
Remember me (cookie)


jaymc


I want to put a cookie on a user's system so that the next time they go to the site it logs them straight on.

My site requires username and password to login...

Is this the best way to authenticate a user from a cookie? Put this in a cookie:

username:passwordmd5hash

Basically, when they access the site the cookie will be read, the username extracted, and then the password hash compared to that which is stored in the database.

If it's correct then we know it's valid?
https://forums.phpfreaks.com/topic/29466-remember-me-cookie/

Why people insist on storing sensitive data (encrypted or not) in a cookie is beyond me.

I generate a random string of, say, 15 characters which I store in a table against the user's unique id. Store that string in a cookie and just check it each time they arrive at the site.

Don't give people authorized by cookies access to the account profile or any other sensitive area - make them put their password in to get into these places. They should appreciate both the convenient sign-in AND the security on their sensitive info.

Have they decrypted MD5 yet?????

What if it's a shared computer - like on a university network or internet cafe? They don't need to steal it then - it's there for them to see - and use!

It doesn't matter what encryption you have; if the cookie is copied, then when the new PC the cookie has been copied to accesses the site, login will be successful. Which is why you should make sure they HAVE to enter login details to access sensitive areas. eBay uses exactly that system.
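The two replies above describe the same design: a random token stored against the user's id and checked on arrival, with cookie-only visitors kept out of sensitive pages until they re-enter their password. The following Python is an added example of that design and is not code from the thread or from any poster. The in-memory dicts stand in for the site's database, the user id 42, the password "correct horse" and the salt are constructed, and two details go beyond what the replies say and are the editor's additions: the table stores a SHA-256 of the token rather than the token itself, and a revoke function exists so that a copied cookie can be invalidated on logout or password change.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the site's database tables (assumptions, not the
# poster's schema). Passwords are stored as salted PBKDF2 hashes; the remember
# me table holds the user id and a SHA-256 of the random token, never the
# password or its hash.
_SALT = b"constructed-per-user-salt"
PASSWORDS = {42: hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
REMEMBER_TOKENS: dict = {}   # user_id -> sha256 hex of the token in the cookie


def _token_digest(token: str) -> str:
    # Storing a hash of the token (an addition to the reply's scheme) means a
    # dump of this table alone does not yield working cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_token(user_id: int) -> str:
    """Create a fresh random token for the user and return the cookie value."""
    token = secrets.token_urlsafe(24)          # random, unrelated to the password
    REMEMBER_TOKENS[user_id] = _token_digest(token)
    return f"{user_id}:{token}"                # this string goes into the cookie


def revoke_remember_token(user_id: int) -> None:
    """Logout or password change: a copied cookie stops working from here on."""
    REMEMBER_TOKENS.pop(user_id, None)


@dataclass(frozen=True)
class Session:
    user_id: int
    via_cookie: bool   # True when the only proof was the remember-me cookie


def login_from_cookie(cookie_value: Optional[str]) -> Optional[Session]:
    """Authenticate from the remember-me cookie, or return None."""
    if not cookie_value or ":" not in cookie_value:
        return None
    uid_str, token = cookie_value.split(":", 1)
    if not uid_str.isdigit():
        return None
    user_id = int(uid_str)
    stored = REMEMBER_TOKENS.get(user_id)
    if stored is None:
        return None
    # Constant-time compare so a forger cannot learn the token byte by byte.
    if not hmac.compare_digest(stored, _token_digest(token)):
        return None
    return Session(user_id=user_id, via_cookie=True)


def can_access(session: Optional[Session], sensitive: bool) -> bool:
    """Cookie-only sessions are kept out of profile and password pages."""
    if session is None:
        return False
    return not (sensitive and session.via_cookie)


def elevate(session: Session, password: str) -> Optional[Session]:
    """Re-enter the password to reach sensitive areas; returns a full session."""
    expected = PASSWORDS.get(session.user_id)
    if expected is None:
        return None
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(expected, got):
        return None
    return Session(user_id=session.user_id, via_cookie=False)


if __name__ == "__main__":
    cookie = issue_remember_token(42)
    s = login_from_cookie(cookie)
    print("cookie login:", s, "profile allowed:", can_access(s, sensitive=True))
    print("after password:", elevate(s, "correct horse"))
    revoke_remember_token(42)
    print("same cookie after revoke:", login_from_cookie(cookie))
```

The cookie carries only the user id and the random token, so a copy of it (or of the token table) reveals nothing about the password, and the token can be replaced or revoked without the user changing anything.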

[quote author=jaymc link=topic=117367.msg478857#msg478857 date=1165282255]
I have actually got it so when accessing profile info and change password they need to re-enter their password.

So basically, is it ok to use their md5 hash as a method of confirming the cookie hasn't been forged..
[/quote]

No, it is not! MD5 is a one-way hash which cannot be truly decrypted because there are only a finite number of hashes but you can encrypt an infinite number of values. However, there are lookup tables that contain the MD5 hashes of thousands, if not millions, of common words and phrases. If a user used a weak password, chances are someone could easily find their password using such a lookup table.

You should use a unique identifier that IS NOT the user's MD5 hashed password. Doing anything less is just being lazy and not fulfilling your obligation to the user of the protection that you implied by creating a passworded system.
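To make the objection in this reply concrete against the username:passwordmd5hash cookie from the opening post, here is an added Python example (editor's code, not from the thread or from any poster). It implements the opening post's check as described, then shows what a copied cookie gives an attacker: the server accepts it without a password, and the MD5 inside it is looked up in a precomputed table. The user table, the password "sunshine" and the eight-word list are constructed; a real lookup table holds millions of entries, which is what the reply refers to.

```python
import hashlib
from typing import Optional, Tuple

# Constructed user table for the scheme in the opening post: the server keeps
# md5(password) and the cookie carries "username:md5hash". The sample password
# is a deliberately weak dictionary word (an assumption for the demonstration).
USER_DB = {"jaymc": hashlib.md5(b"sunshine").hexdigest()}


def make_cookie(username: str, password: str) -> str:
    """Cookie value exactly as the opening post proposes: username:md5(password)."""
    return f"{username}:{hashlib.md5(password.encode()).hexdigest()}"


def server_accepts(cookie: str) -> bool:
    """The check the opening post describes: extract the username, compare hashes.
    Anyone holding a copy of the cookie passes; no password is ever typed."""
    username, _, md5hash = cookie.partition(":")
    return USER_DB.get(username) == md5hash.lower()


# A tiny constructed wordlist standing in for a multi-million-entry table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "sunshine", "football", "iloveyou", "monkey"]


def build_lookup_table(words) -> dict:
    """Precomputed md5 -> plaintext map: the 'lookup table' of the reply."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def recover_password(cookie: str, table: dict) -> Tuple[str, Optional[str]]:
    """What someone with a copied cookie learns: the username, and the
    password itself whenever its MD5 is in the table."""
    username, _, md5hash = cookie.partition(":")
    return username, table.get(md5hash.lower())


if __name__ == "__main__":
    cookie = make_cookie("jaymc", "sunshine")
    # A copied cookie is accepted on any machine; no password needed.
    print("copied cookie accepted:", server_accepts(cookie))
    # And the hash inside it gives up the password to a lookup table.
    print("recovered:", recover_password(cookie, build_lookup_table(COMMON_PASSWORDS)))
```

Note that the cookie is also a permanent credential under this scheme: it stays valid until the user changes their password, since there is nothing else the server could revoke. A random per-login token stored against the user id, as the earlier reply suggests, has neither problem.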
