RT Cunningham

A Secure Cookie Can Secure the Website Admin Section

I’ve been using a secure cookie to secure the admin section for this website for months. In fact, it’s probably been a few years now. I can’t remember when I started doing it this way.

This works with WordPress, obviously, because I’m using it with WordPress now. It will work with any admin section normally protected by a login page, though my examples only cover a PHP-driven website.

What, exactly, is a Secure Cookie?

Most website owners are aware of cookies, even if they never mess with them. Cookies are nothing more than tiny pieces of text, stored by the browser in a set format. A website can set a cookie on one page and the browser sends it back, so the site can read it, on another. Most websites set one kind of cookie or another and usually more than one.

A secure cookie is a regular cookie with the Secure flag set, so the browser only ever sends it over HTTPS. It’s been a long time since I did any packet sniffing tests, but if memory serves me correctly, it’s almost 100 percent secure. There’s no such thing as 100 percent, but this comes pretty close. HTTPS encrypts the whole request, so the cookie’s name and its value are both hidden from anyone watching the traffic.

A secure cookie differs from a secure session cookie only in that it is persistent: it has an expiry date instead of vanishing when the browser closes.

Creating a Secure Cookie

It’s not hard to do manually, just a pain. I created mine with Chrome and Firefox extensions for a long time, until I got tired of doing it that way and wrote a PHP script to make things easier and quicker. It’s not hard to do with JavaScript either, which is exactly what I used to stop automated comment spam with a secure cookie before switching to Disqus for comments.

The script looks like this:

<?php
// Only act on the form submission; a plain GET just renders the form below.
if (isset($_POST['submit'])) {
    // Cookie domain: the bare host with a leading dot, so both
    // www.example.com and example.com receive the cookie.
    $domain = '.' . str_replace('www.', '', $_SERVER['HTTP_HOST']);
    // Persistent for 10 years, valid for the whole site, Secure (HTTPS only)
    // and HttpOnly (not readable from JavaScript). The last two are booleans.
    setcookie(
        trim($_POST['cookie_name']),
        trim($_POST['cookie_value']),
        strtotime('+10 years'),
        '/',
        $domain,
        true,
        true
    );
    header('Location: https://' . $_SERVER['HTTP_HOST'] . '/');
    exit;
}
?>
<html>
<head>
<title>Cookie Form</title>
<meta name="viewport" content="width=device-width, minimum-scale=1, initial-scale=1">
<style>body{font-family:sans-serif;font-size:1.2em}</style>
</head>
<body>
<h2>Cookie Form</h2>
<p>This form will create a cookie in your web browser, sent over HTTPS only and for this domain only, which will expire in 10 years.</p>
<!-- Post back to this same script wherever it lives, so the action always
     matches the path the web server rule leaves unblocked. -->
<form id="contact" method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES); ?>">
<label for="cookie_name">Cookie Name:</label>
<input type="text" name="cookie_name" id="cookie_name" required="required">
<br><br>
<label for="cookie_value">Cookie Value:</label>
<input type="text" name="cookie_value" id="cookie_value" required="required">
<br><br>
<input type="submit" name="submit" value="Submit" class="submit-button">
</form>
</body>
</html>

It isn’t perfect but it works.

Nginx and the Secure Cookie

You can do this with Apache and other web servers but I can’t tell you how to do it. I’ve been using nothing but Nginx for years, even on Windows. With Nginx, you can add something like this to the server block (or as an include):

# Start from "allow", then kill any request whose path contains ".php"
# (case-insensitive). $uri is the decoded, normalised path Nginx will actually
# route, so it is the right thing to test; the raw $request_uri also carries
# the query string.
set $kill_uri 0;
if ($uri ~* \.php) {
    set $kill_uri 1;
}
# The cookie form itself has to stay reachable, or the cookie could never be set.
if ($uri = /assets/cookie-form.php) {
    set $kill_uri 0;
}
# A browser presenting the secret cookie gets through. COOKIENAME and
# COOKIEVALUE are placeholders for whatever you chose in the form.
if ($cookie_COOKIENAME = COOKIEVALUE) {
    set $kill_uri 0;
}
# Nginx treats "0" and an empty string as false, so this only fires when
# $kill_uri is still 1.
if ($kill_uri) {
    return 404;
}

This is perfect for WordPress because it’s a PHP-driven CMS. You can add more conditions, like I do with my contact form. This is only a working example.
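To check that the three rules behave as intended before relying on them, here is an added Python model of the gate (my example, not the author's code or part of the original post). COOKIENAME, COOKIEVALUE and the form path are the placeholders from the block above, and the sample requests are constructed.

```python
import hmac
import re
from urllib.parse import unquote, urlsplit

# Constructed placeholders; the real name and value are whatever you set with cookie-form.php.
COOKIE_NAME = "COOKIENAME"
COOKIE_VALUE = "COOKIEVALUE"
COOKIE_FORM_PATH = "/assets/cookie-form.php"
PHP_RE = re.compile(r"\.php", re.IGNORECASE)   # the ~* \.php test, case-insensitive

def normalized_path(request_uri: str) -> str:
    """Approximate Nginx's $uri: strip the query string, percent-decode, drop
    empty and '.' segments, resolve '..', keep a trailing slash."""
    path = unquote(urlsplit(request_uri).path)
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and out:
        result += "/"
    return result

def gate(request_uri: str, cookies: dict) -> int:
    """Apply the three rules from the server block; 404 means the request is killed."""
    uri = normalized_path(request_uri)
    kill = PHP_RE.search(uri) is not None          # if ($uri ~* \.php) { set $kill_uri 1; }
    if uri == COOKIE_FORM_PATH:                    # the form page must stay reachable
        kill = False
    # Nginx's own test is a plain string equality; a server-side check you write
    # yourself should compare in constant time, as here.
    presented = cookies.get(COOKIE_NAME, "")
    if hmac.compare_digest(presented.encode(), COOKIE_VALUE.encode()):
        kill = False
    return 404 if kill else 200

if __name__ == "__main__":
    # Constructed sample requests: (path, cookies the browser sent)
    samples = [("/wp-login.php", {}), ("/assets/cookie-form.php", {}),
               ("/wp-login.php", {COOKIE_NAME: COOKIE_VALUE}), ("/wp-login%2Ephp", {})]
    for path, cookies in samples:
        print(f"{gate(path, cookies)}  {path}  cookie={'yes' if cookies else 'no'}")
```

Run it as-is to see which constructed requests are killed; the same functions can be fed your own paths and cookie jar.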

The Driving Force Behind All of This

It all started when I got tired of policing the comments section on my previous blog. It was compounded by tons of brute force attacks on my login page. I found I could block all the bad bots attacking any page in my admin section, including the login page, by using a secure cookie.

Since I’m the only one who uses this website, logging in is superfluous now but still required by the CMS itself. I wrote this script because I can’t use extensions with Chrome on Android. It’s easier and faster anyway. I don’t have the cookie form page blocked and I can create a secure cookie on any device. It doesn’t bother me that anyone can access that specific page. No one has any idea what I use for a cookie name or value.


RT Cunningham
March 7, 2019
Web Development