PHP Classes

PHP Secure Cookie: Store cookies allowing to detect unwanted changes

Recommend this page to a friend!
  Info   View files Example   View files View files (4)   DownloadInstall with Composer Download .zip   Reputation   Support forum (1)   Blog    
Ratings Unique User Downloads Download Rankings
Not enough user ratingsTotal: 295 This week: 1All time: 7,443 This week: 119Up
Version License PHP version Categories
safecookie 1.0.0Public Domain7HTTP, Security, PHP 7
Description 

Author

This class can store cookies allowing to detect unwanted changes.

It can set cookie values with a hash value that is computed using a secret salt value.

The class can also retrieve cookies verifying if the current value comes with a hash that is correct giving the secret salt.

Invalid cookies that may have been forged by attackers are discarded.

Innovation Award
PHP Programming Innovation award nominee
February 2019
Number 3
One way that can be used by hackers with malicious intentions is to somehow alter the values of cookies that are served by Web sites by spoofing values that make Web applications behave in ways that they were not intended.

This class can help avoiding that problem by storing cookie values that have an additional verification hash, so the class can also detect cookie alterations so applications can ignored spoofed cookie values.

Manuel Lemos
Picture of Ray Paseur
  Performance   Level  
Name: Ray Paseur is available for providing paid consulting. Contact Ray Paseur .
Classes: 8 packages by
Country: United States United States
Age: 73
All time rank: 2240311 in United States United States
Week rank: 131 Up15 in United States United States Up
Innovation award
Innovation award
Nominee: 5x

Winner: 1x

Example

<?php // demo/safe_cookie.php
/**
 * Demonstrate an anti-tamper cookie
 */
error_reporting(E_ALL);

require_once(
'class_SafeCookie.php');

ob_start();
echo
'<pre>';

// Set the cookie name (other values have reasonable defaults)
$name = 'My_Cookie';
$mycookie = new SafeCookie($name);

// First time the cookie will be empty
echo PHP_EOL . "Trying to get() cookie '$name'";
$value = $mycookie->get();
if (
$value) {
    echo
PHP_EOL . "The value of $name is '$value'";
} else {
    echo
PHP_EOL . "The value of $name was not returned";
}

// After setting the cookie value, subsequent HTTP requests will provide the cookie
$value = 'Hello from McLean, VA';
echo
PHP_EOL . "Trying to set('$value') on $name";
$mycookie->set($value);

// Try refreshing the browser or clicking this link to see the cookie being returned
echo PHP_EOL . '<a href="' . $_SERVER['PHP_SELF'] . '">Refresh to see the cookie status</a>';
echo
PHP_EOL;

// Try clicking this link to damage the cookie, then use the browser "back" button to see the effect
echo PHP_EOL . '<a target="remoteDetonator" href="aux_SafeCookie.php?n=' . urlencode($name) . '&v=bogus">Click here to damage the cookie</a>';


Details

class SafeCookie This Class demonstrates an anti-tamper cookie. Modern browsers make it somewhat difficult for the casual user to damage a cookie, but since cookies are part of the HTTP request (and nothing in an HTTP request can be trusted) it is useful to have a strategy to add a measure of trust to cookies. This class uses a salted md5() string to make a "mirror" of the cookie value. Any change in the value of the cookie will be detected. In this case the damaged cookie will be removed and the SafeCookie::get() method will return False. If the cookie is shown to be intact, the cookie value (minus the salted digest) will be returned. The cookie looks like this: cookieValue|salted_md5_digest To the left of the pipe is the value of the cookie. To the right of the pipe is the md5() of the SALTed value. As long as the SALT string is unknown to the attacker, there is almost no chance that a tampered cookie will be consumed. To see the Class in action, install the class script along with the "demo" and "aux" scripts in the same directory of your web server. Then run the demo script and try clicking the links to refresh the browser. On the first execution of the "demo" script the cookie is not yet present, but it will be set. On the second and subsequent execution of the "demo" script you will see the cookie being returned over and over again. To see what happens if the cookie is damaged, click the appropriately labeled link, then go back and refresh the browser window with the "demo" script. You will see that the damaged cookie is not returned by SafeCookie::get()

  Files folder image Files  
File Role Description
Accessible without login Plain text file aux_SafeCookie.php Aux. Auxilliary
Plain text file class_SafeCookie.php Class Class Source
Accessible without login Plain text file demo_SafeCookie.php Example Demonstration Script
Accessible without login Plain text file readme_SafeCookie.php Doc. Readme text file

 Version Control Unique User Downloads Download Rankings  
 0%
Total:295
This week:1
All time:7,443
This week:119Up