Stefany93 Posted November 25, 2012 (edited)

Hello, I am creating a forum and I have put a "Remember me" box next to the login form that basically remembers the user's password and username by writing them to cookies and giving them a 1 year expiration date. So far so good, but I read that it is dangerous to store the user's username and password in plain text in cookies, so I decided to encrypt them, and here is where the problems started. Here is the code I use for encrypting cookies:

```php
if(isset($_POST['remember']) and !empty($_POST['remember'])){
    $remember = $_POST['remember'];

    // encrypting the username
    $username_cookie = serialize($username);
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $key = 'key';
    $encrypted_username = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $username_cookie, MCRYPT_MODE_CBC, $iv);
    setcookie('username', $encrypted_username.':'.$iv, time() + 31536000);

    // encrypting the password
    $password_cookie = serialize($password);
    $iv_size_pass = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
    $iv_pass = mcrypt_create_iv($iv_size_pass, MCRYPT_RAND);
    $encrypted_password = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $password_cookie, MCRYPT_MODE_CBC, $iv_pass);
    setcookie('password', $encrypted_password.':'.$iv_pass, time() + 31536000);
}
```

So the code above encrypts the username and the password cookies. Later, when the user returns to the page, they have the username and the password populated in the login form automatically, so they can log in just by clicking the "Submit" button. Here is the code I use to decrypt the cookies.

I decrypt the username cookie on the login page; the password cookie I leave encrypted and decrypt it later, when the user clicks "Submit":

```php
// decrypting the username cookie
if(isset($_COOKIE['username'], $_COOKIE['password'])){
    list($encrypted_username, $iv) = explode(':', $_COOKIE['username']);
    $raw_cookie1 = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, 'key', $encrypted_username, MCRYPT_MODE_CBC, $iv);
    $cookie1 = unserialize($raw_cookie1);
}
```

And here I decrypt the password cookie on the login process page:

```php
list($encrypted_password, $iv_pass) = explode(':', $_COOKIE['password']);
$raw_cookie2 = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, 'key', $encrypted_password, MCRYPT_MODE_CBC, $iv_pass);
$password = unserialize($raw_cookie2);
$password = sha1($password);
```

So far so good, everything works normally, but sometimes, not every time, but sometimes when the user tries to log in using the cookies to automatically populate the login form, they get this error:

```
Warning: mcrypt_decrypt() [function.mcrypt-decrypt]: The IV parameter must be as long as the blocksize in C:\xampp\htdocs\forum\login.php on line 60
Notice: unserialize() [function.unserialize]: Error at offset 0 of 32 bytes in C:\xampp\htdocs\forum\login.php on line 61
```

And naturally, the user can't log in.

Sometimes they get no error while signing in, but when they do sign in, they get another error:

```
Warning: mcrypt_decrypt() [function.mcrypt-decrypt]: The IV parameter must be as long as the blocksize in C:\xampp\htdocs\forum\html\head.php on line 26
Notice: unserialize() [function.unserialize]: Unexpected end of serialized data in C:\xampp\htdocs\forum\html\head.php on line 27
Notice: unserialize() [function.unserialize]: Error at offset 0 of 32 bytes in C:\xampp\htdocs\forum\html\head.php on line 27
```

And after this error the cookies won't work the next time the user visits the website with "Remember me" clicked. So could you please give me some clue why sometimes it gives me this error and sometimes it works perfectly fine? I am really lost. If you need more code, please let me know and I will provide it. Thank you very much!

Best Regards,
Stefany

Edited November 25, 2012 by Stefany93
Link to comment: https://forums.phpfreaks.com/topic/271152-problem-with-encrypting-cookies/
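An added example, not code from the thread, that reproduces the likely cause of the intermittent "IV parameter must be as long as the blocksize" warning above: the cookie joins raw ciphertext and IV bytes with ':', and a random byte in either can itself be 0x3A (':'), so explode() cuts in the wrong place. It assumes random_bytes() as a stand-in for mcrypt_create_iv() and uses the 32-byte Rijndael-256 block size from the posted code; the base64 variant is the fix the thread converged on.

```php
<?php
// Added example (not from the thread). Splitting raw binary on ':' is unreliable because a
// ciphertext or IV byte can be ':' itself; base64 output never contains ':', so that split is exact.
// random_bytes() stands in for mcrypt_create_iv(); BLOCK_SIZE is the Rijndael-256 block size.

const BLOCK_SIZE = 32;

// Mirrors the original cookie: raw bytes joined with ':' and split back with explode()/list().
function splitRaw(string $ciphertext, string $iv): bool
{
    [$ct, $ivBack] = explode(':', $ciphertext . ':' . $iv); // the first ':' wins, wherever it sits
    return strlen($ivBack) === BLOCK_SIZE;                   // mcrypt_decrypt() needs exactly a block
}

// The fix: base64-encode both parts before joining, decode after splitting.
function splitBase64(string $ciphertext, string $iv): bool
{
    [$ct, $ivBack] = explode(':', base64_encode($ciphertext) . ':' . base64_encode($iv));
    return base64_decode($ivBack, true) === $iv;
}

// Constructed worst case: a ':' byte inside the IV, so the raw split truncates it.
$iv = str_repeat("\x00", 10) . ':' . str_repeat("\x00", 21);
$ct = random_bytes(BLOCK_SIZE);
echo 'raw split keeps IV intact: ',    splitRaw($ct, $iv)    ? "yes\n" : "no\n";
echo 'base64 split keeps IV intact: ', splitBase64($ct, $iv) ? "yes\n" : "no\n";

// How often random data triggers it: any of the 2*BLOCK_SIZE random bytes being ':' breaks the split.
$trials = 10000;
$fails  = 0;
for ($i = 0; $i < $trials; $i++) {
    if (!splitRaw(random_bytes(BLOCK_SIZE), random_bytes(BLOCK_SIZE))) {
        $fails++;
    }
}
printf("raw split failed in %.1f%% of trials\n", 100 * $fails / $trials);
printf("expected by 1 - (255/256)^%d: %.1f%%\n", 2 * BLOCK_SIZE, 100 * (1 - pow(255 / 256, 2 * BLOCK_SIZE)));
```

The failure rate is per cookie, and the username and password cookies each roll the dice separately, which matches the "sometimes one page, sometimes the other" pattern in the question.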
Stefany93 (Author) Posted November 25, 2012

Terribly sorry for posting in the wrong section. May the staff relocate the thread, please!
iarp Posted November 25, 2012

I can't help with the exact error you're getting, but this is what we use to store temporary data in cookies and such. It works, and we've never had errors from it thus far.

```php
function encrypt($string) {
    $key = 'my passphrase';
    // key and IV are both derived from the passphrase, so the IV is the same for every message;
    // base64 makes the binary output safe to put in a cookie
    $encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
    return $encrypted;
}

function decrypt($string) {
    $key = 'my passphrase';
    // rtrim strips the zero-byte padding mcrypt adds to fill the last block
    return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
}
```
Christian F. Posted November 26, 2012

You don't want to save the password in the cookies at all. Instead, generate a random token value from a sufficiently random source and with a proper length. mcrypt_create_iv() should work fine for this, as long as you remember to use base64_encode() on it.

I'd also recreate this key on each pageload, so that you can be relatively certain that it's protected against cookie sniffing. At the very least the system will notice that someone is trying to log in with an expired/non-existing token, if a legit user logs in after someone has successfully sniffed the cookie before the value changed.

On first pageload, if the user is not already logged in: check for the cookie, and if it's set, check its value against the value saved in the DB. Preferably save the user ID as well, hashed if you like, so that you have two pieces of data to accurately select the correct session with.
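The remember-me flow described in this answer, as an added example that is not part of the original post: a random token, base64-encoded for the cookie, looked up by user ID and checked against the database, and replaced on every successful use. It assumes PDO with an in-memory SQLite table named remember_tokens (a hypothetical schema), and uses random_bytes() in place of mcrypt_create_iv() as the random source; storing only a hash of the token in the database goes one step beyond the answer so a leaked table does not hand out live sessions.

```php
<?php
// Added example, not code from the thread: remember-me tokens as Christian F. describes them.
// Assumptions: PDO + SQLite (in-memory here), a hypothetical remember_tokens table,
// random_bytes() standing in for mcrypt_create_iv().

const TOKEN_TTL = 31536000; // one year, the same lifetime as the original cookie

// Creates a fresh token for $userId, stores only its hash, and returns the cookie value.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = random_bytes(32);
    $stmt = $db->prepare('INSERT OR REPLACE INTO remember_tokens (user_id, token_hash, expires_at)
                          VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), time() + TOKEN_TTL]);
    // user ID and base64 token are both cookie-safe, so splitting on ':' is reliable
    return $userId . ':' . base64_encode($token);
}

// Validates a cookie value; returns [user_id, replacement cookie] on success, null otherwise.
function redeemRememberToken(PDO $db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $token = base64_decode($parts[1], true);
    if ($token === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT token_hash, expires_at FROM remember_tokens WHERE user_id = ?');
    $stmt->execute([(int) $parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires_at'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null; // unknown user, expired, or wrong token: log it as a failed login attempt
    }
    $userId = (int) $parts[0];
    // Rotate on every use: the presented token is now dead, so a sniffed copy fails next time.
    return [$userId, issueRememberToken($db, $userId)];
}

// Demo with an in-memory database (a real page would setcookie() the returned value).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');
$cookie = issueRememberToken($db, 42);
[$userId, $newCookie] = redeemRememberToken($db, $cookie);
echo "logged in as user $userId\n";
echo 'old cookie still accepted: ', redeemRememberToken($db, $cookie) === null ? "no\n" : "yes\n";
echo 'rotated cookie accepted: ',   redeemRememberToken($db, $newCookie) !== null ? "yes\n" : "no\n";
```

In a real login page the returned cookie value goes to setcookie() with the HttpOnly and Secure flags, and the password never leaves the server.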
Stefany93 (Author) Posted November 29, 2012

Sorry for the late reply everyone, thank you very much for the help. I applied base64_encode and it worked great like you said! Christian, thank you very much for the great idea to automatically log in the user when cookies are detected.