cheechm, posted September 17, 2008 (https://forums.phpfreaks.com/topic/124725-cookies/):

Is it safe to store a password in a cookie in this format:

    md5(md5(password and salt))

Password being user-inputted and salt being a random 3-character string from the database. Thanks.

If not, are there other ways I should do this (to keep the session alive after browser close)?
elgoog, posted September 17, 2008:

You could try using sha1 for a bit more security.

    sha1( sha1(pass-hash) . sha1(salt) )
Garethp, posted September 18, 2008:

Try to avoid cookies. If you want real security, use sessions. They are easier and are stored on the server, so users can't view or edit them. They are stored like normal variables and are called like normal variables; you just need session_start() at the top of each page you use sessions in. Here is an example.

Page 1:

    <?php
    session_start();
    $_SESSION['Test'] = "Hello World";
    ?>

Page 2:

    <?php
    session_start();
    echo $_SESSION['Test'];
    ?>
cheechm (author), posted September 18, 2008:

However, that doesn't allow me to keep a session forever (i.e. after browser close)? Thanks.
PFMaBiSmAd, posted September 18, 2008:

The value you store in a cookie for authentication purposes should not be a static fixed value, as would be the case if you stored anything derived from a username or password. It should be a generic unique id that can be regenerated, to help prevent it from being used by someone else to impersonate the actual visitor if someone gets a copy of it.

A session id is propagated between pages either as a cookie or on the end of the URL, so it suffers from the same problem if someone else gets a copy of the session id (they can impersonate the actual visitor), which is why the session_regenerate_id() function exists, so that you can regularly regenerate the id.
cheechm (author), posted September 18, 2008:

So you are saying that it is fine to store the password in the cookie like that? As it is just as likely for someone to get in via session hijacking? Thanks.
The Little Guy, posted September 18, 2008:

In the cookie store something like this:

Set cookie:

    <?php
    $userid = 435;
    $userCode = 's45jds2fo8gj'; // NOT the user's password
    // PHP's function is setcookie(), not set_cookie()
    setcookie('myCookie', $userid.'|'.$userCode, time()+60*60*24*60000); // Cookie for about 30 years
    ?>

Check for cookie:

    <?php
    if(isset($_COOKIE['myCookie'])){
        list($id,$code) = explode('|',$_COOKIE['myCookie']);
        // search for user in database
        // log the user in
    }else{
        // tell the user they need to log in
    }
    ?>

NOT THE BEST WAY, NEEDS SOME WORK!
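The two previous replies (PFMaBiSmAd's point that the cookie should hold a regenerable random id, and The Little Guy's sketch of a userid|code cookie) can be combined into one working "remember me" scheme. The code below is an added example, not code from any poster in this thread. It assumes a table (here a plain PHP array named $persistentLogins standing in for the database) keyed by a random selector, stores only a SHA-256 hash of the secret half of the token, compares in constant time, and rotates the token every time it is used so a copied cookie stops working as soon as the real user next visits.

```php
<?php
// Added example (not from the thread): a "remember me" cookie built from a
// random token rather than anything derived from the password.
// $persistentLogins is a constructed stand-in for a database table.
declare(strict_types=1);

const COOKIE_NAME    = 'remember';
const TOKEN_LIFETIME = 60 * 60 * 24 * 30; // 30 days

// Constructed stand-in for a persistent_logins table: selector => row
$persistentLogins = [];

/** Create a token for $userId, store only a hash of the validator, return the cookie value. */
function issueRememberToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, stored only as a hash
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + TOKEN_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

/** Return the user id if the cookie value is valid, otherwise null. Single use: the caller issues a fresh token. */
function checkRememberToken(array &$store, string $cookieValue, int $now): ?int
{
    if (substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < $now) {
        unset($store[$selector]);
        return null;
    }
    // Constant-time compare so response timing does not leak the stored hash
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with the wrong validator: treat the token as compromised and revoke it
        unset($store[$selector]);
        return null;
    }
    unset($store[$selector]); // one-time use; the caller issues a replacement
    return $row['user_id'];
}

/** Send the cookie with the flags that keep it off plain HTTP and away from page scripts. */
function sendRememberCookie(string $value, int $now): void
{
    setcookie(COOKIE_NAME, $value, [
        'expires'  => $now + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
}

// Usage sketch. After a successful password login:
//   $cookie = issueRememberToken($persistentLogins, 435, time());
//   sendRememberCookie($cookie, time());
//
// On a later request that has no live session:
//   if (isset($_COOKIE[COOKIE_NAME])) {
//       $userId = checkRememberToken($persistentLogins, $_COOKIE[COOKIE_NAME], time());
//       if ($userId !== null) {
//           session_start();
//           session_regenerate_id(true);
//           $_SESSION['user_id'] = $userId;
//           sendRememberCookie(issueRememberToken($persistentLogins, $userId, time()), time());
//       }
//   }
```

Because the cookie carries nothing derived from the password, a leaked cookie reveals nothing about the credential, and because only a hash of the validator is stored, a leaked table cannot be turned back into working cookies. Logging out should delete the row for the presented selector; a password change should delete every row for that user.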