Home/ Questions/Q 6190023
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T02:30:46+00:00

Hi folks would really appreciate your help in answering this rather involved question. Please

  • 0

Hi folks would really appreciate your help in answering this rather involved question. Please don’t dismiss me on length, I promise it’s an easy to comprehend read!

When and how should you obfuscate (if at all) $_SESSION and $_COOKIE variables in context to login.php and login_validation.php for the following membership based website?

This membership based website is written in php and uses mysql as its relational database.

login.php

<?php
//Connect to database
$email = $_POST['email'];   //from a text field
$password = $_POST['password']; //from a password field
$password= md5($password);
$stayLoggedIn= $_POST['stayLoggedIn'];  //from a checkbox, value="yes" for checked, value="no" for unchecked

$sql = "SELECT id 
        FROM users
        WHERE email='$email' AND password='$password'";

$query=mysql_query($sql);

if(mysql_num_rows($query)==1){
    $row = mysql_fetch_array($query);
    $id = $row["id"];   
    $encodedID_session= base64_encode("iofj4983rn9dh83$id");
    $_SESSION['id'] =$encodedID_session;

    if($stayLoggedIn== 'yes'){
        $encodedID_cookie=base64_encode("dj02359t5ng842$id");
        setcookie("idCookie", $encodedID_cookie, time()+60*60*24*7, "/");
        setcookie("passwordCookie", $password, time()+60*60*24*7, "/");
    }
 }
?>

He has a file called login_validation.php which goes at the top of every single page of the website (except login.php).

login_validation.php

first it decodes the session and cookie variables if they are set (example for decoding session variable below)

$decodedID = base64_decode($_SESSION['id']);
$array = explode("iofj4983rn9dh83", $decodedID);
$id = $array[1];

Then it does only one of the following:

  • if the session AND cookie are not set it displays the header “You are not logged in”
  • if the session is set, it queries mysql to find the name of the person in the same row as
    his or her id and displays the personalized header “You are logged in,
    welcome Bonzo!”
  • if the session is not set but the cookies are set (ex. user selected
    stayLoggedIn, shut down his computer, and opened up a fresh browser) it queries mysql to find
    the name of the person in the same row as his or her id and displays
    the personalized header “You are logged in, welcome Bonzo!”

The developer has done a few things which I left me a little confused like obfuscating a session variable, or obfuscating two (instead of one) cookie. Also his method of obfuscation using base64 seems vulnerable to threat if someone got a hold of his nonsense strings he appends.

When and how should you obfuscate (if at all) $_SESSION and $_COOKIE variables in context to login.php and login_validation.php for this membership based website?

Thank you, thank you!

EDIT: Just to clarify I did not pay anyone for this code, instead I’m trying to learn php and got this code from a php tutorial which looked like it could be improved.

EDIT 2: The password is now hashed before validation

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You don’t need to obfuscate anything stored in the _SESSION variable. It is not sent to the client, so you can trust it with sensitive information.

    I would recommend that you generate and store a unique authentication token for each logged in user. PHP will maintain the session even after a user has logged out (PHP doesn’t know about “logging in” and “logging out”), so keep the idCookie and store it’s value along with the user id, for example:

    if ($stayLoggedIn) {
    $token = sha256(generateRandomNumber());
    $_SESSION["token"] = $token;
    $_SESSION["userid"] = $id;
    setcookie("authenticationtoken", $token, ...)
}

    When you are verifying authentication check that the “authenticationtoken” cookie matches the stored session variable. The authentication token must be random and never re-used. When a user logs out unset the session’s “token” and “userid” variables.

    The way you have it right now means an attacker can watch the cookies going past over the wire and do a simple reverse md5 lookup (rainbow tables for alphanumeric strings are pretty easy to generate) to obtain a user’s password. The attacker can also easily guess other users’ session ids.

    Remember to use https everywhere to prevent cookie stealing. If you are sending authentication tokens over http then you might as well not bother even checking passwords (think Firesheep).

    Also, and this is important, don’t store cleartext passwords in your database. You should use something like bcrypt (there’s a function for it in PHP) for password storage. If an attacker compromises your database then they have obtained all your users’ passwords. This is A Bad Thing (think Playstation Network).

    As important: Make sure you sanitize user input. Don’t just pass user input straight to the database. You need to properly escape any special SQL characters, otherwise you are vulnerable to SQL injection.

    • 0