Login system with cookies

[doddsey_65]

Since it appears my login system is broken i have been trying to fix it. The problem is that it isnt loggin people in. This is what im doing:

 

The user visits login.php

they enter their details and click login

the posted data gets sent to login_process.php via jQuery

login_process.php checks to see if the details are correct

if they are it sets a cookie called uid with their user id

if they clicked the remember me box then this cookie is set for a year

if not then it is set as a session cookie

login_process echos a success back to the jQuery in login.php

when jQuery gets this success status it redirects to login_success.php

the user should now be logged in.

to show a logged in user i echo their username by running a query on the cookie uid

 

but somewhere along the lines cookie uid isnt being set so the user is never logged in.

 

here is the code:(shortened)

 

$username = $_POST['user_name'];
    $password = asf_hash($_POST['password']);
    $remember_me = $_POST['remember_me'];
//check the values with a query then:

if($remember_me == 'yes' && !isset($_COOKIE['uid']))
                    {
                        setcookie('uid', $_SESSION['uid'], time()+(((60*60)*24)*365));
                    }
                    elseif($remember_me == 'no' && !isset($_COOKIE['uid']))
                    {
                        setcookie('uid', $_SESSION['uid'], 0);
                    }
                    else
                    {
                        setcookie('uid', '', time()-3600);
                    }

 

login_success just contains a like to go back to the page they were originally viewing.

 

and in my init script which is run when a page loads:

 

$user = new user;
$user->setup($_COOKIE['uid']); // this basically sets info like the username and such from a query run on the cookie.

 

so why isnt the cookie being set? any ideas? also any ideas on making this more secure if it isnt?

 

Thanks

[btherl]

You really should be using sessions.  The login method you are using allows your users to impersonate any other user just by changing the cookie value.

 

I'm also a bit stumped as to why you would be putting the user id from the session into a cookie - if it's already in the session, what benefit is there to putting in a cookie as well?

[nicholasolsen]

As mentioned, using cookies this way is a severe security risk for your registered users as whoever easily can change their userid.

 

 

Heres what I would do:

 

Put all critical informations in sessions. This would easily fix your login problem.

 

 

 

Some other information you might want to take into consideration:

 

When logging in, create a cookie with a timestamp and a hashed userid (md5 is prefered).

For this to be secure be sure to use randomized userids from 10000 to 9999999999.

Explanation follows:

 

When registering users, use:

$signUp_userid= rand(10000,9999999999);

Make sure you add some lines of code to avoid, the nearly impossible, two equal userids being generated (The propability of this happening is 1:3 486 784 401).

By using this way of generating userids its not possible for any hacker to guess the userids. In most other registration systems i have come across the userids are generated from 1 and upwards.

 

When the user is logging in, set a cookie that contains a timestamp (for how long they want to be remembered), and a hashed userid.

 

$timestamp = how_long_they_want_to_be_logged_in;
$md5_userid= md5($signUp_userid);

 

By setting a cookie this way it is impossible for a hacker to crack the userid he want (unless he spends some odd years encrypting the 3 billion possibilities mentioned earlier).

The cookie can easily be connected to the user by crossreferencing the md5-hash in the cookie with the original userid.

[btherl]

The probability of any two user ids matching would be 1 in 9,999,989,999 using that code, around 32 bits.  But because of the birthday paradox, you would have a 50% chance of a collision after around 77,000 users have registered. ( http://en.wikipedia.org/wiki/Birthday_problem#Probability_table ).  So the check for generating an already existing user id is important.

 

For this to be effective, you'll have to make sure the real user id is well hidden, and doesn't appear in links on the site, even in the HTML source.