Jump to content

Archived

This topic is now archived and is closed to further replies.

Guest edwinsweep

Cookie Without Security Flaws

Recommended Posts

Guest edwinsweep
hi everybody.
im currently making a website where you can login.
just that when you close the window without loggin out, your session is lost.
you will have to do a new login.
as up to now the only way to fix this is a cookie right?
how can i do this.
storring somebody's loginname and password wouldnt be smart now would it?
even if you md5 encrypt it, this could be a security flaw. (i heard md5 could be decrypted it that treu?)
so how else would i do this.
just storring a random string in the cookie and also in the DB and comparing them wouldnt be the answer aswell.
cause if i could steal your cookie, i would be able to loggin.

Does anybody have any idea how this would be done.

a push in the right direction would be enough.
complete script even better.

Share this post


Link to post
Share on other sites
MD5 is a hash so it can't be decrypted. You can make a complex hash if your wanting a bit more security to it.

[code]
$salt ="SomeRandomPhraseThatCanBeUsed";

$mypass = md5(md5("mypassword").md5($salt));
[/code]

Think that is how I do mine anyway.

As for keeping someone 'logged in' I believe the best way is to do it by cookie. Keep the username, and somesorta randomly generated thing to have it check against the database I guess would be a way of doing it.

Have it generate a 'cookiecode' everytime they log into the website after they have put their username/password in and have checked the 'remember' me option. *shrug*

Just a couple thoughts I guess

Share this post


Link to post
Share on other sites
You don't necessarily need to store their password in the cookie, just store something that tells you they're logged in, and set your login page to skip the authentication straight to the first page they would see when logging in.

something along the lines of

if($_COOKIE['remember'] == "1")
{
header("Location:forumpage.php");
}

All you need to set is the one variable in the cookie, remember, and set it to 1.

[b]Edit[/b]: another thought which just occured to me... it would only work for people with a fixed IP so that might be a concern, but anyways:

in your mysql database you could store their username and any IP's they want to be remembered on. This can work in the same way as above, but the data is stored on your database. You could maybe store a list of all IP's they log in and use it to warn them if they appear to have a dynamic IP (i.e they log in from many IPs)

EG
Username IP Remember
User1 000.000.000.001 Yes
User2 000.000.000.005 No
User2 010.000.000.000 No
User1 555.555.555.555 No

So it only remembers they want to stay logged in on one IP, assumedly their home one

Sorry if it doesn't make sense, I'm not sure I explained that very well.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.