changing cookie value as user//security pages

  • Inito
  • Graduate
  • Posts: 223

Post 3+ Months Ago

I'm having a conflict with a login network I'm busy on.


My primary question is whether it is possible (as a user) to change the value of a cookie. If it is, how hard would it be?
This is from the security side, because I'd need to know this to see if I should proceed.

However, I think what I've thought of is a bit inefficient.
I was wondering if someone had the patience to read this and see how I could strengthen it up.

The client wants to have it as a header to the left on the website, so that's why it's kind of complicated.

Basically, what I'm doing is: the user fills in his username and password and clicks submit, the form is sent to another file, which is a quick redirector (actually not quick enough, the address of the file still shows in the address bar for about 0.2 seconds).
That file sets 3 cookies: one variable "login" with the value 1, so that the header knows not to show the login fields anymore;
2, the filled-in username;
3, the filled-in password.
It redirects back to the website (the login header is include()d in the website); this time, the branch
if($login==1 && $username && $password){}
is entered,

whereafter it connects to the database and uses
while($members = mysql_fetch_array($members_result)) {}
Within this while, it is checked whether the password and username correspond to the ones in the database (every row in the table is checked in turn, since I'm using a while()).

The check for the correct username and password goes as follows:
if($username==$members['members_username'] && $password==$members['members_password']){}
If the branch is entered, the user's options are displayed (also varying with the user's level), and $infail is set to 1.

Why? Because if the branch is not entered, i.e. if the username and password together do not correspond to any entry in the database, an error is displayed.
However, the filled-in username and password can only match 1 of the entries in the database, so it would mean the error would be displayed each time.

Here's the real conflict with this way of doing it:
when the user goes to edit their profile, editing everything goes fine, except the password (they're not allowed to change their username).
You see, the password in the database changes when they click on update, but the one in the cookies doesn't.
Because the included file (the one that shows the options or login fields) checks every time whether the username and password correspond, this doesn't work. You'd have to log in again.

If I try to use an if() in the same edit-profile file to edit the cookie when update has been clicked, it says the output already started on line 13 (<head>). However, I do have it at the very top, so I gave up on that.

Or I could direct it to another page again, just like with the login, to edit the cookie there. I'd have to update it there, but I'm not sure how fast it'll go, since it's meant to redirect quickly, and I'm looking for an even quicker one.

If I set a cookie with the user id instead of the username and password, the cookie would never need to be changed.
However, if the user were able to change the value of that cookie, he could change the password of that user.

But all in all, I think it still is a bit inefficient.

If you've read it to this point, I'd like to thank you in advance.
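To the question in the post: yes, a user can change any cookie value at will (browser dev tools, a proxy, or a hand-written Cookie header), so a cookie is untrusted input. The added example below is not the poster's code and is in Python rather than PHP; the members table, the hashing and the key handling are constructed stand-ins. It puts the forgeable user-id cookie the post considers (naive_lookup) beside an HMAC-signed cookie whose payload also carries a fingerprint of the stored password. The server can detect any edit to the uid, and a password change makes every old cookie stale without the server having to rewrite the cookie from the edit-profile page at all.

```python
"""Tamper-evident login cookie (added example, not the original post's code)."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Signing key known only to the server. A real app loads it from config or a
# secrets store; generating it per process (as here) logs everyone out on restart.
SERVER_KEY = secrets.token_bytes(32)


def _hash_password(password: str) -> str:
    # sha256 keeps the example short; store real passwords with bcrypt/scrypt/Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for the post's members table.
MEMBERS = {
    42: {"username": "alice", "password_hash": _hash_password("old-pass"), "level": 1},
    1:  {"username": "admin", "password_hash": _hash_password("root-pass"), "level": 9},
}


def naive_lookup(cookie_value: str):
    """The user-id cookie the post considers: whatever uid the client sends is trusted."""
    try:
        uid = int(cookie_value.split("=", 1)[1])
    except (IndexError, ValueError, AttributeError):
        return None
    return MEMBERS.get(uid)


def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _password_fingerprint(member: dict) -> str:
    # Derived from the stored hash, so it changes whenever the password does,
    # while revealing nothing about the hash itself to the cookie holder.
    return hashlib.sha256(("pwfp:" + member["password_hash"]).encode()).hexdigest()[:16]


def issue_login_cookie(user_id: int) -> str:
    """Cookie value: <uid>:<password fingerprint>:<HMAC over the first two fields>."""
    payload = f"{user_id}:{_password_fingerprint(MEMBERS[user_id])}"
    return f"{payload}:{_mac(payload.encode())}"


def verify_login_cookie(cookie_value: str):
    """Return the member record, or None if the cookie is malformed, edited or stale."""
    try:
        uid_s, fingerprint, sig = cookie_value.split(":")
        uid = int(uid_s)
    except (AttributeError, ValueError):
        return None
    payload = f"{uid_s}:{fingerprint}".encode()
    # Constant-time comparison on bytes: a str with non-ASCII input would raise.
    if not hmac.compare_digest(_mac(payload).encode(), sig.encode()):
        return None  # uid or fingerprint was changed client-side
    member = MEMBERS.get(uid)
    if member is None or not hmac.compare_digest(
        _password_fingerprint(member).encode(), fingerprint.encode()
    ):
        return None  # password changed since the cookie was issued: re-login required
    return member


def change_password(user_id: int, new_password: str) -> None:
    """Update only the database row; outstanding cookies for this user stop verifying."""
    MEMBERS[user_id]["password_hash"] = _hash_password(new_password)


def set_cookie_header(user_id: int) -> str:
    """Set-Cookie line with the flags a login cookie should carry."""
    cookie = SimpleCookie()
    cookie["login"] = issue_login_cookie(user_id)
    cookie["login"]["httponly"] = True   # not readable from page scripts
    cookie["login"]["secure"] = True     # only sent over HTTPS
    cookie["login"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    cookie["login"]["path"] = "/"
    return cookie.output()


def member_from_request(cookie_header: str):
    """Parse an incoming Cookie header and verify the login cookie it carries."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("login")
    return verify_login_cookie(morsel.value) if morsel else None


if __name__ == "__main__":
    issued = issue_login_cookie(42)
    print("valid  :", verify_login_cookie(issued)["username"])
    uid, fp, sig = issued.split(":")
    print("forged :", verify_login_cookie(f"1:{fp}:{sig}"))
    change_password(42, "new-pass")
    print("stale  :", verify_login_cookie(issued))
```

The same idea carries over to PHP with hash_hmac() and hash_equals(), and the lookup becomes a single `WHERE members_id = ?` query rather than a loop over every row. A server-side session keyed by a random token (PHP's session_start()) achieves the same thing with nothing but an opaque id in the cookie; the signed-cookie form is shown here because it makes visible why an edited value is rejected.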
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.