cookiecheck's Issues

Warning: mkdir(): Invalid argument on line 237

I simply copy-pasted the code into my PHP file:

include_once('cookiecheck.php');
if (cc_cookie_cutter() == FALSE) {
    // Cookies are disabled
    echo 'Sorry, you do not have cookies enabled. Please enable them and reload this page';
    exit();
}

cc_cookie_cutter returns FALSE.

My host is Windows 7 XAMPP v3.1.0

Original issue reported on code.google.com by [email protected] on 14 Sep 2013 at 12:09

Default temp directory not interpreted correctly

CookieCheck is configured by default to use the directory '~/tmp' for
storing session information. This is meant to expand to
'/home/username/tmp' but instead a directory with the name '~' is being
created in the place where the script is being run with a subdirectory
called tmp.

This is a serious security issue as the script is likely being run from a
publicly visible directory, meaning that the session files are publicly
visible (including any post/get data stored there - possibly login
information). This session information should be deleted fairly quickly if
the script runs to completion, but if the user aborts the script, it may
not get deleted until someone else runs the script, leaving the session
data and associated information publicly accessible.

The default directory setting will need to be changed to a safer value
(potentially /dev/null) forcing the website owner to explicitly specify
where to store session information.

In the meantime:

ALL USERS OF COOKIECHECK-1.0 SCRIPT SHOULD CHANGE THE DEFAULT SESSION SAVE
PATH TO BE SOMEWHERE OUTSIDE OF THE WEB ROOT OR OTHERWISE PROTECTED FROM
EXTERNAL ACCESS.

Original issue reported on code.google.com by [email protected] on 7 Apr 2008 at 12:44
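
The behaviour reported in this issue follows from PHP handing `~` to the filesystem unchanged; tilde expansion is a shell feature. The following is an added example, not cookiecheck's own code: a hypothetical helper `cc_example_resolve_save_path()` that expands `~` itself, refuses any location under the web root before creating anything, and checks the result of `mkdir()`. It assumes a POSIX host with `HOME` set.

```php
<?php
// Added example: hypothetical helper, not part of cookiecheck.
function cc_example_resolve_save_path(string $configured, string $docRoot): string
{
    // Expand a leading "~" ourselves; PHP would otherwise create a directory named "~".
    if ($configured === '~' || strncmp($configured, '~/', 2) === 0) {
        $home = getenv('HOME');
        if ($home === false || $home === '') {
            throw new RuntimeException('HOME is not set; configure an absolute save path');
        }
        $configured = rtrim($home, '/') . substr($configured, 1);
    }

    // A relative path resolves next to the running script, usually inside the web root.
    if ($configured === '' || $configured[0] !== '/') {
        throw new RuntimeException("Save path must be absolute: $configured");
    }
    if (in_array('..', explode('/', $configured), true)) {
        throw new RuntimeException("Save path must not contain '..': $configured");
    }

    // Canonicalise the nearest existing ancestor so a symlink cannot hide a web-root location.
    $probe = $configured;
    while (!file_exists($probe) && $probe !== '/') {
        $probe = dirname($probe);
    }
    $anchor = realpath($probe);
    $root = realpath($docRoot);
    if ($anchor === false || $root === false) {
        throw new RuntimeException('Cannot canonicalise save path or document root');
    }
    $rootPrefix = rtrim($root, '/') . '/';
    if (strncmp($anchor . '/', $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException("Save path is inside the web root: $configured");
    }

    // Create owner-only, and check the return value instead of assuming success.
    if (!is_dir($configured) && !mkdir($configured, 0700, true) && !is_dir($configured)) {
        throw new RuntimeException("Cannot create save path: $configured");
    }
    return realpath($configured);
}

// Usage (constructed values): resolves to /home/username/tmp, or throws before anything is written.
// $dir = cc_example_resolve_save_path('~/tmp', $_SERVER['DOCUMENT_ROOT']);
```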

Malformed address in the browser address bar after script has run

After the script has run, there is the potential that the address displayed
in the browser's address bar will look something like:

'http://www.site.com/test.php?cc_code=cc-sessid-12345' rather than 
'http://www.site.com/test.php' or 
'http://www.site.com/test.php?yourvar1=yourval1&yourvar2=yourval2'

This does not cause a functional impact on the script per se as the global
variables (including $_SERVER['QUERY_STRING'] and all the $_GET variables)
are all correct. It does however look ugly. It also causes problems if the
address is bookmarked and/or reloaded as it will cause the script to
malfunction.

This can be resolved for the case where cookies are enabled by, on the last
iteration, storing the session id in the cookie and reloading using the
proper URL or by adding the session id to the end of the proper URL. For
cases where cookies are not enabled I think the session id would have to be
appended to the proper URL.

The solution mentioned above partially solves this problem but I think
there are still some potential issues that will need to be fleshed out.

Original issue reported on code.google.com by [email protected] on 5 Apr 2008 at 1:42

Not checking function return values

In the body of the cc_cookie_cutter() function, it does not check the
return values of its helper functions to see whether an error has occurred.

It is unlikely that these functions will return an error, and it is not
clear how best an error should be handled (should the script just abort?)
so this is why it is still TBD.



Original issue reported on code.google.com by [email protected] on 5 Apr 2008 at 1:35
