Sequre login with cookies.

[ram4nd]

I want to build secure login with cookies. I just want your ideas about this, your suggestions. What fields should go to sql table, after username and password? How to keep data in cookies safely? And so on...

[Dorky]

ctype_alnum  as well as min and max char requirements.

[ram4nd]

ctype_alnum is about registering. But min and max are a start.

 

1) Username min 3 char, max 12

2) Password min 6, max 15

 

I have to make a hash from that password, what is the most secure hash? What kind of a data should I keep in cookie, cause it's on client side. Should I save ip on every login. Like if user types 5 times password wrong, then do something.

[Dorky]

no sir you need to check char type on all forms where applicable to keep the form from being a point of attack not just at one point. 

ctype_alnum is about registering. But min and max are a start.

 

1) Username min 3 char, max 12

2) Password min 6, max 15

 

I have to make a hash from that password, what is the most secure hash? What kind of a data should I keep in cookie, cause it's on client side. Should I save ip on every login. Like if user types 5 times password wrong, then do something.

[ram4nd]

ou yes, i have a function for that, but i guess this is even faster cause no request to sql will be made. Thank you.

[waynewex]

Can you not use session variables instead? They're on the server's side, so they are far more secure.

[ram4nd]

I want to use both, session and cookie, so that people who want can stay in longer, and who doesn't or who has turned cookies of can still sign in. Or in that case i could just use cookies?

[waynewex]

Cookies are not as secure as sessions. Cookies should really only be used in correlation with session variables.

[ram4nd]

so the question is that how to use a cookie safely.

[waynewex]

By not storing anything important in it. Or at the very least have a script on your server that makes sure cookie values are legit and that they're correct.

[ram4nd]

I will make remember me checkbox, default is not selected and in () ill write that this is unsecure don't use in public computers, bla bla bla

[Dorky]

Cookies are not as secure as sessions. Cookies should really only be used in correlation with session variables.

i found out the hard way sessions still require a cookie. so a session based sign in will not work with cookies turned off. the idea they are fully server side is a misconception and using $_GET or $_POST to pass the variable is not secure and an invite for hacks. i use sessions in all my sign ins without setting extra cookies, only the one set by session. i use char limits and requirements and life is good. a chat site i regular got hacked the other day and threats were made against my chatroom but im still up and running even after my logs showed an attempt to run a script on my site.

[ram4nd]

Good to know that session requires a cookie.