PHP Classes

cookie_oauth_client_class uses unserialize() cookie value

Subject: cookie_oauth_client_class uses...
Summary: one shouldn't unserialize() a string originating from the client
Author: Markus S.
Date: 2019-07-10 08:15:06


  1. cookie_oauth_client_class uses...
Markus S. - 2019-07-10 08:15:06
cookie_oauth_client_class::Unserialize() works on an untrusted string supplied by the browser. It's a string decrypted with 3DES, but it is still a user-supplied string.

3DES is an encryption algorithm which was broken in 2016.

Calling unserialize() on a user-supplied string is a well-known security vulnerability. It can be misused to do 'Object Injection'.
That's one of the top 10 vulnerabilities within the OWASP report from 2017, see A8 on

If we could use e.g. json_encode() or similar, this vulnerability would go away.

See also

  2. Re: cookie_oauth_client_class uses...
Manuel Lemos - 2019-07-10 19:46:36 - In reply to message 1 from Markus S.
Hello Markus,

Thanks for the notice. This is just a solution for those that do not want to use a database for some reason. I do not use this myself.

Anyway, besides using json_encode() instead of serialize(), what do you suggest as an alternative for encryption to make it more secure?

  3. Re: cookie_oauth_client_class uses...
Markus S. - 2019-07-15 18:24:28 - In reply to message 2 from Manuel Lemos
E.g. could work

I don't think there is a "secure" built-in one-liner.
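As an added example (not code from the PHP OAuth Library or from either poster), this is the pattern the thread arrives at: store the client state as JSON rather than a serialize() blob, and wrap it in authenticated encryption (libsodium secretbox) rather than 3DES, so a tampered cookie is rejected before it is ever decoded. It assumes PHP 7.3 or later with ext/sodium, and a constructed 32-byte key standing in for one loaded from configuration.

```php
<?php
// Added example, not part of the PHP OAuth Library. Assumes PHP >= 7.3 with ext/sodium.

function cookie_seal(array $state, string $key): string
{
    // json_encode() instead of serialize(): json_decode() only ever yields
    // arrays and scalars, so no application class can be instantiated from it.
    $plain = json_encode($state, JSON_THROW_ON_ERROR);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox = XSalsa20 + Poly1305: confidentiality and integrity in one call.
    $box = sodium_crypto_secretbox($plain, $nonce, $key);
    return base64_encode($nonce . $box);
}

function cookie_open(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);            // strict: reject junk input
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Authentication happens here: any modified byte makes open() return false,
    // so untrusted data never reaches the decoder at all.
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;
    }
    try {
        $state = json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($state) ? $state : null;
}

// Constructed demo key; a real deployment loads a persistent 32-byte secret.
$key = str_repeat("\x42", SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

$cookie = cookie_seal(['access_token' => 'demo-token', 'expiry' => 1234567890], $key);
var_dump(cookie_open($cookie, $key));                    // the original array
// Flip one byte of the ciphertext: authentication fails, nothing is decoded.
$tampered = base64_encode(substr(base64_decode($cookie), 0, -1) . "\x00");
var_dump(cookie_open($tampered, $key));                  // NULL
```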