The Little Guy (Author) Posted February 24, 2009
When creating a "Remember Me" checkbox, I read to save the username/password in a cookie with the user name and the md5 encrypted password. Is this safe? If not, what would be a/the proper way to do this?
trq Posted February 24, 2009
Why would you need the password stored within the cookie? My login systems usually use a unique identifier (md5'd), username and password (md5'd). I store the uid in a remember me cookie but reset the uid upon each login.
The Little Guy (Author) Posted February 24, 2009
What if I create an authentication code when the user signs up, and md5 that along with the user's id? For example:
$md5 = md5(mysql_insert_id().$_POST['username'].$_POST['password'].rand(10,99).time()); // User's unique id
trq Posted February 24, 2009
Yeah, you could use something like that. I, however, recreate any ids and regenerate any remember me cookie upon each fresh login. This way the remember me cookie is only valid for 1 login.
The Little Guy (Author) Posted February 24, 2009
OK, I could do that, and just modify the time and rand number at the end.
Q695 Posted February 24, 2009
<input type="checkbox" value="1" name="remember">
Q695 Posted February 24, 2009
There is also a security flaw that has been hacked with hash variables, and MD5. Passwords are automatically encrypted if you use the password type.
trq Posted February 24, 2009
"There is also a security flaw that has been hacked with hash variables, and MD5. Passwords are automatically encrypted if you use the password type."
These two comments and your previous reply make no sense.
Q695 Posted February 24, 2009
Look at http://en.wikipedia.org/wiki/MD5
trq Posted February 24, 2009
That means very little. Rainbow tables are near useless with a salt. What did you mean by this comment?
"Passwords are automatically encrypted if you use the password type."
Q695 Posted February 24, 2009
input type=password
Maq Posted February 24, 2009
"Passwords are automatically encrypted if you use the password type."
Lol, no they're not... I hope this isn't how you set up any of your systems... The characters are replaced with dots when you type, but that's not considered encrypted...
Q695 Posted February 25, 2009
Why did a college professor lie to me about it then? Why wouldn't password automatically encrypt the data when sending it?
trq Posted February 25, 2009
"Why did a college professor lie to me about it then?"
Probably wasn't a lie, he just didn't know what he was talking about.
"Why wouldn't password automatically encrypt the data when sending it?"
Because that's not what it does, nor has it ever been its intended purpose.
Maq Posted February 25, 2009
"Why did a college professor lie to me about it then? Why wouldn't password automatically encrypt the data when sending it?"
Lol, I highly doubt the professor was lying to you... You probably weren't paying attention or didn't understand what the professor was talking about, so you just made an assumption.
GingerRobot Posted February 25, 2009
Meh, I could quite easily believe the teacher had no idea what they were talking about.
premiso Posted February 25, 2009
Agreed. This is not a lie; he was just the product of a bad book and never bothered to update himself on new security tactics. I used to do that too for my sites; now I know how sessions work and I store a hash for "loggedin" in a cookie if remember me is checked, and this is stored in the DB for that user. If his time expired or that session was changed it is trashed. If he comes back on validly then I regenerate a new hash at that time and update the cookie. But as stated, he did not lie. He is just misinformed.
The Little Guy (Author) Posted February 25, 2009
"Passwords are automatically encrypted if you use the password type."
I also agree with everyone that the password isn't auto encrypted, for these reasons:
A. The server wouldn't be able to decrypt it and read: if($_POST['pass'] == 'xxx')
B. SSL would be useless.
C. There wouldn't be password encryption tutorials on the internet.
Q695 Posted February 26, 2009
So password doesn't operate on the SSL layer?
trq Posted February 26, 2009
"So password doesn't operate on the SSL layer?"
It has nothing to do with SSL.
trq Posted February 26, 2009
Try this for an example.
<form method="post">
<input type="password" name="test">
<input type="submit">
</form>
<?php echo isset($_POST['test']) ? $_POST['test'] : '' ?>
corbin Posted February 26, 2009
"So password doesn't operate on the SSL layer?"
Errr, the SSL layer is only there when it's accessed over HTTPS... Hence the S in HTTPS.
The Little Guy (Author) Posted February 26, 2009
As I was implementing this, I ran across this problem... Since I am regenerating a new cookie value every time, auto login only works on one computer. So, let's say I tell the site to remember my login; it logs in every time fine. Now let's say I go to a new computer and I want that computer to also "Remember Me". Now that computer will remember me, but the other one will not. Any suggestions for this problem?
trq Posted February 26, 2009
There is no solution to that problem. That type of remember me will only work from one PC at a time.
The Little Guy (Author) Posted February 26, 2009
So... I guess I will have to make it so it doesn't change the cookie every time.
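The scheme premiso describes (a random "logged in" hash in the cookie, a copy in the DB, expiry, regeneration on each use) and the one-computer-at-a-time problem raised at the end of the thread are both covered by the following added example. It is not code from this thread or from any of its posters. It assumes PHP 7.3 or later, an open PDO connection, and a table named remember_tokens whose schema is constructed in the comments. It goes beyond the thread in one respect: instead of one token per user it keeps one token series per browser, so rotating the token on computer A leaves computer B's row untouched, and it stores only a SHA-256 of the random secret so a dump of the table cannot be replayed as a cookie.

```php
<?php
// Added example, not code from the thread above. Assumed (constructed) schema:
//
//   CREATE TABLE remember_tokens (
//       series     CHAR(24)  NOT NULL PRIMARY KEY, -- stable per browser
//       token_hash CHAR(64)  NOT NULL,             -- sha256 of the rotating secret
//       user_id    INT       NOT NULL,
//       expires_at DATETIME  NOT NULL
//   );
//
// The cookie carries "series:token". Neither the password nor its hash is
// ever placed in the cookie; the DB holds only sha256(token).

const REMEMBER_COOKIE  = 'remember';
const REMEMBER_TTL_SEC = 30 * 24 * 60 * 60; // 30 days

function set_remember_cookie(string $series, string $token, int $expires): void
{
    setcookie(REMEMBER_COOKIE, $series . ':' . $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,  // only sent over HTTPS
        'httponly' => true,  // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Called after a successful password login when the "remember" box was ticked.
// Every browser that ticks the box gets its own series row.
function issue_remember_token(PDO $db, int $userId): void
{
    $series  = bin2hex(random_bytes(12)); // 24 hex chars, lookup key only
    $token   = bin2hex(random_bytes(32)); // 64 hex chars, the real secret
    $expires = time() + REMEMBER_TTL_SEC;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (series, token_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$series, hash('sha256', $token), $userId,
                    date('Y-m-d H:i:s', $expires)]);
    set_remember_cookie($series, $token, $expires);
}

// Called on requests that have no live session. Returns the user id on
// success, null otherwise. On success the token (not the series) is rotated,
// so the cookie a browser presents is valid for exactly one use.
function check_remember_token(PDO $db): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$series, $token] = $parts;

    $stmt = $db->prepare(
        'SELECT user_id, token_hash, expires_at FROM remember_tokens WHERE series = ?'
    );
    $stmt->execute([$series]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown series: plain failure, nothing to learn from it
    }
    if (strtotime($row['expires_at']) < time()) {
        $db->prepare('DELETE FROM remember_tokens WHERE series = ?')->execute([$series]);
        return null;
    }

    // Constant-time comparison of the stored digest against sha256(presented token).
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // A live series presented with a stale or wrong secret means an old copy
        // of this cookie is in use somewhere else. Treat it as theft: drop every
        // remembered browser for this user and require a password login.
        $db->prepare('DELETE FROM remember_tokens WHERE user_id = ?')
           ->execute([$row['user_id']]);
        return null;
    }

    // Rotate the secret for this series only; other browsers keep their rows.
    $newToken = bin2hex(random_bytes(32));
    $expires  = time() + REMEMBER_TTL_SEC;
    $db->prepare('UPDATE remember_tokens SET token_hash = ?, expires_at = ? WHERE series = ?')
       ->execute([hash('sha256', $newToken), date('Y-m-d H:i:s', $expires), $series]);
    set_remember_cookie($series, $newToken, $expires);

    return (int) $row['user_id'];
}

// Logout for this browser only: remove its series and clear the cookie.
function forget_this_browser(PDO $db): void
{
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        $series = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        $db->prepare('DELETE FROM remember_tokens WHERE series = ?')->execute([$series]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

The split into a series and a token is what makes the mismatch branch meaningful: a series that exists but arrives with the wrong secret can only come from a cookie that was copied before the legitimate browser rotated it, which is the signal to revoke that user's remembered logins rather than silently fail. A "log out everywhere" button is the same DELETE by user_id.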