WHy would you store a pasword in a cookie?

rv20 · May 28, 2009

I jus noticed that a site a go to store their users username and encrypted(password) in the cookie. I don'tsee the point, surely the username and password(again it's encrypted) will still have to be stored in a db so that you can write it to the cookie, why would they do this?

MadTechie · May 28, 2009

Its either for a "remember me" or theirs dumbs a@@@@'s IMHO, i would never put a password in a cookie, encrypted or otherwise, they may just know what sessions are!

Daniel0 · May 28, 2009

why would they do this?

Because they're amateurs.

BK87 · May 28, 2009

perhaps for auto login purposes?

MadTechie · May 28, 2009

perhaps for auto login purposes?

yeah a amateur auto login purposes

BK87 · May 28, 2009

I never said it was right to do, just assuming why it would be there

Zane · May 28, 2009

because it's just easy...that's why

rohithreddyk · May 28, 2009

if not cookies then what do you suggest the best way to implement "remember me" feature?

Daniel0 · May 28, 2009

Well, if we turn the question around, how would you do it and what would you need the password for? Answering that question would probably help you along the way.

KevinM1 · May 28, 2009

if not cookies then what do you suggest the best way to implement "remember me" feature?

You're looking at it the wrong way. It's not that cookies shouldn't be used in a 'remember me' system, it's that a user's password shouldn't be stored in the cookie.

rohithreddyk · May 28, 2009

Ok.. I guess I asked it wrong way..I wanted to ask how to implement a feature where once users logs in and then closes the browser..Once he opens the browser again and teh website, "I want the user to be still logged in"... so its like till the user clicks logout button, user should be logged in...

I want this because for the website I am building, there will be only one user(my manager0.. and he doesnt want to login again n again...

MadTechie · May 28, 2009

You could have a cookie with a hash thats generated via a random number and another cookie with the username, (added during login with 'remember me' ticked) at the same time insert these values into a sql table along with user ID, when the user comes back you check to see if those cookies exists then get the userID from the database (VIA the random hash and username table) and assign the the sessions as you would during the login process,

the best the user can do is change his username or the random hash in the cookies but then the UserID won't be found in the sql table thus no login!

Thats a basic idea.. you could add other checks like browser etc but thats the basic idea

EDIT: added a little in red!

rohithreddyk · May 28, 2009

thanks..that helps

Daniel0 · May 28, 2009

Or you could like use the built-in session functionality that takes care of doing things like generating a high entropy ID, storing all the info for you, etc. All you have to do is alter the cookie persistence using session_set_cookie_params.

Also see: http://www.phpfreaks.com/tutorial/sessions-and-cookies-adding-state-to-a-stateless-protocol

rv20 · May 28, 2009

For an auto login if i was using cookies i would just store yes or no in the cookie, the at the top of each *.php page i would have,

<?php

if($_cookie['login'] == "no"){

header("location home.php");
}

But you would really use sessions for this, which are just virtual cookies so to speak.

and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

Typos in my first post as well.

Philip · May 28, 2009

For an auto login i would just store yes or no in the cookie, the at the top of each *.php page i would have,
<?php

if($_cookie['login'] == "no"){

header("location home.php");
}
and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

But then how do you know who the user is? Even so if you had the username I could edit my cookies to have your username and "yes"

rv20 · May 28, 2009

For an auto login i would just store yes or no in the cookie, the at the top of each *.php page i would have,
<?php

if($_cookie['login'] == "no"){

header("location home.php");
}
and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.
But then how do you know who the user is? Even so if you had the username I could edit my cookies to have your username and "yes"

Well they login so you check their username in the db and if they check remember me then,

if($_POST['ischecked'] === true){

setcookie("login","yes");

}

or roughly that. Yes i know you an edit the cookie,

javascript:document.cookie='login=yes';

but it's better than actually putting the password in the cookie.

corbin · May 28, 2009

No it's not!

What's to keep me from setting the login flag on my cookie to yes and changing my username to something else?

Nothing.

rv20 · May 28, 2009

No it's not!

What's to keep me from setting the login flag on my cookie to yes and changing my username to something else?

Nothing.

Good point. Well i wouldn't use a cookie anyway, sessions, but you are right of course.

KevinM1 · May 28, 2009

No it's not!

What's to keep me from setting the login flag on my cookie to yes and changing my username to something else?

Nothing.

Good point. Well i wouldn't use a cookie anyway, sessions, but you are right of course.

Sessions still use cookies....

corbin · May 28, 2009

Cookies aren't always unsafe. Blindly trusting cookies, however, is extremely dangerous.

roopurt18 · May 28, 2009

It's not a huge concern that sessions use cookies. It's much harder to hijack a session than it is to exploit a poorly designed 'Remember Me' feature. In any case, the only ways I know of to hijack a session are:

1) Compromise the server's security

2) Listen to communication between client and server

3) Have a trojan or spyware installed on the client

#1 should be nigh impossible.

#2 can be avoided using SSL.

#3 should only compromise any users who happen to use that machine, and there's not much you can do about it as the owner of a web site.

corbin · May 28, 2009

"#2 can be avoided using SSL."

Even with SSL a man in the middle attack could be done. That's not very common though.

KevinM1 · May 28, 2009

I still wouldn't attempt to store a password in a session. Other 'remember me' info? Sure. But I'm pretty anal retentive about keeping user passwords safe.

Daniel0 · May 28, 2009

You needn't store anything other than the user ID (or username if you prefer that). As for "remember me", you can, as previously mentioned, just set an expiration date on the session cookie. When someone requests a page with a valid session active you just get the user info based on the ID/username.

Sign In

WHy would you store a pasword in a cookie?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information