
Interesting Authentication Concept


EKINdesigns


Please let me know what you think about this concept idea. I think it would be more secure than the normal approach.

 

Store the username in a cookie and the password in a session.

 

Reason this would be more secure:

 

1.) If someone gets hold of the session ID, they are missing the username (so we assume it's a hack and delete the session data).

2.) If someone, somehow, hacks the session data, they are, again, missing the username.

3.) If someone gets hold of a cookie (harder, since it is located on the client's machine), they are missing the password.

4.) If the user's session ends but the username is still in the cookie, ask them to verify the password to re-login.

 

Please let me know if this concept is a good idea. I haven't seen this implemented anywhere else.

 

 

Thanks,

Jeff


It doesn't matter whether the cookie is on the user's machine. The data in the cookie is still requested by the server and can easily be read by a packet sniffer, as can session data. The concept of hijacking applies to both sessions and cookies. You will obviously need a reference in each storage method to marry the 2 bits of data, i.e. this username marries up with this password. Anyone who really wants to get at the data will.

 

I think you are creating more work for yourself with no real benefit. In fact, I'm not sure why you would even store the username and password in a cookie or session at all; this is madness. Once authenticated to a website, you may store the user's database ID, or even a unique key that identifies them to the site, in a session or cookie. A secure method would be to make the user's key expire after a period of time and on next login create a new key.

 

If you believe that you are going to suffer from hijacking because you have sensitive data to protect then get an SSL certificate.

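The alternative the reply above describes (keep the password out of the session entirely, store only a user ID behind a random key that expires and is replaced on the next login), written out as an added example that is not part of the thread; the in-memory stores, the PBKDF2 password hashing and the 30-minute TTL are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores; a real site would keep these in a database.
USERS = {}      # username -> salted password hash (never placed in a cookie or session)
SESSIONS = {}   # opaque random key -> {"user_id": ..., "expires": ...}
SESSION_TTL = 30 * 60  # seconds a key stays valid (assumed value)


def register(username, password):
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    USERS[username] = {"id": len(USERS) + 1, "salt": salt, "hash": digest}


def login(username, password, now=None):
    """Verify credentials and issue a fresh random session key; returns the key or None."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(digest, user["hash"]):
        return None
    # Revoke any key this user still holds, so every login creates a new key.
    for key in [k for k, s in SESSIONS.items() if s["user_id"] == user["id"]]:
        del SESSIONS[key]
    key = secrets.token_urlsafe(32)  # the only value the client ever receives
    SESSIONS[key] = {"user_id": user["id"], "expires": now + SESSION_TTL}
    return key


def current_user(key, now=None):
    """Resolve a session key to a user id; unknown or expired keys yield None."""
    now = time.time() if now is None else now
    session = SESSIONS.get(key)
    if session is None:
        return None
    if now >= session["expires"]:
        del SESSIONS[key]  # expired keys are purged, not just rejected
        return None
    return session["user_id"]
```

A hijacked key is only useful until it expires or the legitimate user logs in again, and it never reveals the username or password.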

From what I read, sniffers aren't easy to use... they kind of have to sit there and wait for someone to sign in or something (don't quote me on that). If you have data that is so sensitive as to worry about intruders, you probably will be willing to spend the extra $$$ or so on SSL. If you've just got a message board or something with some email addresses, names, maybe even a b-day here and there, don't worry.
