Problem with a secure login in PHP and MySQL using session and cookie

Hi! I am trying to build a login that lets the user keep the logged-in session, the typical "Remember me on this computer": the session should start as soon as the page is opened, even if the browser has been closed.

I tried to do this by creating a secure cookie which is saved as follows:

public function checkInicioDeSesion($email, $contrasena, $recordarSesion){
        $tiempo_inicio = microtime(true);

        $contador = 0;
        $sql = "SELECT * FROM $this->TablaDb WHERE EMAIL=:email";

        $resultado = $this->Conexion->prepare($sql);

        $resultado->execute(array(":email"=>$email));

        while($registro = $resultado->fetch(PDO::FETCH_ASSOC)){
            // Debug output. Note that it prints the stored password hash, and that any
            // output sent before session_start()/header() below makes those calls fail
            // with "headers already sent".
            echo "Email: " . $registro['EMAIL'] . " | Password: " . $registro['CONTRASENA'] . "\n";

            if(password_verify($contrasena, $registro['CONTRASENA'])){
                $cliente = new Cliente_Modelo();
                $cliente->setIdCliente($registro['IDCLIENTE']);
                $cliente->setEmail($registro['EMAIL']);
                $cliente->setContrasena($registro['CONTRASENA']);
                $cliente->setReloginCliente($registro['RELOGIN_CLIENTE']);
                $cliente->setNombreCliente($registro['NOMBRE_CLIENTE']);
                $cliente->setApellido1($registro['APELLIDO1']);
                $cliente->setApellido2($registro['APELLIDO2']);
                $cliente->setNifNie($registro['NIF_NIE']);
                $cliente->setTipoCliente($registro['TIPO_CLIENTE']);
                $cliente->setTelefono1($registro['TELEFONO1']);
                $cliente->setTelefono2($registro['TELEFONO2']);
                $contador++;
            } else {
                var_dump(password_verify($contrasena, $registro['CONTRASENA']));
            }
        }

        // The Referer header is supplied by the client; it becomes the redirect target below.
        $refer = $_SERVER['HTTP_REFERER'];

        if($contador > 0){
            if(session_status() == PHP_SESSION_NONE){
                //echo "There is no session. Starting one now.";
                session_start();
            } else {
                //echo "A session already exists.";
            }

            $_SESSION['Cliente'] = $cliente->getNombreCliente();
            echo "You have logged in successfully!\n";
            echo "Welcome, " . $_SESSION['Cliente'] . "!\n";
            print_r($_COOKIE);

            if($recordarSesion == true){
                $this->setRelogin($cliente->getEmail(), $cliente->getContrasena(), $cliente->getIdCliente());
                echo "A cookie has just been created that will last 1 year.\n";
                /*echo "Content of the loginCliente cookie: {$_COOKIE['loginCliente']}";*/
            }
            header("refresh: 10; url=$refer");

            $tiempo_fin = microtime(true);
            echo "Time spent: " . ($tiempo_fin - $tiempo_inicio);
        } else {
            if(session_status() == PHP_SESSION_NONE){
                //echo "There is no session. Starting one now.";
                session_start();
            } else {
                //echo "A session already exists.";
            }
            echo "An error occurred while logging in!\n";
            echo "Please make sure you entered the email and password correctly.\n";
            header("refresh: 5; url=$refer");
            session_destroy();
        }
}

The setRelogin function creates a secure cookie, which it also saves in the database:

private function setRelogin($emailcliente, $contrasenacliente, $idcliente){
        // bcrypt of the e-mail and of $contrasenacliente, which is the bcrypt hash
        // read from the database (not the plaintext password).
        $EmailCifrado = password_hash($emailcliente, PASSWORD_DEFAULT, array("cost"=>15));
        $contraCifrada = password_hash($contrasenacliente, PASSWORD_DEFAULT, array("cost"=>15));

        // 60 + 60 = 120 characters; this is the value that goes into the cookie.
        $combinacionRelogin = $EmailCifrado.$contraCifrada;

        // bcrypt of the 120-character string: 60 characters; this is the value that
        // goes into the database. bcrypt only reads the first 72 bytes of its input,
        // so the remaining 48 characters of $combinacionRelogin are not covered.
        $combinacionSeguraRelogin = password_hash($combinacionRelogin, PASSWORD_DEFAULT, array("cost"=>15));

        // The fourth argument of setcookie() is the cookie path, not a URL.
        setcookie("RLID", $combinacionRelogin, time()+60*60*24*365, "https://es.stackoverflow.com/");

        $sql = "UPDATE $this->TablaDb SET RELOGIN_CLIENTE=:ReloginCliente WHERE IDCLIENTE=:IdCliente";

        $preparar = $this->Conexion->prepare($sql);

        $preparar->bindValue(":ReloginCliente", $combinacionSeguraRelogin, PDO::PARAM_STR);
        $preparar->bindValue(":IdCliente", $idcliente, PDO::PARAM_INT);

        $resultado = $preparar->execute();

        if ($resultado) {
            echo "The client has been updated successfully!\n";
        } else {
            echo "There was an error trying to update the client!\n";
        }
}

The problem arises when I try to log in with the "remember session" option. Apparently it does everything fine. If I close the tab and open the page in a new tab, nothing happens, but if I close the browser it tells me it can't find $_SESSION['Cliente'].

The function that tries to log in with the cookie is:

public function checkRelogin(){

        $tiempo_inicio = microtime(true);

        if(isset($_COOKIE['RLID'])){
            // The cookie carries the raw 120-character value, while RELOGIN_CLIENTE
            // holds a 60-character bcrypt hash of it, so this equality never matches.
            // A bcrypt hash can only be checked with password_verify() against a row
            // found by some other key.
            $sql = "SELECT * FROM $this->TablaDb WHERE RELOGIN_CLIENTE=:ReloginCliente";

            $preparar = $this->Conexion->prepare($sql);
            // PDOStatement::execute() returns a bool; rows are read from $preparar.
            $ok = $preparar->execute(array(":ReloginCliente"=>$_COOKIE['RLID']));

            //var_dump($preparar->fetch(PDO::FETCH_ASSOC)); // debug; would consume the first row before the loop

            while($registro = $preparar->fetch(PDO::FETCH_ASSOC)){

                $cliente = new Cliente_Modelo();

                $cliente->setIdCliente($registro['IDCLIENTE']);
                echo "Client ID: " . $cliente->getIdCliente() . "\n";
                $cliente->setEmail($registro['EMAIL']);
                $cliente->setContrasena($registro['CONTRASENA']);
                $cliente->setReloginCliente($registro['RELOGIN_CLIENTE']);
                $cliente->setNombreCliente($registro['NOMBRE_CLIENTE']);
                $cliente->setApellido1($registro['APELLIDO1']);
                $cliente->setApellido2($registro['APELLIDO2']);
                $cliente->setNifNie($registro['NIF_NIE']);
                $cliente->setTipoCliente($registro['TIPO_CLIENTE']);
                $cliente->setTelefono1($registro['TELEFONO1']);
                $cliente->setTelefono2($registro['TELEFONO2']);

                // Nothing in this function calls session_start() or sets $_SESSION['Cliente'].
                echo "Welcome back, {$cliente->getNombreCliente()}!\n";

                //return $cliente;
            }

            $tiempo_fin = microtime(true);
            echo "Time spent: " . ($tiempo_fin - $tiempo_inicio);

        } else {
            echo "The RLID cookie does not exist.\n";
        }
}

Apparently, the same value is not saved in the cookie as in the database... The cookie value is 120 characters, but in the database, in phpMyAdmin (with MariaDB, by the way; I don't know whether that matters), it shows me less, and on mouse-over it says the original is 60 characters (and I have it as a VARCHAR with a capacity of 255).

Greetings!

web – Can JavaScript replace an HTTPOnly cookie?

Can JavaScript overwrite or delete an HTTPOnly cookie?

In more detail: let's assume that the user's browser has a cookie for example.com with the HTTPOnly flag set, for example session=552..e0. Suppose the user visits a page on example.com. Can the JavaScript running on this page replace the cookie with a new cookie that does not have the HTTPOnly flag set? Would this effectively delete the existing HTTPOnly cookie? Can I count on browsers to prevent this?


Research I have done: Google's Browser Security Handbook says:

no specific thought has been given to prevent JavaScript from overwriting httponly cookies

but I know these pages are quite old by now, and this quote is not entirely clear about what is possible. A table on the same page indicates that in MSIE, Firefox 3, Opera and Chrome, JavaScript cannot overwrite HTTPOnly cookies, but Safari and the Android browser can; but again, this is a very old resource. Mozilla's documentation is unclear on this point.

cookie – GDPR: Check if the user is subject to the conditions of the GDPR

I am a little confused about the appropriate way to detect whether a user falls under the GDPR. Most websites use IP geolocation for this purpose, but what if the user is travelling while visiting the website, is not asked for consent, and then returns to the EU?

I'm asking because I'm wondering whether storing a cookie indicating that the user is NOT from the EEA would be GDPR compliant, so that the website doesn't run all the GDPR logic that slows the site down for non-EEA users. Or at least remembering for the duration of the session (session cookie) that the user's IP address was not from the EEA. Or is the EEA IP check necessary on every page load (in which case the question in the first paragraph remains)?

I know one option is to just show the GDPR consent to all users, but I don't want to spam them with popups and give them a slower website because of all the extra logic needed to control all the functions of the website that the GDPR affects.

Are there privacy and cookie considerations when using the Google Books API?

I am currently developing a website that uses the Google Books API to display book titles.
For testing purposes, I will rely on the Google API before moving on to another.

I want this service to be as free of cookies as possible. With the Google Books API, I already have seven.

To be completely transparent with my users, what should I warn them about? Cookies, tracking, energy costs related to the use of such an API?

javascript – Cookie to display the modal window only once

Yesterday late at night, with help from this site, I managed to finish setting up a modal window so that it fires automatically on entering the site. I use it to give information to my clients, and now I find that every time you enter the main page the modal is triggered... So I wanted to ask for help with a solution (a COOKIE) that either waits a little before it pops up, or makes it not pop up again while you are browsing, until they close the page and open it again.
Thanks in advance.

How could an attacker exploit an XSS in a cookie in the following scenario?

In one of my recent penetration tests, I encountered an XSS vulnerability in a cookie.
The situation is as follows.

The web application uses the cookie to store the current URL. Once the user moves to another function of the application, the cookie's content is placed on the page as a link.
The links created are only valid for the current session.

So, for example, manually setting the cookie as Cookie: key=fooXbar results in bar, where the foo part is not validated but the bar part is.

Thus, when manipulating the cookie manually, there is no validation on the foo part and any script is executed. However, for this to be a successful, valid attack, the XSS must be delivered via the actual URL as described above. But the cookie is then set via JavaScript using escape(document.location.query); escape() seems to rule out making this work (for example, "><  becomes %22%3e%3c).

So, would there still be a way to inject XSS via the URL so that it is included and executed? (Assuming there are no other vulnerabilities that could help exploit this.)

For now, this would be rated a low finding given the circumstances described. Any other comments or insights are greatly appreciated.
Thanks

session management – How to safely configure a cookie on another subdomain?

I have a microservice app. hub.example.com handles authentication. When a user logs in, I need to set a cookie on learn.example.com. What is a safe way to do this? I know of some approaches:

  • hub sets the cookie on example.com. This works, but the cookie spreads to all subdomains. Also, a risky subdomain like lab could set the cookie.
  • learn provides a setCookie controller. The hub returns a redirect (or possibly a different mechanism) to learn/setCookie?session=123. This works, but any site (even evil.com) can use the controller.
  • the setCookie controller could check Origin and only allow hub. I'm not sure what the consequences are for usability and security.

Any suggestion on this subject would be greatly appreciated.

transactions – What do scriptSig and witness mean?

I tried to use the rng-scanner from the following link https://github.com/ca333/rng-scanner/blob/master/rscan.py, and I got results like this:

Bitcoin Address : 3EZ5yV5FARDqEZTXzwWNt33XLVhv7hqAS2
R: 09a8bcef1c9f806b7ba1f6f07d2ac45469a0e860fb14e3e151ce1e710483
TxId : 9ae7ce79fa8501dd92ade347fae7c1737ccefa6db204a2fae485634c265d5494

Then I open the transaction link and I see the scriptSig and the witness of the transaction:

https://www.blockchain.com/btc/tx/9ae7ce79fa8501dd92ade347fae7c1737ccefa6db204a2fae485634c265d5494

What do the scriptSig and the witness of the transaction mean? Why are the scriptSig and witness formats different from those in the transaction below?

https://www.blockchain.com/btc/tx/c525f9a78b92a1082ef690ef538c803fa4ed2f4b1c008a8effc3cba3ac6773d3

Bitcoin Core – Bad witness error in P2SH-P2WSH

I managed to create a working P2SH 2-of-3 multisig contract, that is, I can create addresses, send coins to them and spend the outputs. Now I would like to move from this solution to P2SH-P2WSH, but I have hit a snag.

Here is the HEX of a transaction:


The error I get when trying to use the sendrawtransaction of the RPC client is as follows:

{"result":null,"error":{"code":-26,"message":"bad-witness-nonstandard (code 64)"},"id":"1"}

What I have been trying to do is:

  • In address generation, I generated a P2WSH output script by putting OP_0 + Sha256/Ripe160 of the multisig <2 pubkey1 pubkey2 pubkey3 3 OP_CHECKMULTISIG>. It seems to work, because the address that comes out looks correct and can be sent to. (Maybe still wrong, but I guess not.)

  • When it comes to spending this output, I put that OP_0 <sha256ripe160> in the scriptSig.

  • The signatures are computed slightly differently from P2SH; they are modified so that the amounts are signed.

  • For the witness part, I put the data parts of what would have been the old P2SH scriptSig into the witness. Basically a 4 to say how many items to expect, then a 0 for the multisig bug, then the two signatures, then the <2 pubkey1 pubkey2 pubkey3 3 OP_CHECKMULTISIG> as one big chunk of data. I think it looks like the one in this example: https://github.com/libbitcoin/libbitcoin-system/wiki/P2SH(P2WSH)-Transactions. And I can at least see in the output that there is 040047 followed by the first signature.

What have I missed here? How is the witness malformed? Are there other changes needed to transform a functional P2SH into P2SH-P2WSH?

Forms authentication – Define the cookie lifetime

I have SharePoint 2016 on premises. My portal uses forms-based authentication. Anyone can create an account and log in to access the portal with read permission. By default, users are logged out after 25 minutes. I have used the following script to update the cookie lifetime.
But I want administrators to keep access to the portal until they click the logout button. How can I implement or increase the cookie lifetime for a particular set of users who have Full Control permission?

$sts = Get-SPSecurityTokenServiceConfig
$sts.CookieLifetime = New-TimeSpan -Minutes 25
$sts.Update()