android6011, posted April 11, 2008:

I have a header that checks the values of two cookies, username and password, against the values in an SQL table. The password is md5 in both the table and the cookie, but I just don't know if this is good enough. I don't want anyone to be able to steal the cookie information, set the cookies on another computer and have access to the account. How can I prevent this? Should I just not set the md5 password in a cookie?

Thread: https://forums.phpfreaks.com/topic/100718-questions-about-security-involving-cookies/
discomatt, posted April 11, 2008:

If you want a user's login information stored in a cookie, then there's no way to prevent a malicious user from stealing the cookie file and using it. Storing it in pure md5 is silly though, as md5 can be brute-forced extremely quickly. You should always salt hashes as well... There was a topic on here not too long ago about salting and hashing; check back a couple of pages.
android6011, posted April 12, 2008:

What if I did this: store a salted hash in the table, then in the cookie do md5($storedsaltedhash.$sessionid). Then, when I check to make sure the cookie is OK, I do the same thing in my header file, so I'd check if ($_COOKIE['authenticate'] == md5($storedsaltedhash.$sessionid)). This way, even if the cookie was stolen, they wouldn't pass the check. I wouldn't store the session ID in a cookie either, or will I have to? I've never dealt with sessions, so I'm not sure how all that works precisely. Would this be OK?
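The following is an added example, not code posted in the thread and not what android6011 described. It shows the two pieces a practitioner would want here: the password stored with PHP's password_hash() (a per-user random salt and a slow hash, which is discomatt's salting point), and a "remember me" cookie that carries a random token unrelated to the password hash, with only a hash of that token kept in the table, an expiry, a constant-time comparison via hash_equals(), and a revocation path. It also demonstrates discomatt's caveat directly: a copied cookie is accepted exactly like the original until it is revoked or expires, so the defence is a short lifetime, server-side revocation and Secure/HttpOnly cookie flags rather than deriving the cookie from the password hash. The arrays stand in for the SQL tables; the table and function names are assumptions.

```php
<?php
// Added example, not code from the thread. The arrays below stand in for the
// SQL tables ("users" and an assumed "auth_tokens" table); all other names are
// hypothetical. Run with: php remember_me.php
declare(strict_types=1);

/**
 * Store a salted, slow password hash. password_hash() picks a random salt per
 * user and embeds it in the returned string, so no separate salt column is needed.
 */
function registerUser(array &$users, int $id, string $password): void
{
    $users[$id] = ['password_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function checkPassword(array $users, int $id, string $password): bool
{
    return isset($users[$id])
        && password_verify($password, $users[$id]['password_hash']);
}

/**
 * Issue a "remember me" token that has nothing to do with the password.
 * The cookie carries "selector:validator"; the table keeps only a hash of the
 * validator, so a dumped table does not yield working cookies.
 * Returns the cookie value.
 */
function issueToken(array &$authTokens, int $userId, int $ttlSeconds, int $now): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $authTokens[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires_at'     => $now + $ttlSeconds,
    ];
    return $selector . ':' . $validator;
}

/** Check the cookie presented on a request; returns the user id or null. */
function authenticateCookie(array &$authTokens, ?string $cookie, int $now): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $authTokens[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    if ($row['expires_at'] <= $now) {
        unset($authTokens[$selector]);          // expired: purge the row
        return null;
    }
    // Constant-time comparison. A loose "==" on hash strings would also be
    // wrong in PHP because numeric-looking strings compare as numbers.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

/** Logout: delete the row so every copy of that cookie, stolen or not, stops working. */
function revokeToken(array &$authTokens, string $cookie): void
{
    $selector = explode(':', $cookie, 2)[0];
    unset($authTokens[$selector]);
}

/** What the web handler would call after issueToken(); not called from the CLI demo. */
function sendRememberCookie(string $value, int $expires): void
{
    setcookie('remember', $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// --- Demo with an in-memory "database" (constructed data) ---
$users = [];
$authTokens = [];
$now = time();

registerUser($users, 1, 'correct horse battery staple');
printf("password check (right / wrong): %s / %s\n",
    var_export(checkPassword($users, 1, 'correct horse battery staple'), true),
    var_export(checkPassword($users, 1, 'wrong'), true));

$cookie = issueToken($authTokens, 1, 30 * 86400, $now);
$stolenCopy = $cookie;   // an attacker who copies the cookie file holds the same string

printf("legit cookie  -> %s\n", var_export(authenticateCookie($authTokens, $cookie, $now), true));
printf("stolen copy   -> %s (same string, same result until revoked or expired)\n",
    var_export(authenticateCookie($authTokens, $stolenCopy, $now), true));
printf("tampered      -> %s\n", var_export(authenticateCookie($authTokens, $cookie . 'x', $now), true));

revokeToken($authTokens, $cookie);
printf("after logout  -> %s\n", var_export(authenticateCookie($authTokens, $stolenCopy, $now), true));

$cookie2 = issueToken($authTokens, 1, 30 * 86400, $now);
printf("after 31 days -> %s\n",
    var_export(authenticateCookie($authTokens, $cookie2, $now + 31 * 86400), true));
```

Two design points are worth spelling out. The selector/validator split exists so the database lookup is by an indexed, non-secret column while the secret part is compared with hash_equals() against a stored hash; if the token table leaks, the attacker has only hashes of high-entropy random values and cannot forge cookies. Nothing in the cookie is derived from the password hash, so a stolen cookie never gives an offline target for brute-forcing the password, and logging out (or a "sign out everywhere" that deletes all of the user's rows) invalidates every copy of the cookie at once.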
This topic is now archived and is closed to further replies.