PHP Classes

PHP Secure Cookie: Store cookies allowing to detect unwanted changes

Recommend this page to a friend!
  Info   View files Example   View files View files (4)   DownloadInstall with Composer Download .zip   Reputation   Support forum (1)   Blog    
Ratings Unique User Downloads Download Rankings
Not enough user ratingsTotal: 290 All time: 7,462 This week: 310Up
Version License PHP version Categories
safecookie 1.0.0Public Domain7HTTP, Security, PHP 7
Description Author

This class can store cookies allowing to detect unwanted changes.

It can set cookie values with a hash value that is computed using a secret salt value.

The class can also retrieve cookies verifying if the current value comes with a hash that is correct giving the secret salt.

Invalid cookies that may have been forged by attackers are discarded.

Innovation Award
PHP Programming Innovation award nominee
February 2019
Number 3
One way that can be used by hackers with malicious intentions is to somehow alter the values of cookies that are served by Web sites by spoofing values that make Web applications behave in ways that they were not intended.

This class can help avoiding that problem by storing cookie values that have an additional verification hash, so the class can also detect cookie alterations so applications can ignored spoofed cookie values.

Manuel Lemos
Picture of Ray Paseur
  Performance   Level  
Name: Ray Paseur is available for providing paid consulting. Contact Ray Paseur .
Classes: 8 packages by
Country: United States United States
Age: 72
All time rank: 2269312 in United States United States
Week rank: 512 Up53 in United States United States Up
Innovation award
Innovation award
Nominee: 5x

Winner: 1x

class SafeCookie

This Class demonstrates an anti-tamper cookie.

Modern browsers make it somewhat difficult for the casual user to damage a cookie,
but since cookies are part of the HTTP request (and nothing in an HTTP request can
be trusted) it is useful to have a strategy to add a measure of trust to cookies.

This class uses a salted md5() string to make a "mirror" of the cookie value.  Any
change in the value of the cookie will be detected.  In this case the damaged
cookie will be removed and the SafeCookie::get() method will return False.  If the
cookie is shown to be intact, the cookie value (minus the salted digest) will be

The cookie looks like this:


To the left of the pipe is the value of the cookie.  To the right of the pipe is
the md5() of the SALTed value.

As long as the SALT string is unknown to the attacker, there is almost no chance
that a tampered cookie will be consumed.

To see the Class in action, install the class script along with the "demo" and
"aux" scripts in the same directory of your web server.  Then run the demo script
and try clicking the links to refresh the browser.

On the first execution of the "demo" script the cookie is not yet present, but
it will be set.  On the second and subsequent execution of the "demo" script you
will see the cookie being returned over and over again.

To see what happens if the cookie is damaged, click the appropriately labeled
link, then go back and refresh the browser window with the "demo" script.  You
will see that the damaged cookie is not returned by SafeCookie::get()
  Files folder image Files  
File Role Description
Accessible without login Plain text file aux_SafeCookie.php Aux. Auxilliary
Plain text file class_SafeCookie.php Class Class Source
Accessible without login Plain text file demo_SafeCookie.php Example Demonstration Script
Accessible without login Plain text file readme_SafeCookie.php Doc. Readme text file

 Version Control Unique User Downloads Download Rankings  
This week:0
All time:7,462
This week:310Up
For more information send a message to info at phpclasses dot org.