
PHP Secure Cookie: Store cookies allowing to detect unwanted changes

Last updated: 2019-03-05
Version: safecookie 1.0
License: Public Domain
PHP version: 7
Categories: HTTP, Security, PHP 7
Description

This class can store cookies allowing to detect unwanted changes.

It can set cookie values with a hash value that is computed using a secret salt value.

The class can also retrieve cookies, verifying that the current value comes with a hash that is correct given the secret salt.

Invalid cookies that may have been forged by attackers are discarded.

Innovation Award
PHP Programming Innovation Award nominee, February 2019
One way that can be used by hackers with malicious intentions is to somehow alter the values of cookies that are served by Web sites, spoofing values that make Web applications behave in ways that were not intended.

This class can help avoid that problem by storing cookie values that have an additional verification hash, so the class can also detect cookie alterations and applications can ignore spoofed cookie values.

Manuel Lemos
Author
Name: Ray Paseur
Classes: 7 packages
Country: United States
Innovation award: Nominee 5x, Winner 1x

Details
class SafeCookie

This Class demonstrates an anti-tamper cookie.

Modern browsers make it somewhat difficult for the casual user to damage a cookie,
but since cookies are part of the HTTP request (and nothing in an HTTP request can
be trusted) it is useful to have a strategy to add a measure of trust to cookies.

This class uses a salted md5() string to make a "mirror" of the cookie value.  Any
change in the value of the cookie will be detected.  In this case the damaged
cookie will be removed and the SafeCookie::get() method will return false.  If the
cookie is shown to be intact, the cookie value (minus the salted digest) will be
returned.

The cookie looks like this:

   cookieValue|salted_md5_digest

To the left of the pipe is the value of the cookie.  To the right of the pipe is
the md5() of the SALTed value.

As long as the SALT string is unknown to the attacker, there is almost no chance
that a tampered cookie will be consumed.  Two caveats for anyone adapting the idea:
md5() over a secret concatenated with the value is not a keyed MAC (secret-prefix
constructions over Merkle-Damgard hashes are open to length extension), so new code
should produce the digest with hash_hmac() over SHA-256; and the digest should be
compared with hash_equals() rather than ==, so the check runs in constant time and
is not affected by PHP's loose comparison of numeric-looking strings.  Note also
that the value itself travels in clear: the scheme provides integrity, not secrecy.
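The value|digest layout described above, as an added example that is not the SafeCookie class itself (the class source is in class_SafeCookie.php): the digest is produced with hash_hmac() over SHA-256 instead of a bare salted md5(), compared with hash_equals(), and the payload is split at the last pipe so that a value containing a pipe still round-trips. COOKIE_SECRET, seal(), unseal() and readSafeCookie() are names chosen for this illustration and are not the class's API; the cookie strings at the bottom are constructed here so the script runs from the command line without a browser.

```php
<?php
// Added illustration of an anti-tamper cookie; not the SafeCookie class.
declare(strict_types=1);

// Placeholder secret for the demo: a real one is long, random, and kept out of
// the web root (e.g. loaded from the environment).
const COOKIE_SECRET = 'replace-me-with-32-plus-random-bytes';

/** Build the cookie payload: value|hex digest of the value under the secret. */
function seal(string $value, string $secret = COOKIE_SECRET): string
{
    // A keyed HMAC rather than md5($secret . $value): no length extension.
    $digest = hash_hmac('sha256', $value, $secret);
    return $value . '|' . $digest;
}

/** Return the original value if the payload is intact, otherwise false. */
function unseal(string $payload, string $secret = COOKIE_SECRET)
{
    // The hex digest never contains '|', so split at the LAST pipe; values
    // that contain a pipe themselves are then parsed correctly.
    $pos = strrpos($payload, '|');
    if ($pos === false) {
        return false;
    }
    $value    = substr($payload, 0, $pos);
    $digest   = substr($payload, $pos + 1);
    $expected = hash_hmac('sha256', $value, $secret);
    // hash_equals() is a constant-time, strict string comparison.
    return hash_equals($expected, $digest) ? $value : false;
}

/** The get() side of the readme: verify, and expire the cookie on failure. */
function readSafeCookie(string $name, array $cookies, string $secret = COOKIE_SECRET)
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return false;
    }
    $value = unseal($cookies[$name], $secret);
    if ($value === false && !headers_sent()) {
        // Tell the client to drop the damaged cookie.
        setcookie($name, '', time() - 3600, '/');
    }
    return $value;
}

// --- constructed demonstration: what an attacker might send back ---
$good  = seal('user=42');
$cases = [
    'intact'         => $good,
    'value changed'  => 'user=1|' . substr($good, strpos($good, '|') + 1),
    'digest changed' => 'user=42|' . str_repeat('0', 64),
    'no delimiter'   => 'user=42',
    'pipe in value'  => seal('a|b'),
];
foreach ($cases as $label => $payload) {
    $result = unseal($payload);
    printf("%-15s -> %s\n", $label, $result === false ? 'REJECTED' : 'ok: ' . $result);
}

// The same check driven from a $_COOKIE-shaped array, as the class's get() would be.
var_dump(readSafeCookie('session', ['session' => $good]));
var_dump(readSafeCookie('session', ['session' => 'user=42|deadbeef']));
```

Only the intact payload and the pipe-in-value payload pass; a changed value, a changed digest and a payload with no delimiter are all rejected, and the second readSafeCookie() call returns false after queuing an expiry for the cookie.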

To see the Class in action, install the class script along with the "demo" and
"aux" scripts in the same directory of your web server.  Then run the demo script
and try clicking the links to refresh the browser.

On the first execution of the "demo" script the cookie is not yet present, but
it will be set.  On the second and subsequent execution of the "demo" script you
will see the cookie being returned over and over again.

To see what happens if the cookie is damaged, click the appropriately labeled
link, then go back and refresh the browser window with the "demo" script.  You
will see that the damaged cookie is not returned by SafeCookie::get().
Files
File                   Role     Description
aux_SafeCookie.php     Aux.     Auxiliary
class_SafeCookie.php   Class    Class source
demo_SafeCookie.php    Example  Demonstration script
readme_SafeCookie.php  Doc.     Readme text file
