Another quick tutorial I decided to write not so long after my last one. A question (or comment really) I always hear is, "Why do you use cookies? They're so insecure."
Cookies are clear text and the client can alter them at will, but that alone does not make a cookie-based login insecure. If your code re-validates the cookie against the database on every request, a forged cookie gets an attacker nowhere unless they already hold a valid name/hash pair. What that check cannot protect is the cookie contents themselves: anyone who can read the cookie (here it carries the md5 of the password) can replay it until it expires, so send it over HTTPS only and mark it HttpOnly so page scripts cannot read it.
Well, let's start with a functions.php file to create the login/logout functions and we'll work our way from there.
This is more of an intermediate tutorial, so I'll assume you know at least the basics of PHP. What we'll do here (examine the code for the exact details) is read the cookie and, in our "check" function, look its contents up again in the database on every request.
functions.php
PHP:
<?php
/**
 * Secure Cookies Tutorial by RageD
 * (C) 2008 RageD
 *
 * Note: this uses the old mysql_* extension, which was removed in PHP 7.
 * The logic is unchanged if you swap in the mysqli_* equivalents.
 */
if(!defined("IN_SCRIPT"))
{
    print "Unauthorized Access";
    exit;
}

class Cookie
{
    /**
     * Error counter (an integer, so ++ behaves as expected)
     *
     */
    public $err = 0;

    /**
     * Constructor :)
     *
     */
    function __construct()
    {
        // I normally code a MySQL connector function in my scripts which would
        // work like $this->GLOBALVAR->connect();
        // But since this is a snippet, we'll just be using the basics
        mysql_connect('localhost','USER','PASS');
        mysql_select_db('DATABASE');
        // See if we have any errors connecting...
        if(mysql_error())
        {
            $this->err++; // must be $this->err: a bare $err here is an undefined local
        }
        // Report errors
        if($this->err > 0)
        {
            print "We've encountered a MySQL Error!<br /><br />".mysql_error();
            exit;
        }
    }

    /**
     * Login function, stores cookies, etc.
     *
     * @param string $name
     * @param string $pass
     * @param bool   $enc  hash the password with md5 before the lookup (default true).
     *                     Pass a real boolean: the string "false" is truthy in PHP.
     */
    function login($name,$pass,$enc=true)
    {
        // Convert pass to md5 if hashing enabled. By default, it is.
        // (md5 is what the users table stores; it is fast and unsalted, so
        // it is a demo choice, not a recommendation for real password storage.)
        if($enc)
        {
            $pass = md5($pass);
        }
        // Escape what goes into the SQL: $name (and $pass when $enc is false)
        // is user input and would otherwise be spliced straight into the query.
        $q_name = mysql_real_escape_string($name);
        $q_pass = mysql_real_escape_string($pass);
        // Now, let's continue! Query #1: Finding information :)
        $query = "SELECT * FROM users WHERE name='".$q_name."' AND pass='".$q_pass."' LIMIT 1;";
        $result = mysql_query($query);
        // Make sure the information given is valid
        if(!$result OR mysql_num_rows($result) == 0)
        {
            print "Uh-oh! Incorrect login information.";
            exit;
        }
        // Passed the test, now set it... (setcookie() must run before any output,
        // and the values only show up in $_COOKIE on the *next* request)
        setcookie("PRACTICE[name]",$name, time()+3600); // Define the cookie. Let it expire after an hour
        setcookie("PRACTICE[pass]",$pass, time()+3600); // This is why hashing is recommended: the cookie stores pass
        return;
    }

    /**
     * Logout function
     *
     * Deletes cookies :)
     *
     */
    function logout()
    {
        setcookie("PRACTICE[name]","", time()-10); // Send the cookies back, they forgot the milk! :(
        setcookie("PRACTICE[pass]","", time()-10); // No, seriously. The time()-10 means they expired 10 seconds ago
    }

    /**
     * Check function
     *
     * Finally, the security comes into play :)
     *
     * @return bool true when the cookie pair matches a users row
     */
    function check()
    {
        // Make sure a cookie is set too xD (isset() avoids undefined-index notices)
        if(!isset($_COOKIE['PRACTICE']['name']) OR !isset($_COOKIE['PRACTICE']['pass']))
        {
            return false;
        }
        // Cookie values come straight from the client, so escape them before
        // they go anywhere near the query.
        $name = mysql_real_escape_string($_COOKIE['PRACTICE']['name']);
        $pass = mysql_real_escape_string($_COOKIE['PRACTICE']['pass']);
        // Redundancy is beautiful *tear*
        $query = "SELECT * FROM users WHERE name='".$name."' AND pass='".$pass."' LIMIT 1;";
        $result = mysql_query($query);
        // Check.. Grr.. They tried to pull a fast one :-| or something bugged?! :(
        if(!$result OR mysql_num_rows($result) == 0)
        {
            // Expire the cookies *before* printing: setcookie() sends headers,
            // which fail once any output has gone out.
            $this->logout();
            print "Session Expired.";
            exit;
        }
        print "It worked!"; // Probably can comment this out :)
        return true;
    }
}
?>
Here's the index.php file to make this all come together a little bit.
index.php
PHP:
<?php
/**
 * Secure Cookies Tutorial by RageD
 * (C) 2008 RageD
 *
 */
// Script security :)
define("IN_SCRIPT", true);
require_once("functions.php");
// Define $session var for use of the "Cookie" class
$session = new Cookie;
// Login :) -- pass a real boolean for $enc; the string "false" is truthy in PHP
// and would switch md5 hashing *on* instead of off.
$session->login("USER","PASS",false);
$session->check(); // Check
// Cookies set by login() only arrive in $_COOKIE on the next request,
// so guard the print with isset() to avoid notices on the first load.
if(isset($_COOKIE['PRACTICE']['name']) AND isset($_COOKIE['PRACTICE']['pass']))
{
    print "<br /><br />Let's print our cookie information:<br />Username: "
        .$_COOKIE['PRACTICE']['name']."<br />Password: ".$_COOKIE['PRACTICE']['pass'];
}
/**
 * I understand there are better ways to implement this into a script
 * However, my intent was to show the basics so people understand how
 * it all works. Other uses of the "Cookie" class (defined as $session)
 * are below:
 *
 * $session->check(); // Will check cookies against DB
 * $session->login(USERNAME,PASSWORD,true|false) // Enc should be the
 * boolean true or false (no quotes). true recommended
 * $session->logout(); // Will obviously log a user out.
 *
 */
?>
To test this script, use this simple database.sql file for the database structure used here:
Code:
CREATE TABLE users (
`id` BIGINT(10) NOT NULL AUTO_INCREMENT,
`name` VARCHAR(32) NOT NULL,
`pass` VARCHAR(32) NOT NULL,
PRIMARY KEY (`id`)
);
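The three files above validate a cookie by replaying the username and password hash it carries against the users table. As an added example (not part of RageD's post), here is the same "check the cookie against the database on every request" idea with the cookie carrying only a random per-login token: the password hash never leaves the server, the token is stored hashed in a sessions table so a database read alone cannot forge a cookie, lookups use PDO prepared statements instead of string concatenation, and passwords are stored with password_hash(). It runs offline on PHP 7.3+ against an in-memory SQLite database; the table names, the cookie name "PRACTICE", the sample user "alice" and her password are all constructed for the example.

```php
<?php
// Added example, not RageD's original code: token-in-cookie login with the
// "redundant" DB check. Assumes PHP 7.3+ with the pdo_sqlite extension;
// table/cookie names and the sample user are constructed for this demo.
declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass TEXT)");
        $pdo->exec("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)");
        // Constructed sample user; the password is stored with password_hash(), not md5.
        $ins = $pdo->prepare("INSERT INTO users (name, pass) VALUES (?, ?)");
        $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Verify the credentials; on success create a session row and return the
// token that goes into the cookie (null on failure).
function login(string $name, string $pass): ?string
{
    $st = db()->prepare("SELECT id, pass FROM users WHERE name = ? LIMIT 1");
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256-bit random token, unrelated to the password
    $st = db()->prepare("INSERT INTO sessions (token_hash, user_id, expires) VALUES (?, ?, ?)");
    $st->execute([hash('sha256', $token), (int)$row['id'], time() + 3600]);
    return $token;
}

// The redundant check: on every request, look the cookie token up in the DB.
// Returns the username for a live session, null for anything else.
function check(?string $cookieToken): ?string
{
    if ($cookieToken === null || !preg_match('/^[0-9a-f]{64}$/', $cookieToken)) {
        return null; // missing or malformed cookie
    }
    $st = db()->prepare(
        "SELECT u.name FROM sessions s JOIN users u ON u.id = s.user_id
         WHERE s.token_hash = ? AND s.expires > ?"
    );
    $st->execute([hash('sha256', $cookieToken), time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// Logout invalidates the session server-side, so the cookie is dead even if
// the browser keeps it.
function logout(?string $cookieToken): void
{
    if ($cookieToken !== null) {
        $st = db()->prepare("DELETE FROM sessions WHERE token_hash = ?");
        $st->execute([hash('sha256', $cookieToken)]);
    }
}

// In a real page you would send the token with the hardening flags, before any output:
//   setcookie('PRACTICE', $token, ['expires' => time() + 3600, 'path' => '/',
//             'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
// and read it back as $_COOKIE['PRACTICE'] on the next request.

// Simulated requests (no browser involved):
$token = login('alice', 'correct horse');
$ok = $token !== null
   && check($token) === 'alice'                 // valid cookie -> user resolved
   && check(str_repeat('0', 64)) === null       // forged cookie -> rejected
   && login('alice', 'wrong') === null;         // bad password -> no session
logout($token);
$ok = $ok && check($token) === null;            // logged-out token no longer valid
echo $ok ? "all checks passed\n" : "FAIL\n";
```

The database still does the "redundant" work on every request, which is the point of the original tutorial; what changes is what a stolen or forged cookie is worth. A token is only valid until logout() or expiry, it cannot be used to recover the password, and because only its SHA-256 is stored, someone who dumps the sessions table cannot mint working cookies from it.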
Well, if there are any questions or anything, just let me know. This is just a basic overview that assumes a lot from you guys :P, so contact me with any more questions!
-RageD