to implement a secure "remember me" system: http://stackoverflow.com/questions/3128985/php-loginsystem-remember-me – herrjeh42 Apr 08 '13 at 06:18
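The random-token approach Sven describes in the comments, as an added example (not code from the thread): the cookie holds only a random value that is looked up and compared against the database, so nothing from the cookie ever reaches unserialize(). It assumes a PDO connection $pdo and a hypothetical remember_tokens table; both names are chosen for this example.

```php
<?php
// Added example, not code from the thread: Sven's random-token "remember me"
// scheme. The cookie carries only a random token, so nothing from the cookie is
// ever handed to unserialize(). Assumes a PDO connection $pdo and a table
// remember_tokens(selector, token_hash, user_id, expires); both names are hypothetical.

// Call after a successful username/password login.
function issue_remember_cookie(PDO $pdo, int $userId): void {
    $selector = bin2hex(random_bytes(9));   // public lookup key, stored in clear
    $token    = bin2hex(random_bytes(32));  // secret; only its SHA-256 is stored
    $expires  = time() + 30 * 86400;        // 30 days, like the question's 2592000

    $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $token), $userId, $expires]);

    setcookie('remember', $selector . ':' . $token, [   // options array: PHP 7.3+
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
}

// On a later visit: returns the user id, or null if the cookie is absent,
// malformed, expired or does not match what the database holds.
function user_from_remember_cookie(PDO $pdo): ?int {
    if (!isset($_COOKIE['remember'])) {
        return null;
    }
    $parts = explode(':', $_COOKIE['remember'], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;   // reject anything that is not two hex strings
    }
    [$selector, $token] = $parts;

    $stmt = $pdo->prepare('SELECT token_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so a forged token leaks nothing through timing.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

Delete the row from remember_tokens on logout so the cookie cannot be replayed afterwards; a password change should invalidate all of a user's rows the same way.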