Safer Cookies
Encrypt, or protect with a hash, any data stored client side (cookies, hidden form fields).
Setting Cookie with Hash
$server_side_salt = 'random string';          // secret kept only on the server
$cookie_hash      = sha1($user_id . $server_side_salt);
setcookie('MYSITE', $user_id . ':' . $cookie_hash);
HTTP Headers
Cookie: MYSITE=23:5ae4cea15a227e781846203737cba11c
Validating
$server_side_salt = 'random string';          // same value used when the cookie was set
if (!isset($_COOKIE['MYSITE']) || substr_count($_COOKIE['MYSITE'], ':') !== 1) {
    exit; // Missing or malformed cookie: list()/explode() would otherwise fail.
}
list($cookie, $cookie_hash) = explode(':', $_COOKIE['MYSITE']);
if (sha1($cookie . $server_side_salt) !== $cookie_hash) {
    // Invalid cookie.
    exit; // or error
}
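The same user-id cookie, issued and checked with an HMAC instead of sha1(id . salt), as an added example that is not part of the original slides. It assumes a hypothetical server-side key $secret loaded from configuration; the ':'-separated layout and the MYSITE cookie name are taken from the slides.

```php
<?php
// Added example (not from the original slides). Assumption: $secret is a
// server-side key loaded from config; the literal below is a placeholder.
$secret = 'PLACEHOLDER-load-from-config-not-source';

function sign_cookie_value(string $user_id, string $secret): string
{
    // HMAC-SHA256 over the id, keyed with the secret. Unlike sha1(id . salt),
    // the key is mixed in as a proper MAC key rather than concatenated data.
    $mac = hash_hmac('sha256', $user_id, $secret);
    return $user_id . ':' . $mac;
}

function verify_cookie_value(?string $raw, string $secret): ?string
{
    // Returns the user id on success, null on any failure (missing cookie,
    // wrong layout, non-numeric id, bad MAC). Callers treat null as "not logged in".
    if ($raw === null || substr_count($raw, ':') !== 1) {
        return null;
    }
    [$user_id, $mac] = explode(':', $raw, 2);
    if ($user_id === '' || !ctype_digit($user_id)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user_id, $secret);
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the supplied MAC were correct.
    return hash_equals($expected, $mac) ? $user_id : null;
}

// Issuing: Secure + HttpOnly + SameSite so the cookie is not sent in the
// clear, is not readable by page script, and is not attached to cross-site POSTs.
if (PHP_SAPI !== 'cli') {
    setcookie('MYSITE', sign_cookie_value('23', $secret), [
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validating: the genuine value passes, a changed id with the old MAC fails,
// and a missing cookie fails instead of raising an undefined-index notice.
$good     = sign_cookie_value('23', $secret);
$tampered = '24:' . explode(':', $good, 2)[1];
var_dump(verify_cookie_value($good, $secret));
var_dump(verify_cookie_value($tampered, $secret));
var_dump(verify_cookie_value($_COOKIE['MYSITE'] ?? null, $secret));
```

Run it under the CLI to see the three verification results; the setcookie() call is skipped there because headers cannot be sent.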
Regarding SHA1 and its integrity
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
http://en.wikipedia.org/wiki/SHA_hash_functions