Web Browser Security – Cookies and Sessions

If you're not a web application programmer, you're not going to know exactly how secure or insecure web browser cookies are. If you're relying on someone who claims to be an expert at developing web applications, don't let him or her feed you a line about how web browser sessions are more secure than cookies or vice-versa. I have spent the last couple of days trying to come up with 100 percent secure cookies and sessions and I couldn't do it without employing SSL. Now, since I was doing this with PHP and not with any other scripting language, I can only tell you how to work with cookies and sessions with PHP.

Web Browser Cookies

Unless you're doing something silly, even sessions use cookies. Every session uses a cookie unless you have that feature turned off. If you're doing it that way, you may as well not even use sessions and just carry the information via query strings in the first place. WordPress admin uses query strings to handle the state, not sessions, and that's perfectly fine. Those query strings are behind a login and the general public doesn't get to see them.

Unless you're connected through SSL (HTTPS vs. HTTP), your cookies are going to be transmitted as plain text between the web server and the web browser. A packet sniffer can intercept and capture complete cookies. If a "login" cookie is intercepted, the hacker can use it to take control of the website in question. You can mitigate the situation by requiring a second form of authentication. One way is to require web server authentication as well as login credentials (which can get messy). In any case, you should never transmit user names or passwords as plain text through any kind of cookie. Encrypting the cookie's value on the server before sending it (and decrypting it on the server when it comes back) is the best way to avoid that, but you can also do it by comparing credentials against one or more hashed strings stored on the server. Using PHP's "mcrypt" functions is not only the best way, it's the easiest way.
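How a cookie value can be encrypted on the server before it is sent, as an added example that is not the author's code: the post recommends mcrypt, but that extension was removed from PHP core in 7.2, so this uses the bundled sodium extension's authenticated encryption (sodium_crypto_secretbox) instead. The key, the user id and the cookie name are constructed for the example.

```php
<?php
// Added example (not the author's code). mcrypt was removed from PHP core in 7.2, so the
// bundled sodium extension is used instead. Authenticated encryption means a tampered or
// forged cookie is rejected outright rather than decrypting to garbage.

// The key stays on the server only (config file or environment variable), never in the
// cookie. It is generated here only so the example runs stand-alone; a real key is loaded
// once, not regenerated per request, or earlier cookies become undecryptable.
$key = sodium_crypto_secretbox_keygen();

function sealCookieValue(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // The nonce is not secret; prepend it so the server can decrypt on the next request.
    return base64_encode($nonce . $box);
}

function openCookieValue(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;                               // malformed cookie
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;       // false: wrong key or tampered
}

// Issuing the cookie: user id 42 is a constructed value. The cookie carries a server-side
// identifier, never the user name or password. Last two arguments: secure, HttpOnly.
$sealed = sealCookieValue('uid=42', $key);
setcookie('login', $sealed, time() + 3600, '/', '', true, true);

// Round trip, as the server would do on the next request with $_COOKIE['login'].
if (openCookieValue($sealed, $key) !== 'uid=42') {
    throw new RuntimeException('decryption round trip failed');
}

// Any modification in transit fails authentication instead of yielding a wrong value.
$tampered     = $sealed;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
if (openCookieValue($tampered, $key) !== null) {
    throw new RuntimeException('tampered cookie was accepted');
}
```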

Still, you're at the mercy of a connection between the web browser and the web server which isn't secure. Even if you employ SSL, you still have avenues that can be attacked if you don't use regular cookies or session cookies in the right way.

Cookie Parameters

The last two parameters passed when a cookie is created contain important flags. The next to the last one is the secure flag. If set to "true" or "1", the cookie will not be transmitted if you're not on an SSL connection. Having investigated cookies sent from secure sites, I've been surprised at how many don't even bother to set this flag.

The last parameter is the "HTTPOnly" flag. If set to "true" or "1", the web browser will not allow that cookie to be read by anything other than JavaScript and server-side scripting languages. Again, some secure sites don't even bother with it.

With sessions, you have to use three functions, session_name(name), session_set_cookie_params(parameters), and then session_start(). With regular cookies, it's just setcookie(parameters). It's easy to understand why someone might think that session cookies can't be set up the right way, but that someone shouldn't be a web application developer.
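The setcookie() call and the three session calls just described, with the secure and HttpOnly flags set in both cases, as an added example that is not the author's code. The cookie and session names are constructed for the example, and the options-array forms assume PHP 7.3 or later.

```php
<?php
// Added example, not the author's code. Everything below must run before any output is
// sent, or the Set-Cookie headers can no longer be added to the response.

// Regular cookie, positional form: name, value, expires, path, domain, secure, httponly.
// The last two parameters are the flags discussed above.
setcookie('prefs', 'theme=dark', time() + 86400, '/', '', true, true);

// PHP 7.3+ also accepts an options array, which adds SameSite (the browser then does not
// attach the cookie to cross-site requests).
setcookie('prefs', 'theme=dark', [
    'expires'  => time() + 86400,
    'path'     => '/',
    'secure'   => true,   // never transmitted over plain HTTP
    'httponly' => true,   // not exposed to document.cookie in the browser
    'samesite' => 'Lax',
]);

// Session cookie: session_name(), then session_set_cookie_params(), then session_start().
session_name('app_sid');              // replaces the default PHPSESSID
session_set_cookie_params([
    'lifetime' => 0,                  // discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Check that the parameters actually took effect, e.g. from a health-check endpoint.
function sessionCookieIsHardened(): bool
{
    $p = session_get_cookie_params();
    return $p['secure'] === true && $p['httponly'] === true && $p['samesite'] === 'Strict';
}
if (!sessionCookieIsHardened()) {
    throw new RuntimeException('session cookie flags are not set');
}

// After a successful login, issue a fresh session id so an id seen before
// authentication cannot be reused afterwards. $uid is whatever the login check produced.
function onLoginSuccess(int $uid): void
{
    session_regenerate_id(true);      // true: delete the old session file as well
    $_SESSION['uid'] = $uid;
}
```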

It's not hard to stay up-to-date when it comes to web security and if I know these things, then the administrators of secure, commercial websites should know them.

Unlikely doesn't mean Impossible

The common train of thought among web programmers right now is that sure, browser cookies are insecure, but it's unlikely that any hacker would take the time to intercept them when there are easier ways to break into websites. "Unlikely" doesn't mean you're secure. Hackers go after targets of opportunity before other targets but that doesn't mean you're not vulnerable. What if a hacker just doesn't like what you've written on your website?

SSL connections aren't available to everyone and even if they were, it's a good idea to make frequent backups of your data. If you're using WordPress, for example, you need to back up everything but the basic web application itself, including the database and theme templates. If you do get hacked, having a current backup can prevent a complete loss of data.


10 Responses to “Web Browser Security – Cookies and Sessions”


  1. Sam says:

    RT,

    Is there a good WP plugin for automatic backups, including images and text? And, what if hackers gain control of your website somehow… would you lose your Google standing at all?

    Thanks

    • RT Cunningham says:

      I honestly haven't found one that backs up everything. I use WP-DBManager for automatically backing up the database, but I manually back up the wp-content directory periodically. The only other files I keep backed up are the .htaccess and the wp-config.php in the root. It's a pain to do it manually. I've heard of BackupBuddy, but I don't like their membership scheme.

    • RT Cunningham says:

      Oh, I forgot to answer the last question. It depends on what gets hacked and how long it takes for you to spot it and fix it. Generally, anything that gets corrected within 24-48 hours may temporarily affect standings but should bounce back quickly. If it sits in a hacked state for like a month, then you'll definitely have a hard time getting any rankings back.

  2. Spot says:

    Sam,

    There is a WP plugin, WP-DB-Backup, that I think does what you require.

    I don't know nearly as much about this as RT does, but isn't it best to have your host do your backup? My host backs up daily, and then separately weekly and monthly. So even if the daily backup is corrupted somehow, I can easily go back to the weekly one.

  3. Sam says:

    Thanks guys. Appreciate it.

    It's definitely better to be safe than sorry.

  4. Ron says:

    Backing up WP files and the database is a basic thing that, most of the time, newbie bloggers like me often forget. I remember the last time my blog was hit by malware and I had to undergo such a painful and time-consuming cleansing. If only I had had a backup, I could easily have rewritten those files in a minute or so.

  5. BestwebhostingDirect says:

    It's always ideal to join a host company that performs weekly backup.
