Cookie Without Security Flaws
Posted 29 June 2006 - 11:08 AM
I'm currently making a website where you can log in.
Just that when you close the window without logging out, your session is lost.
You will have to do a new login.
Up to now the only way to fix this is a cookie, right?
How can I do this?
Storing somebody's login name and password wouldn't be smart now, would it?
Even if you MD5 encrypt it, this could be a security flaw. (I heard MD5 could be decrypted; is that true?)
So how else would I do this?
Just storing a random string in the cookie and also in the DB and comparing them wouldn't be the answer as well.
Because if I could steal your cookie, I would be able to log in.
Does anybody have any idea how this would be done?
A push in the right direction would be enough.
Complete script even better.
Posted 29 June 2006 - 01:32 PM
$salt = "SomeRandomPhraseThatCanBeUsed";          // site-wide secret phrase mixed into every hash
$mypass = md5(md5("mypassword") . md5($salt));   // value stored in the DB for this user's password
Think that is how I do mine anyway.
As for keeping someone 'logged in', I believe the best way is to do it by cookie. Keep the username, and some sort of randomly generated thing to have it check against the database, I guess would be a way of doing it.
Have it generate a 'cookiecode' every time they log into the website after they have put their username/password in and have checked the 'remember me' option. *shrug*
Just a couple of thoughts, I guess.
This post was brought to you by DynamicShark Media
[For Hire] - Small PHP Projects - Script Fixing, Development, WordPress
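The random-string-plus-database approach suggested in the post above, worked through as an added example (editor's code, not from any poster in this thread). It assumes PHP 7.3 or later for the setcookie() options array and a PDO connection $db with a table remember_tokens(selector, token_hash, user_id, expires); the database keeps only a hash of the secret half of the token, so a copied database does not yield usable cookies, and a token is deleted and reissued each time it is redeemed, which limits what a stolen cookie is worth.

```php
<?php
// Added example, not from the thread. "Remember me" token scheme: the cookie
// carries selector:validator, the DB stores only sha256(validator), and every
// successful redemption rotates the token. Assumed schema:
//   remember_tokens(selector CHAR(24), token_hash CHAR(64), user_id INT, expires INT)

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

function issueRememberToken(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(12));   // public lookup key, 24 hex chars
    $validator = bin2hex(random_bytes(32));   // secret half, 64 hex chars, never stored in clear
    $expires   = time() + REMEMBER_DAYS * 86400;
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Returns the user id when the cookie is valid, null otherwise. A valid token
// is consumed and replaced, so each one can be redeemed only once.
function redeemRememberToken(PDO $db): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT token_hash, user_id FROM remember_tokens WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // constant-time compare so the lookup does not leak how many bytes matched
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issueRememberToken($db, (int) $row['user_id']);   // rotate on every use
    return (int) $row['user_id'];
}
```

Password storage is a separate concern from the remember-me token; current PHP provides password_hash() and password_verify() for that.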
Posted 29 June 2006 - 02:05 PM
Something along the lines of:
if (isset($_COOKIE['remember']) && $_COOKIE['remember'] == "1") {
    // the visitor asked to be remembered; restore their login here
}
All you need to set is the one variable in the cookie, remember, and set it to 1.
Edit: another thought which just occurred to me... it would only work for people with a fixed IP, so that might be a concern, but anyway:
In your MySQL database you could store their username and any IPs they want to be remembered on. This can work in the same way as above, but the data is stored on your database. You could maybe store a list of all IPs they log in from and use it to warn them if they appear to have a dynamic IP (i.e. they log in from many IPs).
Username  IP               Remember
User1     000.000.000.001  Yes
User2     000.000.000.005  No
User2     010.000.000.000  No
User1     555.555.555.555  No
So it only remembers they want to stay logged in on one IP, assumedly their home one.
Sorry if it doesn't make sense; I'm not sure I explained that very well.
$this->time_warp("Jump to the left","Step to the right","Bend knees in time");
} WHILE (2>1)
Warning: The above post may not make a lot of sense, and the sentence structure will suck. I tend to ramble a lot. Sorry ;-)