Hall of Famer Posted August 27, 2011 Share Posted August 27, 2011 Well the script originally has these lines: $Month = 2592000 + time(); setcookie("auser",$username,$Month); setcookie("apass",$password,$Month); And someone pointed out it has security issues. Id like to ask why using "auser" and "apass" is insecure for PHP sites? What can I do to improve it? Quote Link to comment Share on other sites More sharing options...
Psycho Posted August 28, 2011 Share Posted August 28, 2011 You should not store the user's password in a cookie. Anyone with access to the user's computer could access the cookie and see the password. Use something else, such as a hash of the password. Granted, someone could copy the cookie to their PC and access the site as that user, but they would not have the user's password. Since so many people reuse passwords among different sites - exposing the password is much worse than someone getting access as that user to just one site. And, for that matter, I wouldn't store the username either. Just set a value for the user id or something that would have no meaning to someone who analyzes the cookie data. Quote Link to comment Share on other sites More sharing options...
Hall of Famer Posted August 28, 2011 Author Share Posted August 28, 2011 I see, so use user ID instead of username? And btw the $password is already encrypted with sha512, I did not quote the entire script, sorry. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.