PHP Storing object in cookie doesn't work

Question

I'm developing a website where users can register and access their accounts, and when the user is connected, I save the User object in a cookie using serialization and base64 encoding. It was working perfectly, suddently the PHP script doesn't want to create the cookie. My PHP script is :

/**
 * Function that creates a cookie from an User object
 * @param User $user User object to be stored in the cookie
 * @param int $timeout Lifetime of the cookie (0 if should be destroyed when the navigator is closed)
 */
function setUserCookie($user, $timeout = COOKIE_MAXLIFETIME) {
    setcookie('user', base64_encode(serialize($user)), $timeout, '/');
}

I don't know where the problem is coming from, I hope someone will help me :)

EDIT : This is a project for the university, I'm aware my website can be vulnerable while storing an object in the cookie, but we have to focus on functionalities rather than on the security of the website.

Answer 1

Do not store a serialized string in something the outside world can see and manipulate! It is a security hole! Why?

The serialized string contains the name of the class that was used to build the object. This can be altered. Unserializing an arbitrary string means that an arbitrary object gets created. If this objects code is available, it will get executed. This basically is a remote code execution vulnerability, because the outside attacker can to some extent choose which code he wants to get executed.

If you really want to store data in a cookie, use a serialization format that only contains data, and no reference to any PHP objects. json_encode() might be the right thing. The better way would be to use a session and store anything related to the current login server-side.

Answer 2

我终于使用$_SESSION使其工作，即使用户无法保持登录状态。