  Quote
For a 'Remember Me' function for my website, would it be safe to store the username and sha1 encrypted password of a user in a cookie?
Not particularly, because if I can access that cookie, I can recreate it (sha1 encrypted password and all) on my own PC, which would give me access to that users account without ever needing to know their password.

 

Limit "remember me" to username, and still force them to re-enter their password.

And how would you access someone else's cookie?

 

And let's just say you can access their cookie, would it matter if the PW was stored or not since any Cookie check is what validates them regardless of if the PW is stored.

 

Making them re-enter their PW each time is going too far imo.  I don't know of any site that makes me re-enter my PW each time unless it's my Bank.

 

But on the other hand, why would you need to store the PW in the cookie?

  Quote

But on the other hand, why would you need to store the PW in the cookie?

 

I just figured this was the only way to log the user in automatically. If no password is stored, then wouldn't the user be required to enter the password again?

  Quote
And how would you access someone else's cookie?
Quite easily in the case of anybody in the office where I work, or the missus, where I have access to their physical PC.

 

Using a packet sniffer otherwise.

 

  Quote
And let's just say you can access their cookie, would it matter if the PW was stored or not since any Cookie check is what validates them regardless of if the PW is stored.

If the password is stored in the cookie, it automatically gets sent to the server with every request. If it's typed in by hand on the login screen, it's sent once in the POST request on login.

Odds of my packet sniffer getting a password hash on a login.... I need to do a lot of trawling through the sniffer logs. Odds of my getting it if it's sent via the cookie.... every time.

Cookies can be gotten easily if someone is using an unencrypted wireless network at home, work, fast food joints, camping grounds, motels, libraries or in the many other places they are offered.

 

The value in a cookie that is being used for authorization purposes should only identify the visitor, it should not contain any directly identifying information (even hashed versions of identifying information) and it should not be static. The best value to store in a cookie is a unique id that you then store in the user table for that user. You look up the unique id from the cookie in order to determine who the visitor is and you regenerate the unique id regularly (on every page visit) so that if someone does get that value, there is only a short period of time when they can use it to impersonate the real visitor. The logged in/logged out status should only be determined by a value stored on your server (in the user table) and not by the existence of a cookie or a value in a cookie, so that if someone logs out (or you log them out after a time of inactivity), the only way for them to become logged in is if they provide their username and password.
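
The two schemes discussed in this thread side by side, as an added example that is not code from any poster: the "username + sha1(password)" cookie from the question, which validates from any machine and can never be revoked, beside the opaque server-side token from the answer above, rotated on every request and tied to a server-side logged-in flag. An in-memory dict stands in for the user table; the user, password and clock values are constructed. Two details go beyond what the thread states and are my own choices: the token comes from a CSPRNG (`secrets.token_urlsafe`), and only a hash of it is kept in the table so that a read of the table does not hand out usable cookies.

```python
"""Remember-me cookies, two ways.

Added example, not code from the thread.  An in-memory dict stands in for
the user table; usernames, passwords and timestamps below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# ---- scheme from the question: "username:sha1(password)" in the cookie ----
# Constructed sample user table: username -> sha1 of the password.
USERS: Dict[str, str] = {"alice": hashlib.sha1(b"correct horse").hexdigest()}


def flawed_cookie_for(username: str, password: str) -> str:
    """Build the cookie the question proposes."""
    return f"{username}:{hashlib.sha1(password.encode()).hexdigest()}"


def flawed_check(cookie: str) -> Optional[str]:
    """Validate that cookie.  Anyone holding the value (sniffed, or copied
    from the browser) can replay it from any machine, forever: it is static,
    cannot be revoked, and carries the password hash on every request."""
    username, _, digest = cookie.partition(":")
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, digest):
        return username
    return None


# ---- scheme from the answer: opaque, rotating, server-side token ----
class RememberMeStore:
    """Server-side table of remember-me tokens plus a logged-in flag per user.

    Only a hash of the token is stored (my addition beyond the thread), so
    reading the table does not yield usable cookies.  Tokens come from a
    CSPRNG, which is what a 'unique id' should be here.
    """

    TTL = 30 * 24 * 3600  # seconds a token may live without use (assumed value)

    def __init__(self) -> None:
        self._by_hash: Dict[str, Tuple[str, int]] = {}  # sha256(token) -> (user, expiry)
        self.logged_in: Set[str] = set()                # the server-side login status

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: int) -> str:
        """Mint a fresh token; called after a password login and on each rotation."""
        token = secrets.token_urlsafe(32)
        self._by_hash[self._h(token)] = (username, now + self.TTL)
        self.logged_in.add(username)
        return token

    def authenticate(self, cookie: str, now: int) -> Optional[Tuple[str, str]]:
        """Resolve a cookie to a user and rotate it.  The presented token is
        consumed whether or not it is valid, so a sniffed copy only works
        until the real user's next request."""
        rec = self._by_hash.pop(self._h(cookie), None)
        if rec is None:
            return None
        username, expires = rec
        if now >= expires or username not in self.logged_in:
            return None
        return username, self.issue(username, now)

    def logout(self, username: str) -> None:
        """Flip the server-side flag and drop every token for the user."""
        self.logged_in.discard(username)
        self._by_hash = {h: v for h, v in self._by_hash.items() if v[0] != username}


def demo() -> Tuple[Optional[str], Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Walk through sniff/replay and logout against the token scheme."""
    store = RememberMeStore()
    t0 = 1_700_000_000                                  # constructed clock
    cookie = store.issue("alice", t0)                   # set after a password login
    first = store.authenticate(cookie, t0 + 10)         # real visit: accepted and rotated
    assert first is not None
    user, cookie2 = first
    replay = store.authenticate(cookie, t0 + 20)        # attacker replays the sniffed cookie
    store.logout("alice")
    after_logout = store.authenticate(cookie2, t0 + 30)  # even the live token is dead now
    return user, replay, after_logout


if __name__ == "__main__":
    print(flawed_check(flawed_cookie_for("alice", "correct horse")))  # alice, from any machine
    print(demo())                                                      # ('alice', None, None)
```

Rotating on every request means a legitimate browser that fires two requests in parallel can lose the race and get logged out; a real deployment usually keeps the previous token valid for a short grace period, or rotates per session rather than per request, and still sets the cookie with `Secure` and `HttpOnly` so it is not sent in the clear or readable from script.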

  Quote

The value in a cookie that is being used for authorization purposes should only identify the visitor, it should not contain any directly identifying information (even hashed versions of identifying information) and it should not be static. The best value to store in a cookie is a unique id that you then store in the user table for that user. You look up the unique id from the cookie in order to determine who the visitor is and you regenerate the unique id regularly (on every page visit) so that if someone does get that value, there is only a short period of time when they can use it to impersonate the real visitor. The logged in/logged out status should only be determined by a value stored on your server (in the user table) and not by the existence of a cookie or a value in a cookie, so that if someone logs out (or you log them out after a time of inactivity), the only way for them to become logged in is if they provide their username and password.

 

That makes sense, but what would be the best solution for a unique id?
