PHP integration of Cookies : Where security matters

Would you like to interact with the user's browser as a developer? Cookies store paths, temporary login details or tracking codes in the user's browser. Let's look at cookies in terms of security.

What is a cookie?

In simple words, a cookie is a bit of information that your browser stores on your hard drive when a website asks it to do so 🙂. The browser sends this cookie back to the web server on each request to the website that set it.

Do cookies send your private information to the web server?

The answer is no. A cookie can only contain information that you have already sent to the respective website, so you are responsible for what information you give a website. Cookies cannot discover information about you.

Cookies are only sent back to the web server that created them (unless your browser has a serious bug). Cookies can’t leak information from a site you trust to a site that you don’t trust.

In context

Cookies are used to track sessions or to store some temporary data related to your website.

A session is a set of accesses that all come from the same person. If a web site that you don't trust is using cookies for this purpose, it isn't "spying" on you. If you haven't sent it any information, it has no idea who you are. It just knows that (for example) random ID #23244432 accessed the web site 17 times on Monday, 3 times on Wednesday, and 86 times today. It can track which links random ID #23244432 used when getting somewhere, which may help the web site redesign its layout to be more convenient, or to know where best to put advertisements.

Cookies can also store information that you’ve sent them. For instance, if you shop there, they may store some sort of user id in a cookie so that it is easier to “log in” to that web site on future visits. In this case, they can relate the sessions to you personally. They can also sell that information — but this has nothing to do with cookies: you’ve given them personal information, they can sell it regardless of whether or not they use cookies. If you don’t want them to sell your personal information, I suggest you only do business with reputable web sites, and also make sure to read their statements on the use of personal information. Also, make sure they are running a secure server.

Developers: how should you handle cookies?

As I am a PHP lover, let us see how we can use cookies in PHP. The risk only arises when you save sensitive information about the user in their browser. Anyone who is new to PHP may think of saving the user's password, or other information such as credit card numbers, in a cookie. This is really a bad practice.

Note: Saving passwords or other secret information in a user's browser is a high security risk, and a site that stores such information is considered a non-trusted website.

So here we see how you can save simple login-related information in the user's browser. Let us write the PHP code for the Remember Me functionality of a website.

Step 1: Create a new field/column in the MySQL database named coopass (you can name it as you wish).

Use: This column holds the temporary password of the user which we set in the user's browser.

Step 2: Set the cookie in the user's browser. My approach uses arrays, as follows:


<?php
// Assumes $user (username), $userid and an open PDO connection $pdo already exist,
// just as the original assumed an open mysql_* link.
$my_arr = array();   // Considering array
$my_arr[0] = $user;  // Username at first location

// Creating a temporary random password (token) from the allowed character set.
// random_int() is a cryptographically secure generator; the original
// srand()/rand() pair is predictable, and its "% 33" could never pick the
// last character of the 34-character set.
function createRandomPassword() {
    $chars = "abcdefghijkmnopqrstuvwxyz023456789";
    $pass = '';
    for ($i = 0; $i < 8; $i++) {
        $pass .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $pass;
}

$passwordcook = createRandomPassword();
$passwordcook = md5($passwordcook); // Hashing the temporary password (md5 is a hash, not encryption)

// Adding the temporary password to the database. A prepared statement replaces
// mysql_query() (removed in PHP 7) and keeps $userid out of the SQL string.
$stmt = $pdo->prepare("UPDATE pf_users SET coopass = ? WHERE id = ?");
$stmt->execute(array($passwordcook, $userid));
$my_arr[1] = $passwordcook; // Assigning password in array at index 1

// Create the list for the cookie; we are using '|' as a separator
$cookie_content = implode("|", $my_arr);

// Setting the cookie for 60 days. HttpOnly keeps it out of reach of page scripts,
// and Secure is set whenever the request itself arrived over HTTPS.
setcookie("WebsiteCom", $cookie_content, time() + 60*60*24*60, "/", "", isset($_SERVER['HTTPS']), true);

In this way you save a fake/temporary password in the user's browser as a cookie, and each time the user logs in to your website the temporary password changes.
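Step 2 only writes the cookie; on the next visit the site still has to read it back and decide whether to trust it. The following is an added example, not code from the original post, showing that return-visit half of the scheme. It assumes an open PDO connection in $pdo, the pf_users table with the coopass column from Step 1, and a username column (the column name is an assumption; the post never names it).

```php
<?php
// Added example: verifying the "username|token" Remember Me cookie from Step 2.
// Assumes $pdo (open PDO connection) and pf_users(id, username, coopass);
// the "username" column name is an assumption.

/**
 * Parse the raw cookie value into array($user, $token).
 * Returns null when the format is not what Step 2 writes.
 */
function parseRememberCookie($raw) {
    if (!is_string($raw)) {
        return null;
    }
    $parts = explode("|", $raw, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    // Step 2 stores a 32-character hex md5 digest; reject anything else before touching the database.
    if (!preg_match('/^[0-9a-f]{32}$/', $parts[1])) {
        return null;
    }
    return array($parts[0], $parts[1]);
}

/**
 * Look up the user and compare the stored coopass with the cookie token.
 * Returns the user id on success, or null.
 */
function verifyRememberCookie(PDO $pdo, $raw) {
    $parsed = parseRememberCookie($raw);
    if ($parsed === null) {
        return null;
    }
    list($user, $token) = $parsed;

    $stmt = $pdo->prepare("SELECT id, coopass FROM pf_users WHERE username = ?");
    $stmt->execute(array($user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['coopass'] === null || $row['coopass'] === '') {
        return null;  // unknown user, or no Remember Me token issued
    }
    // hash_equals() compares in constant time, so a wrong token takes as long as a right one.
    if (!hash_equals($row['coopass'], $token)) {
        return null;
    }
    return (int) $row['id'];
}

// Usage on a page that should restore the login from the cookie:
if (isset($_COOKIE['WebsiteCom'])) {
    $userid = verifyRememberCookie($pdo, $_COOKIE['WebsiteCom']);
    if ($userid !== null) {
        session_start();
        session_regenerate_id(true);   // fresh session id for the newly authenticated user
        $_SESSION['userid'] = $userid;
    } else {
        // Invalid or stale cookie: expire it instead of leaving it to be retried on every request.
        setcookie("WebsiteCom", "", time() - 3600, "/");
    }
}
```

Two points worth noting about this design. The cookie is parsed and pattern-checked before any database work, so a malformed value never reaches a query. And because the post's scheme stores the same md5 value in the database and in the cookie, anyone who can read the coopass column holds valid cookies; the usual hardening is to store only a hash of the cookie token in coopass and compare the hash of the presented token with hash_equals().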

Finally, I strongly advise you not to store commercial or financial information such as credit card or bank account numbers in cookies.
Thanks for reading, Happy Coding. 🙂

abhijeet
Abhijeet specializes in developing software. A full-stack developer and Entrepreneur, he takes an idea and crafts it into a beautiful product - front to back. He develops on the LAMP Stack (PHP, MVC, Web API, Perl, Python, Azure, AWS, Google Cloud) and utilizes AngularJS and Angular Material for a structured client. Abhijeet is a self-starter with experience working in remote, agile environments mainly focusing on the security constraints. This is the developer, Project Manager and Consultant you are looking for.