Hall of Famer Posted August 27, 2011 Share Posted August 27, 2011 Well the script originally has these lines: $Month = 2592000 + time(); setcookie("auser",$username,$Month); setcookie("apass",$password,$Month); And someone pointed out it has security issues. Id like to ask why using "auser" and "apass" is insecure for PHP sites? What can I do to improve it? Link to comment https://forums.phpfreaks.com/topic/245843-cookies-and-security/ Share on other sites More sharing options...
Psycho Posted August 28, 2011 Share Posted August 28, 2011 You should not store the user's password in a cookie. Anyone with access to the user's computer could access the cookie and see the password. Use something else, such as a hash of the password. Granted, someone could copy the cookie to their PC and access the site as that user, but they would not have the user's password. Since so many people reuse passwords among different sites - exposing the password is much worse than someone getting access as that user to just one site. And, for that matter, I wouldn't store the username either. Just set a value for the user id or something that would have no meaning to someone who analyzes the cookie data. Link to comment https://forums.phpfreaks.com/topic/245843-cookies-and-security/#findComment-1262708 Share on other sites More sharing options...
Hall of Famer Posted August 28, 2011 Author Share Posted August 28, 2011 I see, so use user ID instead of username? And btw the $password is already encrypted with sha512, I did not quote the entire script, sorry. Link to comment https://forums.phpfreaks.com/topic/245843-cookies-and-security/#findComment-1262709 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.