
Today I finished programming my project, and now I'm trying to find some bugs in my code. I realized that when I want to change my info (like users) I can edit my user id from Tamper Data (an add-on to change header data) and I can change my level (from user to admin) via Tamper Data :/ This is the code I use for setting the cookie:

    setcookie('level', $login['level'], time()+120*120*48);
    setcookie('username', $login['username'], time()+120*120*48);
    setcookie('uid', $login['uid'], time()+120*120*48);

I use $_COOKIE['uid'] when users try to add a comment; it goes into the database as just a number (you know that).

And I want to give you this code; I use it to start the session, and it is at the start of every file.

    include("cookiesset.php");
    ob_start();
    session_start();
    if($_COOKIE['level'] != 1){ ... }else{ ... }

And this is the cookie I have in the header:

uid=1; level=1; username=asd; PHPSESSID=ldr48bua487pjmtvohp53tr662; LoginForm=r9imqbnj2csfrmsu50i9kn0q54 

OK, how can I fix it? I want to secure my website.

If there is no solution, I want to ask.

  • Then, stop using "uid" and level in cookies. Create a table like "user_role" or something, then create a cookie which contains an encrypted key, for example sha256('really_big_big_random_string'), and store that value in a database so you can do something like [key][uid][level][username] in the table (columns). Select from that table where the key is the cookie value and then get the results, so you don't show any important value in the cookie; fetching them from a table is a little more secure. Commented Jan 17, 2017 at 23:53
  • @Asfo it's a very good idea. I will try it if there is no other solution. Commented Jan 17, 2017 at 23:56
  • You could use encryption directly in the cookie, but it's still insecure because they can just "reverse" it (and with luck find the value and trade it)... I think this is the more secure way if you really need those values; the other option is to use SESSIONS if your cookies live only while the user is on the site ... Commented Jan 18, 2017 at 0:04
  • Don't use cookies, use sessions. Commented Jan 18, 2017 at 0:04
  • @Asfo no, your first idea is great, and a cookie is good because you don't want to log in for a long time, and I don't know a lot about sessions; I just use sessions for my control panel with a firewall. Commented Jan 18, 2017 at 0:21

1 Answer

Thanks guys for everything you gave me. I tried to create a new column holding a user key, but it needs more time to create and to edit all the files in the project, so I tried to learn SESSION and how it works. I found this: http://www.w3schools.com/php/php_sessions.asp. It's so easy to learn (in the old days, I think it wasn't easy).

Now I use

    $_SESSION["level"] = $login['level'];
    $_SESSION["username"] = $login['username'];
    $_SESSION["uid"] = $login['uid'];

after I have checked the username and password against the database,

and this in the files:

    ob_start();
    session_start();
    if($_SESSION['level'] != 1){ ... }else{ ... }

From Tamper Data and other tools,

PHPSESSID=d4i4itbp8p7ri4juvqd690t9a5 

I just see PHPSESSID.

Thanks to all of you, everything is great now, and big thanks to @Asfo and @miken32 for giving me good advice.

I hope that if there is anything wrong in my code you will edit it and help me :)

EDIT

Thanks for everything, but I realised that when I delete (d4i4itbp8p7ri4juvqd690t9a5) from PHPSESSID I get a "file path disclosure" bug. I fixed it by putting error_reporting(0); after session_start();, and everything will be all right for whoever wants their script without bugs ;)

    error_reporting(0);
    ob_start();
    session_start();
    if($_SESSION['level'] != 1){ ... }else{ ... }
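The session-based approach from this answer, written out as a complete added example (not the asker's code or anything from the linked tutorial): it assumes PHP 7.3+, a PDO connection in $pdo, and a hypothetical `users` table (uid, username, level, password_hash) whose password_hash column was produced by password_hash(), with level 1 as the privileged role. It also shows the usual alternative to error_reporting(0) for the path-disclosure problem: turning off display_errors while still logging errors.

```php
<?php
// Added example, not the asker's code. Assumes PHP 7.3+, a PDO connection
// $pdo and a `users` table (uid, username, level, password_hash) where
// password_hash came from password_hash(); level 1 is the privileged role.
// Keep error details (file paths) out of responses without hiding them
// from you: log errors instead of suppressing them with error_reporting(0).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// Session cookie that script cannot read and that is only sent over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Called after the login form is submitted.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT uid, username, level, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $login = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($login === false || !password_verify($password, $login['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // new id on login: no session fixation
    $_SESSION['uid']      = (int) $login['uid'];      // only the server writes these;
    $_SESSION['username'] = $login['username'];       // the client holds just PHPSESSID
    $_SESSION['level']    = (int) $login['level'];
    return true;
}

// At the top of every protected page. Strict comparison, no loose != on strings.
function require_level(int $needed): void
{
    if (!isset($_SESSION['uid'], $_SESSION['level']) || $_SESSION['level'] !== $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// The comment's author is the session's uid, never an id supplied by the client.
function add_comment(PDO $pdo, string $body): void
{
    if (!isset($_SESSION['uid'])) {
        http_response_code(401);
        exit('Login required');
    }
    $stmt = $pdo->prepare('INSERT INTO comments (uid, body) VALUES (?, ?)');
    $stmt->execute([$_SESSION['uid'], $body]);
}
```

With this layout the only value a browser can tamper with is PHPSESSID itself, and uid and level are read from server-side session storage on every request.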