User identification using cookies in PHP/MySQL - Common Pitfalls and Conclusion
(Page 3 of 3 )
Naturally, using cookies is not the safest method to protect your pages, since there are pitfalls. Here are some:
- Cookies are not visible to your pages until first reload after you set it
- Cookies must be deleted with same parameters as they were set with
- Cookies can be stolen, their values read, since they are ASCII files
- Cookies can be stored on proxy servers and thus exposed externally to user’s computer
- Not a safest method if user does access your pages through a public computer
- In case user does not logout, cookie remains on his computer until it expires
But, since we are not passing usernames/passwords to cookies, no one can read them and try to login. Using logcodes we ensure somewhat unique identification of your users, and since logcodes are renewed upon each access to your protected pages, it makes it difficult to be stolen, since the thief must steal the cookie, read the value, setup a cookie on his own machine and access your pages, all within the timeframe between two clicks of your real user, or within the timeframe of his idle time.
In case of increased security is required, consider making a javascript that will reload your pages each n seconds and set cookie expiration time to that number of seconds. This will ensure that even if the user is idle, each n seconds his logcode is renewed. The smaller amount of time between two reloads, the more secure the access is. Also, you can combine this method with session-based user id and pass session ID within the cookie too, ensuring cookie cannot be stolen.
Actually, we consider cookie-based user identification to be very secure, except if accessed from a public computer, but a proper logout fixes the problem. Force your users to return and logout if their connections are broken.
Also, you can setup a javascript event handler that calls logout.php when the browser is closed, or removes the cookie manually. But, removing the cookie with javascript exposes your cookie name and parameters in your page’s sourcecode, so keep that in mind. By setting cookie names to some difficult-to-guess names can be an additional boost up to your security.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
/ 29 
