Reply to post: Never trust the client

You've seen things people wouldn't believe – so tell us your programming horrors

ld123s

Never trust the client

The company's website was defaced over the weekend. Their login system was all custom made, so we looked into how it worked. Some pseudocode:

$userId = login($username, $password);
if ($userId != 0) { // login success
    cookie_set('userId', $userId);
}

// later on in other pages
if (!cookie_isSet('userId')) {
    die('You must be logged in');
}
$userId = cookie('userId'); // taken straight from the client-supplied cookie

I guess the developers never knew about PHP sessions and thought they could trust the users' cookies. It was pretty clear at this point how they were defaced so easily.
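As an added illustration (not part of ld123s's comment or the site in question), the Python model below contrasts the cookie-carries-the-user-id check from the post with the server-side session lookup that PHP sessions give you; the user table, session store and function names are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-ins for the application's user table and session storage.
USERS = {"alice": ("s3cret", 42), "admin": ("hunter2", 1)}
SESSIONS = {}  # opaque session id -> user id, held only on the server


def login(username, password):
    """Mirror of the post's login(): user id on success, 0 on failure."""
    rec = USERS.get(username)
    if rec and hmac.compare_digest(rec[0], password):
        return rec[1]
    return 0


# --- Pattern from the post: the cookie value *is* the identity --------------
def vulnerable_login(username, password):
    uid = login(username, password)
    return {"userId": str(uid)} if uid else {}


def vulnerable_current_user(cookies):
    # Whatever the client sends back is believed; nothing ties it to a login.
    if "userId" not in cookies:
        return None
    try:
        return int(cookies["userId"])
    except ValueError:
        return None


# --- Session pattern: the cookie is an unguessable handle, identity is server-side
def session_login(username, password):
    uid = login(username, password)
    if not uid:
        return {}
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not derivable from uid
    SESSIONS[sid] = uid
    return {"sid": sid}


def session_current_user(cookies):
    # Unknown or fabricated ids simply have no server-side entry.
    return SESSIONS.get(cookies.get("sid"))
```

Running the checks against a hand-written cookie shows the difference: the first function accepts any integer the client chooses, the second only a handle the server issued.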
