in reply to Trouble with cookies

Your login implementation is absolutely horrible, to say the least. You do realize that anybody can provide your website with any cookie value he or she wants, right? So, all I have to do is manually send a "loggedIn=true" cookie to this page of yours, and I will have full administration access.

You need to come up with a better 'login' scheme, perhaps using sessions, so that you can verify that the person providing the cookie has the proper permissions to do so. In any case, don't leave it like this, using a simple true/false value to determine who gets administration provileges.

Replies are listed 'Best First'.
Re^2: Trouble with cookies
by superfrink (Curate) on Jan 15, 2005 at 03:06 UTC
    What saskaqueer is getting at is that it is easy for someone familiar with HTTP and CGI to tell your CGI that they are logged in. We even see shopping cart tools on sites that pass the item's price from page to page like that. This way of doing things actually happens rather often and you can see why it's a problem.

    The general solution to this problem is to only store a reasonably hard to predict number in the cookie. When the cookie comes in with a request your code has to lookup that number in a database or a file (often named something like "/tmp/session_" . $number ). Then the database or file contains the actual information like the login name, etc.

    I recommend reading How to remember who is logged in... before building too much more of your system.
[reply]
[d/l]

In Section Seekers of Perl Wisdom