Hold my beer and watch this!

Easy PHP Cookies

I was working on a security subsystem for a website the other day, and I needed to encode a bunch of variables into a cookie. I’ve written this kind of code way too many times before, and it’s pretty straightforward. It is very tedious, however, and can get complicated if you have to worry about escaping characters, encoding arrays, etc.

With this in mind, I decided to sniff around in the PHP documentation and see if there was something there that I could use to make this easier. I started looking at serialization, followed a few references, and pretty soon I came up with a very simple solution:


// Encode the values and set a cookie
function encode_cookie ($foo, $bar, $snork)
{
    // compact() builds an array keyed by variable name from the local symbol table
    $cookie = serialize(compact("foo", "bar", "snork"));
    setcookie("name", $cookie, 0, "/", "ericwinkelman.com");
}

// Get the cookie, and decode the values
function decode_cookie (&$foo, &$bar, &$snork)
{
    // Nothing to do when the cookie has not been set yet
    if (!isset($_COOKIE["name"])) {
        return;
    }
    // allowed_classes => false keeps unserialize() from instantiating objects
    // from cookie data; arrays and scalars still round-trip as described below
    $values = unserialize($_COOKIE["name"], array("allowed_classes" => false));
    if (is_array($values)) {
        // extract() writes into the local symbol table; because the parameters
        // are references, the caller's variables are updated as well
        extract($values);
    }
}

The key to this code is the compact and extract functions. These functions work directly with the program’s symbol table, and not the variables themselves. The compact function takes the names of the variables to store in the cookie, and looks up the values in the symbol table. Similarly, the extract function gets the variable names and values from the cookie, and updates the symbol table with this information.

Through these functions, you don’t have to worry about formatting, parsing, escaping, variable order, etc. It even works with arrays. You must, however, make sure that the names of the function parameters are the same between the encode_cookie and decode_cookie functions.

For extra credit, I suggest encrypting the cookie value so that site visitors can’t mess around with them. Michael Gracie recently posted encryption and decryption functions that can be used for this.
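As an added example (not the post’s code), here is the same compact()-based idea with the extra-credit step built in: the cookie is JSON-encoded and authenticated with an HMAC, so a visitor who edits it is detected and the values are rejected, and decode_cookie returns an array instead of writing into the symbol table with extract(). COOKIE_KEY is a placeholder for a real random secret loaded from configuration, and the option-array form of setcookie() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original post. The cookie name and domain are
// kept from the post; COOKIE_KEY is a placeholder secret.
const COOKIE_NAME = 'name';
const COOKIE_KEY  = 'replace-with-a-32-byte-random-secret';

function encode_cookie(string $foo, string $bar, array $snork): string
{
    // compact() still gathers the variables by name; JSON replaces serialize()
    $payload = base64_encode(json_encode(compact('foo', 'bar', 'snork')));
    // The HMAC binds the payload to the server secret, so edits are detectable
    $mac   = hash_hmac('sha256', $payload, COOKIE_KEY);
    $value = $payload . '.' . $mac;          // base64 and hex never contain '.'
    setcookie(COOKIE_NAME, $value, [
        'expires'  => 0,
        'path'     => '/',
        'domain'   => 'ericwinkelman.com',
        'secure'   => true,                  // only sent over HTTPS
        'httponly' => true,                  // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Returns the decoded values, or null if the cookie is missing or was altered.
function decode_cookie(?string $value): ?array
{
    if ($value === null || substr_count($value, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $value, 2);
    $expected = hash_hmac('sha256', $payload, COOKIE_KEY);
    // Constant-time comparison, and nothing is parsed until the MAC checks out
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;   // e.g. ['foo' => ..., 'snork' => [...]]
}

// Usage: $vars = decode_cookie($_COOKIE[COOKIE_NAME] ?? null);
```

The HMAC gives the integrity the post is after; if the values must also be hidden from the visitor, encryption can be layered on the payload before the MAC is computed.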

Bake at 450 for 10 minutes and cool slightly before serving…

Posted: February 18th, 2009 | Filed under: Coding | No Comments

NSA Wiretapping – Followup

Wired had a couple of interesting articles about the NSA wiretapping program. While I recommend both of them, there were a couple of points that call into question the value of the NSA’s wiretapping and data mining activities.

In NSA Whistleblower: Wiretaps Were Combined with Credit Card Records of U.S. Citizens they discuss some of the claims made by Russell Tice, the NSA whistleblower:

“This is garnered from algorithms that have been put together to try to just dream-up scenarios that might be information that is associated with how a terrorist could operate,” Tice said. “And once that information gets to the NSA, and they start to put it through the filters there . . . and they start looking for word-recognition, if someone just talked about the daily news and mentioned something about the Middle East they could easily be brought to the forefront of having that little flag put by their name that says ‘potential terrorist’.”

Now, compare this to what is discussed in CIA Spy Enlisted Son to Collect Espionage Debts, Feds Say, where they quote the following coded message sent to Russian agents:

SUBJECT LINE: Hola Nancy!
Hello Sweety! How are you? I’m good. Sorry for taking so long to write to you…you know how work is and all. Any7ways, things are good. It looks like I will still be able to go on that vacation! I will keep you updated on that though. I am very much looking forward to it, and to seeing you again! Well hon, I just thought I’d say “hi” since I had the time!

As I mentioned previously, it is difficult to see how widespread data mining is going to be a useful tool in the fight against terrorists.

How do you build algorithms that distinguish innocent conversations (from people with nothing to hide) from the carefully coded messages sent by terrorists?

Posted: February 3rd, 2009 | Filed under: Privacy | 1 Comment