
Can a user manipulate cookies?

Tags: php, cookies

I have a question regarding usage of cookies for standard login purposes. Say my PHP script saves a cookie onto a user's computer each time he logs in. The cookie value is, say, "Mike", after his username at the website. Can that user somehow manipulate that cookie in his browser to change the value to, say, "Admin", so suddenly he has access to administration of the website?

If this could happen, how do I solve such a security risk?

--

Additionally... What if someone were to copy cookies from my browser? Either he would stare at my computer screen and copy cookies and values into his computer, or such an intruder could steal cookies from my browser via JavaScript.

How is that taken care of?

John Doe asked Jan 16 '13 17:01


1 Answer

Yes, that is a security problem, which extends to any information provided by the client.

Cookies are stored on the user's machine. They can be modified in any way. In fact, the cookies can just be created on the fly and sent via several utilities for making HTTP requests. It isn't even a browser problem.

Never trust any data that comes from the client.

Brad answered Sep 22 '22 11:09
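One way to detect the "Mike" to "Admin" edit described in the question, as an added example that is not part of the question or the answer above: the server signs the cookie value with an HMAC and rejects any cookie whose signature does not match. The helper names `sign_cookie` and `verify_cookie`, the cookie name `user` and the key are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed demo key. Assumption: the real key lives in server-side config only.
const COOKIE_KEY = 'constructed-demo-key-not-for-production';

// Hypothetical helper: build the cookie value as base64(value) . '.' . HMAC(value).
function sign_cookie(string $value, string $key): string
{
    return base64_encode($value) . '.' . hash_hmac('sha256', $value, $key);
}

// Hypothetical helper: return the original value, or null when the cookie
// is malformed or its value no longer matches the signature.
function verify_cookie(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $value = base64_decode($parts[0], true);
    if ($value === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $value, $key);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $parts[1]) ? $value : null;
}

// What the server would send at login, e.g. with
// setcookie('user', $issued, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
$issued = sign_cookie('Mike', COOKIE_KEY);

// Constructed tampering: the client swaps the value but cannot recompute the HMAC.
$signature = explode('.', $issued, 2)[1];
$tampered  = base64_encode('Admin') . '.' . $signature;

var_dump(verify_cookie($issued, COOKIE_KEY));    // untouched cookie
var_dump(verify_cookie($tampered, COOKIE_KEY));  // edited cookie
var_dump(verify_cookie('Admin', COOKIE_KEY));    // bare value with no signature
```

A valid signature only shows that the value was not edited; a copied cookie still verifies, so privileges should be looked up on the server for the verified username rather than read from the cookie. The `httponly` flag keeps page JavaScript from reading the cookie, and `secure` keeps it off plain HTTP.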