mcrypt encrypt/decrypt problems

Status
Not open for further replies.

draigGoch

Programmer
Feb 10, 2005
166
GB
Hi, hope someone can help me. I'm new to this encryption thing, and I found two handy functions on php.net - one to encrypt a cookie, and another to decrypt a cookie.
I encrypt the username on one page using this:

$encrypted = encryptCookie($username); // the returned string is what gets stored in the cookie

function encryptCookie($value){
    if(!$value){return false;}
    $key = 'The Line Secret Key'; // RIJNDAEL_256 expects a 16/24/32-byte key; shorter keys are NUL-padded only in old PHP (before 5.6)
    $text = $value;
    // mcrypt ignores the IV in ECB mode, so this random IV has no effect on the ciphertext
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
    return trim(base64_encode($crypttext)); //encode for cookie
}

and then I decrypt it on another page like so:

function decryptCookie($value){
    if(!$value){return false;}
    $key = 'The Line Secret Key'; // must be byte-for-byte the same key used to encrypt
    $crypttext = base64_decode($value); //decode cookie
    // as on the encrypt side, the IV is ignored in ECB mode
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_ECB, $iv);
    // mcrypt pads the plaintext with NUL bytes up to the block size; trim() strips them (and any real leading/trailing whitespace)
    return trim($decrypttext);
}

echo decryptCookie($_COOKIE["myUsrDtls"]);


but the encrypted and decrypted values are not the same!!! Help me please!
A computer always does what you tell it to, but rarely does what you want it to.....
 
I don't do that much cryptography in PHP so I don't think I can be of much help, there.

But could I ask why you don't just store this value in a session variable? All that is stored on the client is a session ID -- PHP uses that ID as an index to select and unserialize a session store, so the data never leaves the server.


Want the best answers? Ask the best questions! TANSTAAFL!
 
Thanks for your reply. I thought about using sessions, but the guy who I was doing this for was adamant that he wanted to use cookies - not sessions (don't ask!).

I found another function that encrypts/decrypts a cookie successfully.

A computer always does what you tell it to, but rarely does what you want it to.....
 
sessions typically do use cookies.

sleipnir214 meant: why don't you store the sensitive data in server-side session files/db and just use cookies to store the session identifier? This is the normal way to do things. sleipnir has also posted a mysql alternative session handler in the FAQ page for this forum; this can be easily adapted to provide session persistence or a defined absolute time-out mechanism, whereas cookie data is susceptible to client-side manipulation.
 
The only sensitive data that will be stored and encrypted in a cookie is the username.

The cookie is then decrypted and we use the username to get details from the database.

Does this seem secure?

A computer always does what you tell it to, but rarely does what you want it to.....
 
why do you need to store the username client-side?
 
I don't think it is any more or less secure than using a cookie-based session variable. In either case, the user has the opportunity to mess with the data. It's just that the code is simpler for session variables.


Want the best answers? Ask the best questions! TANSTAAFL!
 
No idea why I'm storing the username client-side.

Cookies or session cookies were the only way that we came up with for storing the fact that the user has logged in.

The user can mess with the encrypted data, but can't do much with it unless they decrypt it, so if the user does mess with the data, the system will attempt to decrypt the cookie, realise that there is no such username in our db, and then redirect to the login page.

A computer always does what you tell it to, but rarely does what you want it to.....
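On the tampering point raised in the replies above: an encrypted cookie with no integrity check can be altered without the server noticing. The following is an added example, not code from this thread, showing an encrypt-then-MAC cookie value that is rejected before decryption if it has been modified. It uses the openssl extension (mcrypt is deprecated and removed in modern PHP); the secret value and the flipped character position are assumptions for the demo.

```php
<?php
// Added example, not from the thread: encrypt-then-MAC for a cookie value.
// Uses the openssl extension (mcrypt is deprecated/removed in modern PHP).
// The secret below is a placeholder: load real key material from config.
const COOKIE_SECRET = 'placeholder-secret-load-from-config';

function cookieKeys(): array {
    // Separate encryption and MAC keys derived from one secret via HKDF.
    return [
        'enc' => hash_hkdf('sha256', COOKIE_SECRET, 32, 'cookie-enc'),
        'mac' => hash_hkdf('sha256', COOKIE_SECRET, 32, 'cookie-mac'),
    ];
}

function sealCookie(string $value): string {
    $k  = cookieKeys();
    $iv = random_bytes(16);                       // fresh IV, sent with the ciphertext
    $ct = openssl_encrypt($value, 'aes-256-cbc', $k['enc'], OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $k['mac'], true);   // MAC covers IV + ciphertext
    // base64url keeps '+' and '/' out of the cookie value.
    return rtrim(strtr(base64_encode($iv . $ct . $tag), '+/', '-_'), '=');
}

function openCookie(string $blob): ?string {
    $k   = cookieKeys();
    $b64 = strtr($blob, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);  // restore padding
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {  // IV + one block + tag
        return null;
    }
    $tag  = substr($raw, -32);
    $body = substr($raw, 0, -32);
    // Check the MAC in constant time before the ciphertext is touched at all.
    if (!hash_equals(hash_hmac('sha256', $body, $k['mac'], true), $tag)) {
        return null;
    }
    $pt = openssl_decrypt(substr($body, 16), 'aes-256-cbc', $k['enc'],
                          OPENSSL_RAW_DATA, substr($body, 0, 16));
    return $pt === false ? null : $pt;
}

// Constructed demo: the original value round-trips; a modified cookie fails the MAC.
$sealed = sealCookie('alice');
var_dump(openCookie($sealed));
$tampered = $sealed;
$tampered[25] = ($tampered[25] === 'A') ? 'B' : 'A';   // flip one ciphertext character
var_dump(openCookie($tampered));
```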
 
php sessions, by default, store a sessionID in the cookie.

you store a logged in flag in the session data on the server and test it each page.

Code:
session_start();

if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === TRUE) {
  //ok to proceed
} else {
  //display a login form
}

//log in form process
session_start();
// $credentialsOk is a placeholder: set it to TRUE only when the submitted username and password check out
if ($credentialsOk) {
  $_SESSION['loggedIn'] = TRUE;
} else {
  //redirect to login form
}

//NB it is good practice not to store the users password in clear text but only to store it in a one way hash/encryption like md5 or sha1

//logout process
session_start();
if (session_name() !== "") {
  $_SESSION = array();
  session_destroy();
  setcookie(session_name(), '', time() - 3600, '/'); // expire the session cookie on the client too
}
 