Jump to content

Cookie Without Security Flaws

Guest edwinsweep

By Guest edwinsweep
in PHP Coding Help

 Share

Recommended Posts

Guest edwinsweep

Guest edwinsweep

Posted
Posted
hi everybody.
im currently making a website where you can login.
just that when you close the window without loggin out, your session is lost.
you will have to do a new login.
as up to now the only way to fix this is a cookie right?
how can i do this.
storring somebody's loginname and password wouldnt be smart now would it?
even if you md5 encrypt it, this could be a security flaw. (i heard md5 could be decrypted it that treu?)
so how else would i do this.
just storring a random string in the cookie and also in the DB and comparing them wouldnt be the answer aswell.
cause if i could steal your cookie, i would be able to loggin.

Does anybody have any idea how this would be done.

a push in the right direction would be enough.
complete script even better.

Link to comment
https://forums.phpfreaks.com/topic/13193-cookie-without-security-flaws/
Share on other sites
SharkBait Advanced Member

SharkBait

Posted
Posted
MD5 is a hash so it can't be decrypted. You can make a complex hash if your wanting a bit more security to it.

[code]
$salt ="SomeRandomPhraseThatCanBeUsed";

$mypass = md5(md5("mypassword").md5($salt));
[/code]

Think that is how I do mine anyway.

As for keeping someone 'logged in' I believe the best way is to do it by cookie. Keep the username, and somesorta randomly generated thing to have it check against the database I guess would be a way of doing it.

Have it generate a 'cookiecode' everytime they log into the website after they have put their username/password in and have checked the 'remember' me option. *shrug*

Just a couple thoughts I guess
deadonarrival Member

deadonarrival

Posted
Posted
You don't necessarily need to store their password in the cookie, just store something that tells you they're logged in, and set your login page to skip the authentication straight to the first page they would see when logging in.

something along the lines of

if($_COOKIE['remember'] == "1")
{
header("Location:forumpage.php");
}

All you need to set is the one variable in the cookie, remember, and set it to 1.

[b]Edit[/b]: another thought which just occured to me... it would only work for people with a fixed IP so that might be a concern, but anyways:

in your mysql database you could store their username and any IP's they want to be remembered on. This can work in the same way as above, but the data is stored on your database. You could maybe store a list of all IP's they log in and use it to warn them if they appear to have a dynamic IP (i.e they log in from many IPs)

EG
Username IP Remember
User1 000.000.000.001 Yes
User2 000.000.000.005 No
User2 010.000.000.000 No
User1 555.555.555.555 No

So it only remembers they want to stay logged in on one IP, assumedly their home one

Sorry if it doesn't make sense, I'm not sure I explained that very well.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.