ram4nd Posted October 17, 2009 Share Posted October 17, 2009 I want to build secure login with cookies. I just want your ideas about this, your suggestions. What fields should go to sql table, after username and password? How to keep data in cookies safely? And so on... Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/ Share on other sites More sharing options...
Dorky Posted October 17, 2009 Share Posted October 17, 2009 ctype_alnum as well as min and max char requirements. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938661 Share on other sites More sharing options...
ram4nd Posted October 17, 2009 Author Share Posted October 17, 2009 ctype_alnum is about registering. But min and max are a start. 1) Username min 3 char, max 12 2) Password min 6, max 15 I have to make a hash from that password, what is the most secure hash? What kind of a data should I keep in cookie, cause it's on client side. Should I save ip on every login. Like if user types 5 times password wrong, then do something. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938688 Share on other sites More sharing options...
Dorky Posted October 17, 2009 Share Posted October 17, 2009 no sir you need to check char type on all forms where applicable to keep the form from being a point of attack not just at one point. ctype_alnum is about registering. But min and max are a start. 1) Username min 3 char, max 12 2) Password min 6, max 15 I have to make a hash from that password, what is the most secure hash? What kind of a data should I keep in cookie, cause it's on client side. Should I save ip on every login. Like if user types 5 times password wrong, then do something. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938694 Share on other sites More sharing options...
ram4nd Posted October 17, 2009 Author Share Posted October 17, 2009 ou yes, i have a function for that, but i guess this is even faster cause no request to sql will be made. Thank you. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938709 Share on other sites More sharing options...
waynew Posted October 17, 2009 Share Posted October 17, 2009 Can you not use session variables instead? They're on the server's side, so they are far more secure. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938717 Share on other sites More sharing options...
ram4nd Posted October 17, 2009 Author Share Posted October 17, 2009 I want to use both, session and cookie, so that people who want can stay in longer, and who doesn't or who has turned cookies of can still sign in. Or in that case i could just use cookies? Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938724 Share on other sites More sharing options...
waynew Posted October 17, 2009 Share Posted October 17, 2009 Cookies are not as secure as sessions. Cookies should really only be used in correlation with session variables. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938725 Share on other sites More sharing options...
ram4nd Posted October 17, 2009 Author Share Posted October 17, 2009 so the question is that how to use a cookie safely. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938729 Share on other sites More sharing options...
waynew Posted October 17, 2009 Share Posted October 17, 2009 By not storing anything important in it. Or at the very least have a script on your server that makes sure cookie values are legit and that they're correct. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938730 Share on other sites More sharing options...
ram4nd Posted October 17, 2009 Author Share Posted October 17, 2009 I will make remember me checkbox, default is not selected and in () ill write that this is unsecure don't use in public computers, bla bla bla Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938736 Share on other sites More sharing options...
Dorky Posted October 17, 2009 Share Posted October 17, 2009 Cookies are not as secure as sessions. Cookies should really only be used in correlation with session variables. i found out the hard way sessions still require a cookie. so a session based sign in will not work with cookies turned off. the idea they are fully server side is a misconception and using $_GET or $_POST to pass the variable is not secure and an invite for hacks. i use sessions in all my sign ins without setting extra cookies, only the one set by session. i use char limits and requirements and life is good. a chat site i regular got hacked the other day and threats were made against my chatroom but im still up and running even after my logs showed an attempt to run a script on my site. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938739 Share on other sites More sharing options...
ram4nd Posted October 17, 2009 Author Share Posted October 17, 2009 Good to know that session requires a cookie. Link to comment https://forums.phpfreaks.com/topic/178027-sequre-login-with-cookies/#findComment-938754 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.