Maximus9999
10-27-2007, 06:33 PM
Anybody know the proper way to store multiple values in a cookie? Such as saving user information in a register form?
pcthug
10-27-2007, 08:13 PM
OK, I have just built a quick untested class that will do it for you. Just modify the constants in the cookie to match your environment (replace the salt with a random string, preferably consisting of punctuation and alphanumeric characters) and include the class on any page you need to use it.

/**
 * How to set a cookie
 */

/**
 * 1. Get Secure_Cookie instance
 */
$cookie = new Secure_Cookie();

/**
 * 2. Set properties that you want to be
 *    passed in the cookie
 */
$cookie->first = 'Foo';
$cookie->last  = 'Bar';
$cookie->age   = 100;

/**
 * 3. Set cookie (must run before any output is sent, like any setcookie() call)
 */
$cookie->set();

/**
 * How to fetch cookie data
 */

/**
 * 1. Get Secure_Cookie instance
 */
$cookie = new Secure_Cookie();

/**
 * 2. Fetch cookie data
 */
$cookie->fetch();

/**
 * 3. Access cookie data directly
 */
echo $cookie->first; // Foo
echo $cookie->last;  // Bar
echo $cookie->age;   // 100

foreach ($cookie as $name => $value) {
    echo $value;
}

class Secure_Cookie
{
    const SALT    = 'Your Secret Here';
    const NAME    = 'cookie_name';   // cookie names may not contain spaces, "=", "," or ";"
    const EXPIRES = 12009;           // seconds added to time()
    const PATH    = '/';
    const DOMAIN  = '.example.com';

    public function set()
    {
        $serial = serialize($this);
        $hash   = sha1($serial . self::SALT);   // the missing ";" here is a parse error (blank page)
        return setcookie(self::NAME, base64_encode("{$hash}_{$serial}"),
                         time() + self::EXPIRES, self::PATH, self::DOMAIN);
    }

    public function fetch()
    {
        if (isset($_COOKIE[self::NAME])) {
            // limit to 2 pieces: the serialized data itself may contain "_"
            $parts = explode('_', base64_decode($_COOKIE[self::NAME]), 2);
            if (count($parts) === 2) {
                list($hash, $serial) = $parts;
                // strict comparison; with "==" PHP compares "0e..." hex strings numerically
                // (on PHP 5.6+ hash_equals() gives a constant-time comparison)
                if ($hash === sha1($serial . self::SALT)) {
                    foreach (unserialize($serial) as $property => $value) {
                        $this->$property = $value;   // dynamic property named by $property
                    }
                    return true;
                }
            }
        }
        return false;
    }
}

Maximus9999
10-27-2007, 09:08 PM
Hmm, didn't work for me. Gave me a blank screen.

NightShift58
10-28-2007, 06:31 AM
A simple way to do it would be to store your variables to an array. This array can be stored to a cookie by using the serialize() function. When reading the cookie/array back into your environment, use unserialize() to convert the cookie value back to its original array state.

pcthug
10-28-2007, 07:58 AM
For security purposes (so the end user can't change sensitive values of the cookie, i.e. user permissions, user id, etc.) you should hash the value of the serialized array and a salt together and then store that in the cookie as well. Then upon retrieval, hash the serialized array with the salt the same as when setting it and compare it to the hash in the cookie. This is what my previous code does. Not near a development environment at the moment, so someone else may be able to see what needs fixing in my code ;)

bokeh
10-28-2007, 08:10 AM
> someone else may be able to see what needs fixing in my code ;)
You should change the class name to insecure_hashed_cookie(), otherwise someone might really believe it is secure.

NightShift58
10-28-2007, 08:21 AM
Secure and cookies are antonyms, in my book. Greetings from Barajas...

Maximus9999
10-28-2007, 04:18 PM
Thanks for the posts. I'll see what I can do. Another question: if I'm creating a register page, should I send that information to another page to do the checking or should I send it back to the same page? Since cookies require a page refresh, there's a problem with the delay of the info.

pcthug
10-28-2007, 04:32 PM
> You should change the class name to insecure_hashed_cookie(), otherwise someone might really believe it is secure.
Could you please point out the insecurities of the method I explained previously?

> If I'm creating a register page, should I send that information to another page to do the checking or should I send it back to the same page? Since cookies require a page refresh, there's a problem with the delay of the info.
There's no real reason not to send it back to the same page/script. If you can avoid using cookies (especially in a critical function such as user registering) you should, to allow access to clients that do not accept cookies.

bokeh
10-28-2007, 07:36 PM
> Could you please point out the insecurities of the method I explained previously?
It's just choice of words I was commenting on, not the code. Secure is a trilogy of confidentiality, integrity and availability. Your example is producing signed plaintext, which may be tamper-proof but is certainly not secure in the above sense.

webdeveloper.com
Copyright Internet.com Inc., All Rights Reserved.
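The approach the thread converges on (NightShift58's "pack an array into one cookie value", pcthug's "store a keyed hash alongside it and verify on the way back in", and bokeh's caveat that this is signed plaintext, not confidentiality) in working form. This is an added example, not code from the thread or from any of its posters; it assumes PHP 7.3 or later and a server-side secret (COOKIE_SECRET, a placeholder here) that the client never sees. JSON is used instead of serialize() so that the read path never calls unserialize() on client-controlled bytes, and an HMAC with hash_equals() replaces sha1(data . salt) with ==.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). Assumes PHP 7.3+ and a
// server-side secret that never reaches the client.
const COOKIE_SECRET = 'replace-with-a-long-random-secret'; // assumption: load from config/env in practice

/**
 * Pack an associative array into one cookie value:
 *   base64(json) . "." . hex(HMAC-SHA256(base64(json)))
 * JSON rather than serialize() so reading the cookie never reaches
 * unserialize() on client-controlled bytes.
 */
function pack_cookie(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;   // '.' never occurs in base64 or hex output
}

/**
 * Verify the MAC and unpack. Returns null for anything that was not
 * produced by pack_cookie() with the same secret (edited payload,
 * truncated value, wrong key, invalid base64 or JSON).
 */
function unpack_cookie(string $value, string $secret): ?array
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; a plain == would also be subject to
    // PHP's numeric-string coercion ("0e..." hex strings compare equal).
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

/**
 * Demonstration on a constructed profile record; returns what a caller
 * would observe in each case.
 */
function demo(): array
{
    $profile = ['first' => 'Foo', 'last' => 'Bar', 'age' => 100, 'admin' => false];
    $value   = pack_cookie($profile, COOKIE_SECRET);

    // In a real page (before any output):
    //   setcookie('profile', $value, time() + 86400, '/', '', true, true);
    // and on the next request:
    //   unpack_cookie($_COOKIE['profile'] ?? '', COOKIE_SECRET)

    // Client edits the payload (admin => true) but cannot recompute the MAC
    [, $mac] = explode('.', $value, 2);
    $forged  = base64_encode(json_encode(['admin' => true])) . '.' . $mac;

    return [
        'round_trip_ok' => unpack_cookie($value, COOKIE_SECRET) === $profile,
        'forgery'       => unpack_cookie($forged, COOKIE_SECRET),
        'wrong_secret'  => unpack_cookie($value, 'not-the-secret'),
        // bokeh's point: anyone holding the cookie can read the payload without the secret
        'plaintext'     => base64_decode(explode('.', $value, 2)[0]),
    ];
}

if (PHP_SAPI === 'cli') {
    var_dump(demo());
}
```

Run from the command line, demo() reports the round trip as intact, returns null for both the edited payload and the value checked against a different secret, and hands back the original JSON text as 'plaintext' without ever needing the secret. That last entry is the thread's closing point in code: the MAC gives integrity (the client cannot change admin, age or anything else without the server noticing), but nothing here gives confidentiality, so values that must not be readable by the user or by anyone who captures the cookie belong in server-side session storage keyed by a random identifier rather than in the cookie itself. The two trailing setcookie() arguments (Secure, HttpOnly) keep the cookie off plain HTTP and away from page scripts, which is as much as a cookie can do on its own.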