theagent Posted October 11, 2008

Hello, I'm making a website that involves a user login system. Right now, when a user logs in, I'm storing just the username in a cookie. I know this is a very vulnerable security flaw, since I'm pretty sure this can be easily spoofed. What is the best way to secure this? Thanks in advance.

PS: I'm really new to website security. If you know any basic guides I should follow, please let me know!
Coreye Posted October 11, 2008

theagent wrote:
> Hello, I'm making a website that involves a user login system. Right now, when a user logs in, I'm storing just the username in a cookie. I know this is a very vulnerable security flaw, since I'm pretty sure this can be easily spoofed. What is the best way to secure this? Thanks in advance.
> PS: I'm really new to website security. If you know any basic guides I should follow, please let me know!

Have you read http://www.phpfreaks.com/tutorial/php-security/ yet? Page 7, http://www.phpfreaks.com/tutorial/php-security/page7, has information about sessions and cookie stealing.
theagent Posted October 11, 2008 (Author)

After reading that, I'm still a bit confused. Right now I'm not even using sessions. When a user logs in, I'm solely storing the username in a cookie. I check if that cookie exists (if isset($_COOKIE['username'])) to see if the user is logged in, I log the user out by destroying the cookie, and I use it as a reference to modify the user's data in the MySQL database. So what should I be doing differently?
Andy17 Posted October 11, 2008

I'm pretty new to this myself, but I'd say have two cookies: one with the username and one with the password (use sha1() on both). Then check the username+password like you normally would, just use sha1() on the password you have stored in your MySQL database too. Don't actually change it. If you access the password like this: $row['password'], then do this: $password = sha1($row['password']); Something like that.

theagent wrote:
> After reading that, I'm still a bit confused. Right now I'm not even using sessions. When a user logs in, I'm solely storing the username in a cookie. I check if that cookie exists (if isset($_COOKIE['username'])) to see if the user is logged in, I log the user out by destroying the cookie, and I use it as a reference to modify the user's data in the MySQL database. So what should I be doing differently?

You should check if the entered username/password is correct and if so, set a session. For instance, your session could be:

    <?php
    session_start();

    // The user is logged in
    $_SESSION['logstatus'] = 1;

    // The user is NOT logged in anymore (you can set it to 0 when a user clicks the log out button)
    $_SESSION['logstatus'] = 0;
    ?>

If I were you, I would Google for a login script. Just post here if you need help with it.
theagent Posted October 11, 2008 (Author)

OK, I understand the purpose of checking the username/password combination by having two separate cookies. However, I don't understand the purpose of using sha1(). I don't understand the purpose of using sessions. Also, I don't understand why MD5 is used on passwords, since it can be cracked, and I don't understand how it's used. Many thanks to whoever clears up this confusion.

Also, you said to look for an online login system. While that is good, I'd rather build one myself since I'd like to learn how it works and ensure that it's built to my expectations.
Stooney Posted October 12, 2008

Sessions are like cookies, but the big difference is that sessions are stored server side, while cookies are stored client side. So a user can access his cookies but he can't access anything stored in a session variable. So for a login, it would look something like this (while being secure):

    <?php
    session_start(); // must run before $_SESSION is available on every page

    if(isset($_SESSION['user_id']) && !empty($_SESSION['user_id'])){
        echo 'You are logged in under user_id '.$_SESSION['user_id'];
    }
    else{
        echo 'You are logged out';
    }
    ?>

And for the login script, it's just (this is after the form submission):

    <?php
    session_start();

    if(isset($_POST['username'])){
        // look up the submitted username/password; exactly one row means a valid login
        $result=mysql_query("QUERY HERE");
        if(mysql_num_rows($result)==1){
            $user=mysql_fetch_assoc($result);
            $_SESSION['user_id']=$user['user_id'];
        }
    }
    header("Location: index.php");
    ?>

To log them out you just destroy the session:

    unset($_SESSION['user_id']); // there are other ways, this is just an example
theagent Posted October 12, 2008 (Author)

So in other words, use sessions because they can't be spoofed like cookies. Right?
Andy17 Posted October 12, 2008

theagent wrote:
> So in other words, use sessions because they can't be spoofed like cookies. Right?

Sessions are automatically deleted when you close your browser (and after a certain period of time, I think), while cookies are stored until the expiration date you specified or until you destroy it. A session can also be accessed from all of your pages (same for a cookie), but it is much better to use a session to check if a user is logged in. You could do something like this:

    <?php
    session_start();

    // If the session "logstatus" has not been set yet, the user is obviously not logged in
    if (!isset($_SESSION['logstatus']))
    {
        // Your login check here (if the information is correct, set $_SESSION['logstatus'] to 1)
    }
    ?>

Imagine that you use cookies to check this; you would then have to run the login check on every page to check if the user is logged in. When using sessions, you just do this check once and set a session to 1 if the user is logged in. Then you can just check on every page if the user is logged in or not (if the session is set to 1 or not), which is better than running a lot of queries on every page. It's safer and increases the efficiency of your code.

It's great that you want to build your script by yourself. It is always important to understand your code, so by suggesting you find a script, I also meant for you to study and understand it. I'd suggest reading a MySQL tutorial (if you want more than just a few users). You can find some simple and easy to understand tutorials at www.tizag.com to get you started.
micmania1 Posted October 12, 2008

Sessions are much more secure than cookies. A session creates a cookie with a session id storing all of its values. With your current system, I'm pretty sure it can be hacked like so. Enter this into the URL bar if you would like to check:

    javascript: document.cookie = 'username=stolen_username';

Because the values of a session are encrypted they are not vulnerable to that attack.

Session Tutorial
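Editor's added example, not code from any poster in this thread: a complete session-based login/logout script that puts together what Stooney, Andy17 and micmania1 describe above (the server-side session is the only thing the client can influence, and only through the session id cookie). It assumes PHP 7.3 or newer, a `users` table with columns `user_id`, `username` and `password_hash` where `password_hash` was produced by `password_hash()` at registration, and a hypothetical PDO DSN and credentials. Two things are deliberately swapped in relative to the thread: PDO prepared statements instead of the `mysql_*` functions, and `password_hash()`/`password_verify()` instead of `sha1()` on the stored password.

```php
<?php
// login.php: session-based login (added example, not from the thread).
// Assumes PHP >= 7.3 and a `users` table (user_id, username, password_hash)
// whose password_hash column was written by password_hash() at registration.
declare(strict_types=1);

// Harden the session cookie before the session starts: HttpOnly keeps
// document.cookie from reading it, Secure keeps it off plain HTTP,
// SameSite=Lax blunts cross-site request forgery. lifetime 0 = browser session.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function db(): PDO
{
    // Hypothetical DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Returns the user_id on success, null on failure. The only client input
// that reaches the database is the bound parameter of a prepared statement.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = ($row !== false) ? $row['password_hash'] : $dummyHash;

    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return (int) $row['user_id'];
}

function login(int $userId): void
{
    // Issue a fresh session id on privilege change to defeat session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the session cookie on the client as well as destroying it server side.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $userId = authenticate(db(), (string) $_POST['username'], (string) $_POST['password']);
    if ($userId === null) {
        http_response_code(401);
        echo 'Invalid username or password.';
        exit;
    }
    login($userId);
    header('Location: index.php');
    exit;
}

if (isset($_GET['logout'])) {
    logout();
    header('Location: index.php');
    exit;
}

// Any other page does the same session_start() and this one check; no query needed.
$uid = currentUserId();
echo $uid === null ? 'You are logged out' : 'You are logged in as user_id ' . $uid;
```

Setting `document.cookie = 'username=...'` in the browser, as in micmania1's test, has no effect on this script: the only cookie it reads is the session id, and the session id maps to data that lives on the server. What an attacker would need instead is the session id itself, which is why the cookie carries HttpOnly and Secure and why `session_regenerate_id()` runs at login.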