The Little Guy Posted February 24, 2009 Share Posted February 24, 2009 When creating a "Remember Me" checkbox, I read to save the username/password in a cookie with the user name and the md5 encrypted password. Is this safe? If not what would be a/the proper way to do this? Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/ Share on other sites More sharing options...
trq Posted February 24, 2009 Share Posted February 24, 2009 Why would you need the password stored within the cookie? My login systems usually use a unique identifier (md5'd) , username and password (md5'd). I store the uid in a remember me cookie but reset the uid upon each login. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-769862 Share on other sites More sharing options...
The Little Guy Posted February 24, 2009 Author Share Posted February 24, 2009 what If I create an authentication code when the user signs up, and md5 that along with the users id? for example: $md5 = md5(mysql_insert_id().$_POST['username'].$_POST['password'].rand(10,99).time()); // Users unique id Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-769873 Share on other sites More sharing options...
trq Posted February 24, 2009 Share Posted February 24, 2009 Yeah you could use something like that. I however recreate any id's and regenerate any remember me cookie upon each fresh login. This way the remember me cookie is only valid for 1 login. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-769874 Share on other sites More sharing options...
The Little Guy Posted February 24, 2009 Author Share Posted February 24, 2009 OK, I could do that, and just modify the time and rand number at the end. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-769875 Share on other sites More sharing options...
Q695 Posted February 24, 2009 Share Posted February 24, 2009 <input type="checkbox" value="1" name="remember"> Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-769891 Share on other sites More sharing options...
Q695 Posted February 24, 2009 Share Posted February 24, 2009 There is also a security flaw that has been hacked with hash variables, and MD5. passwords are automatically encrypted if you use the password type. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-769892 Share on other sites More sharing options...
trq Posted February 24, 2009 Share Posted February 24, 2009 There is also a security flaw that has been hacked with hash variables, and MD5. passwords are automatically encrypted if you use the password type. These two comments and your previous reply make no sense. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-769947 Share on other sites More sharing options...
Q695 Posted February 24, 2009 Share Posted February 24, 2009 Look at http://en.wikipedia.org/wiki/MD5 Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770300 Share on other sites More sharing options...
trq Posted February 24, 2009 Share Posted February 24, 2009 That means very little. Rainbow tables are near useless with a salt. What did you mean by this comment? passwords are automatically encrypted if you use the password type. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770476 Share on other sites More sharing options...
Q695 Posted February 24, 2009 Share Posted February 24, 2009 input type=password Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770541 Share on other sites More sharing options...
Maq Posted February 24, 2009 Share Posted February 24, 2009 passwords are automatically encrypted if you use the password type. Lol, No they're not... I hope this isn't how you set up any of your systems... The characters are replaced with dots when you type, but that's not considered encrypted... Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770548 Share on other sites More sharing options...
Q695 Posted February 25, 2009 Share Posted February 25, 2009 Why did a college professor lie to me about it then? Why wouldn't password automatically encrypt the data when sending it? Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770681 Share on other sites More sharing options...
trq Posted February 25, 2009 Share Posted February 25, 2009 Why did a college professor lie to me about it then? Probably wasn't a lie, he just didn't know what he was talking about. Why wouldn't password automatically encrypt the data when sending it? Because thats not what it does nor has it ever been its intended purpose. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770695 Share on other sites More sharing options...
Maq Posted February 25, 2009 Share Posted February 25, 2009 Why did a college professor lie to me about it then? Why wouldn't password automatically encrypt the data when sending it? Lol, I highly doubt the professor was lying to you... You probably weren't paying attention or didn't understand what the professor was talking about so you just made an assumption. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770973 Share on other sites More sharing options...
GingerRobot Posted February 25, 2009 Share Posted February 25, 2009 Meh, i could quite easily believe the teacher had no idea what they were talking about. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-770974 Share on other sites More sharing options...
premiso Posted February 25, 2009 Share Posted February 25, 2009 Agreed. This is not a lie, just he was just a substance of a bad book and never bothered to update himself on new security tactics. I used to do that too for my sites, now I know how sessions work and I store a hash for "loggedin" in a cookie if remember me is checked and this is stored in the DB for that user. If his time expired or that session was changed it is trashed. If he comes back on validly then I regenerate a new hash at that time and update the cookie. But as stated, he did not lie. He is just mis-informed. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771016 Share on other sites More sharing options...
The Little Guy Posted February 25, 2009 Author Share Posted February 25, 2009 passwords are automatically encrypted if you use the password type. I also agree with everyone that the password isn't auto encrypted for these reasons: A. The server wouldn't be able to decrypt it and read: if($_POST['pass'] == 'xxx') B. SSL would be useless. C. There wouldn't be password encryption tutorials on the internet. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771334 Share on other sites More sharing options...
Q695 Posted February 26, 2009 Share Posted February 26, 2009 So password doesn't operate on the SSL layer? Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771562 Share on other sites More sharing options...
trq Posted February 26, 2009 Share Posted February 26, 2009 So password doesn't operate on the SSL layer? It has nothing to do with ssl. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771564 Share on other sites More sharing options...
trq Posted February 26, 2009 Share Posted February 26, 2009 Try this for an example. <form method="post"> <input type="password" name="test"> <input type="submit"> </form> <?php echo isset($_POST['test']) ? $_POST['test'] : '' ?> Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771566 Share on other sites More sharing options...
corbin Posted February 26, 2009 Share Posted February 26, 2009 So password doesn't operate on the SSL layer? Errr the SSL layer is only there when it's accessed over HTTPS... Hence the S in HTTPS. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771585 Share on other sites More sharing options...
The Little Guy Posted February 26, 2009 Author Share Posted February 26, 2009 As I was implementing this, I ran across this problem... Since I am regenerating a new Cookie value every time auto login only works on one computer. So, lets say I tell the site to remember my login, it logs in every time fine. Now lets say I go to a new computer and I want that computer to also "Remember Me", now that computer will remember me, but the other one will not. Any suggestions for this problem? Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771655 Share on other sites More sharing options...
trq Posted February 26, 2009 Share Posted February 26, 2009 There is no soltuion to that problem. That type of remember me will only work from one pc at a time. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771664 Share on other sites More sharing options...
The Little Guy Posted February 26, 2009 Author Share Posted February 26, 2009 So... I guess I will have to make it so it doesn't change the Cookie every time. Quote Link to comment https://forums.phpfreaks.com/topic/146640-remember-me/#findComment-771669 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.