PHP Classes

File: readme_SafeCookie.php
Role: Documentation
Content type: text/plain
Description: Readme text file
Class: PHP Secure Cookie
Store cookies in a way that allows unwanted changes to be detected
Author: Ray Paseur
Date: 2 years ago
Size: 1,606 bytes


class SafeCookie

This Class demonstrates an anti-tamper cookie.

Modern browsers make it somewhat difficult for the casual user to alter a cookie,
but since cookies are part of the HTTP request (and nothing in an HTTP request can
be trusted) it is useful to have a strategy that adds a measure of trust to cookies.

This class appends a salted md5() digest of the cookie value as a "mirror" of that
value.  Any change to the value part of the cookie will be detected.  In that case
the damaged cookie is removed and the SafeCookie::get() method returns False.  If the
cookie is shown to be intact, the cookie value (minus the salted digest) will be

The cookie looks like this:


To the left of the pipe is the value of the cookie.  To the right of the pipe is
the md5() of the SALTed value.

As long as the SALT string is unknown to the attacker, there is almost no chance
that a tampered cookie will be consumed.  Be clear about what this does and does
not give you: the value travels in the clear, so the scheme provides integrity, not
confidentiality; an attacker who captures a valid cookie can still replay it
unchanged; and if the digest is computed as md5(SALT . value) the construction is
open to a length-extension attack, so hash_hmac() for the digest and hash_equals()
for the comparison are the safer choice for the same "value|digest" layout.
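As an added example, not the SafeCookie class's own code, the following is a
stand-alone implementation of the "value|digest" layout described above.  It
substitutes hash_hmac() with SHA-256 and a hash_equals() comparison for the
readme's salted md5(); the secret constant, function names, cookie attributes and
the sample cookie value are assumptions made for this example.

```php
<?php
// Added example of an anti-tamper cookie in the "value|digest" layout.
// Not the SafeCookie class's own code. The secret below is a placeholder,
// and the digest is HMAC-SHA256 rather than the readme's salted md5().
declare(strict_types=1);

const SAFE_COOKIE_SECRET = 'replace-with-a-long-random-secret'; // placeholder, assumed

function safe_cookie_seal(string $value, string $secret = SAFE_COOKIE_SECRET): string
{
    // Refuse a pipe in the value so the separator stays unambiguous.
    if (strpos($value, '|') !== false) {
        throw new InvalidArgumentException('cookie value must not contain "|"');
    }
    // Keyed digest: without the secret an attacker cannot forge a matching
    // digest, and HMAC is not subject to hash length extension.
    $digest = hash_hmac('sha256', $value, $secret);
    return $value . '|' . $digest;
}

// Returns the verified value, or false if the cookie is missing its digest
// or the digest does not match the value.
function safe_cookie_open(string $cookie, string $secret = SAFE_COOKIE_SECRET)
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$value, $digest] = $parts;
    $expected = hash_hmac('sha256', $value, $secret);
    // hash_equals() compares in constant time, so a mismatch does not leak
    // how many leading bytes of a forged digest were correct.
    if (!hash_equals($expected, $digest)) {
        return false;
    }
    return $value;
}

// Web-facing helpers mirroring the readme's set-then-get flow.
// The options array form of setcookie() needs PHP 7.3 or later.
function safe_cookie_set(string $name, string $value): void
{
    setcookie($name, safe_cookie_seal($value), [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function safe_cookie_get(string $name)
{
    if (!isset($_COOKIE[$name])) {
        return false;
    }
    $value = safe_cookie_open($_COOKIE[$name]);
    if ($value === false) {
        // Damaged cookie: expire it, as the readme describes.
        setcookie($name, '', ['expires' => time() - 3600, 'path' => '/']);
    }
    return $value;
}

// CLI demo with a constructed value, reproducing the readme's walkthrough
// without a browser: the intact cookie opens, the edited one is rejected.
if (PHP_SAPI === 'cli') {
    $sealed = safe_cookie_seal('user=42;role=member');
    echo 'intact:   ', var_export(safe_cookie_open($sealed), true), PHP_EOL;
    $tampered = str_replace('role=member', 'role=admin', $sealed);
    echo 'tampered: ', var_export(safe_cookie_open($tampered), true), PHP_EOL;
}
```

Run it from the command line to see the intact cookie returned and the edited
one rejected; in a web request, safe_cookie_set() and safe_cookie_get() play the
roles the readme assigns to setting the cookie and to SafeCookie::get().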

To see the class in action, install the class script along with the "demo" and
"aux" scripts in the same directory on your web server.  Then run the demo script
and try clicking the links to refresh the browser.

On the first execution of the "demo" script the cookie is not yet present, but
it will be set.  On the second and subsequent execution of the "demo" script you
will see the cookie being returned over and over again.

To see what happens if the cookie is damaged, click the appropriately labeled
link, then go back and refresh the browser window with the "demo" script.  You
will see that the damaged cookie is not returned by SafeCookie::get().

For more information send a message to info at phpclasses dot org.