Cookie Security - Array Values: Implode or Serialize?

  • jody.florian@gmail.com

    Cookie Security - Array Values: Implode or Serialize?

    Hi there,

    http://uk2.php.net/setcookie

    suggests that for security, implode (correction of explode) should be
    used instead of serialize. Does anyone know why?

    I don't need to implement this, I just feel I need to know, for a
    course I'm studying.

    Cheers
    Jody

  • Carl

    #2
    Re: Cookie Security - Array Values: Implode or Serialize?

    jody.florian@gmail.com wrote:
    > Hi there,
    >
    > http://uk2.php.net/setcookie
    >
    > suggests that for security, implode (correction of explode) should be
    > used instead of serialize. Does anyone know why?
    >
    > I don't need to implement this, I just feel I need to know, for a
    > course I'm studying.
    >
    > Cheers
    > Jody
    >

    Jody,

    It could be due to this:

    see section 6 & 7.

    Cheers,
    Carl.


    • Oli Filth

      #3
      Re: Cookie Security - Array Values: Implode or Serialize?

      jody.florian@gmail.com said the following on 29/12/2005 00:44:
      > Hi there,
      >
      > http://uk2.php.net/setcookie
      >
      > suggests that for security, implode (correction of explode) should be
      > used instead of serialize. Does anyone know why?
      >
      > I don't need to implement this, I just feel I need to know, for a
      > course I'm studying.
      >

      Dunno, but if you have enough data stored in a cookie for
      implode()/serialize() etc. to be necessary, then you're probably better
      off storing it all server-side, either in a DB or a file, and storing
      just a UID in the cookie (like how sessions work).

      Storing whole objects/data structures client-side is just asking for
      trouble.


      --
      Oli


      • Chung Leong

        #4
        Re: Cookie Security - Array Values: Implode or Serialize?

        Unserialize() in some versions of PHP suffers from a buffer overrun
        vulnerability. That's one reason.

        Another is that it's easy to write type-dependent code that compromises
        security. A while back a vulnerability was discovered in a popular
        message forum software--phpBB I believe--that allowed an attacker to
        gain administrative access by simply tinkering with the serialized data
        inside the cookie. Somewhere in the code there was a string comparison
        that goes like:

        if ($user->password == $admin_password) {
        }

        The comparison would occur as expected if $user->password is a string.
        If $user->password is the integer 0, on the other hand, something very
        strange and bad happens. The value supplied would match nearly all
        possible passwords, because PHP's type conversion rules dictate that in
        a comparison between an integer and a string, the string would get
        converted to an integer first--with the number 0 being the likeliest
        outcome.

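The attack described in the post above, reproduced as an added example (this is not phpBB's code and not part of the thread). The admin password, the array-shaped user record and the cookie layout are assumptions made for the demonstration; it needs PHP 7.0 or later for hash_equals(), scalar type hints and the unserialize() options array.

```php
<?php
// Added example, not code from the thread or from phpBB. Requires PHP 7.0+.
// $adminPassword and the cookie layout are assumed for the demonstration.

$adminPassword = 'correct horse battery staple';   // assumed server-side secret

// The cookie the application itself would issue to an ordinary user.
$issued = serialize(['name' => 'jody', 'password' => 'hunter2']);
echo "issued cookie:   $issued\n";

// The same cookie after the client edits the password field from a string
// to the integer 0. serialize()'s format is public, so this needs no secret.
$tampered = 'a:2:{s:4:"name";s:4:"jody";s:8:"password";i:0;}';
echo "tampered cookie: $tampered\n";

// The pattern from the post: loose (==) comparison of a cookie-derived value.
function looseCheck(array $user, string $adminPassword): bool
{
    return $user['password'] == $adminPassword;
}

// Hardened: reject anything that is not a string, then compare with
// hash_equals(), which is both strict (no type juggling) and constant-time.
function strictCheck(array $user, string $adminPassword): bool
{
    if (!isset($user['password']) || !is_string($user['password'])) {
        return false;
    }
    return hash_equals($adminPassword, $user['password']);
}

// allowed_classes => false blocks object injection through the cookie,
// but the client still decides the type of every scalar field.
$user = unserialize($tampered, ['allowed_classes' => false]);

printf("PHP %s\n", PHP_VERSION);
var_dump($user['password']);                  // the client-chosen integer
var_dump(looseCheck($user, $adminPassword));
var_dump(strictCheck($user, $adminPassword));

// == is unsafe even when both sides are strings: numeric-looking strings
// are compared as numbers on every PHP version.
var_dump('1e3' == '1000');
var_dump(hash_equals('1e3', '1000'));
```

On PHP 5 and 7, looseCheck() accepts the tampered cookie: the non-numeric admin password is converted to 0 before the comparison, exactly as the post explains. PHP 8 changed int-to-string comparison so the same call fails there, but '1e3' == '1000' is still true on every version, so the real fix is a type check followed by hash_equals() (or ===), not an interpreter upgrade. The allowed_classes option only addresses object injection; serialize() still lets the client pick the type of every scalar, which is the point of the manual's advice to prefer implode().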

        • Justin Koivisto

          #5
          Re: Cookie Security - Array Values: Implode or Serialize?

          Oli Filth wrote:
          > jody.florian@gmail.com said the following on 29/12/2005 00:44:
          >
          >> http://uk2.php.net/setcookie
          >> suggests that for security, implode (correction of explode) should be
          >> used instead of serialize. Does anyone know why?
          >
          > Dunno, but if you have enough data stored in a cookie for
          > implode()/serialize() etc. to be necessary, then you're probably better
          > off storing it all server-side, either in a DB or a file, and storing
          > just a UID in the cookie (like how sessions work).
          >
          > Storing whole objects/data structures client-side is just asking for
          > trouble.

          Agreed. There may be times where storing a bit of data in a cookie is
          quite tempting, but you should keep as much of the data on the server
          rather than on a user's computer. Rule #1 in programming: Never trust
          the user.

          --
          Justin Koivisto, ZCE - justin@koivi.com

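The two replies above recommend keeping the data on the server and sending only an identifier. As an added example (not code from the thread), here are the two patterns a practitioner would use: an opaque random id with the record kept server-side, and, for the case where a value genuinely must travel in the cookie, implode()d string fields bound to an HMAC so that edits are detected before the data is used. The in-memory $store array stands in for a database or session file, the key is generated per run only for the demo, and all names are assumptions. Needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+ (random_bytes,
// nullable return types). $store stands in for a database table or session
// file; $key would normally be loaded from configuration, not generated here.

// --- Pattern 1: only an opaque id goes to the client; the data stays here.
$store = [];

function issueId(array &$store, array $data): string
{
    $id = bin2hex(random_bytes(16));   // 128 random bits: not guessable
    $store[$id] = $data;
    return $id;                        // this is all the cookie carries
}

function loadById(array $store, string $id): ?array
{
    return $store[$id] ?? null;        // unknown or edited id: no record
}

// --- Pattern 2: the data must live client-side, so implode() string fields
// and bind them to an HMAC. explode() on the way back only ever yields
// strings, so the client cannot smuggle in an integer as with unserialize().
$key = random_bytes(32);               // assumed: in practice load from config

function encodeCookie(array $fields, string $key): string
{
    // Percent-encode each field so the separator cannot appear inside one.
    $payload = implode('|', array_map('rawurlencode', $fields));
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

function decodeCookie(string $cookie, string $key): ?array
{
    $cut = strrpos($cookie, '|');
    if ($cut === false) {
        return null;
    }
    $payload = substr($cookie, 0, $cut);
    $tag     = substr($cookie, $cut + 1);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;                   // edited, truncated or forged
    }
    return array_map('rawurldecode', explode('|', $payload));
}

// Pattern 1 in use: a valid id resolves, a made-up one does not.
$id = issueId($store, ['name' => 'jody', 'role' => 'member']);
var_dump(loadById($store, $id));
var_dump(loadById($store, str_repeat('f', 32)));

// Pattern 2 in use: the genuine cookie verifies, the client's edit does not.
$cookie = encodeCookie(['jody', 'member'], $key);
echo "cookie: $cookie\n";
var_dump(decodeCookie($cookie, $key));
$forged = str_replace('member', 'admin', $cookie);   // client promotes itself
var_dump(decodeCookie($forged, $key));
```

Signing is not encryption: the user can still read every field in pattern 2, so nothing secret belongs in the cookie either way. Set the cookie with the httponly, secure and samesite options of setcookie(), and on the way back treat each exploded field as an untrusted string, comparing with === or hash_equals() rather than ==.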
