Jump to content

Recommended Posts

I want to put a cookie on a users system so that the next time they go to the site it logs them straight on

My site requires username and password to login...

Is this the best way to authenticate a user from a cookie, put this in a cookie

username:passwordmd5hash

Basically when they access the site the cookie will be read, username extracted and then the passwordhash compared to that which is stored in the database

If its correct then we know its valid?
Link to comment
https://forums.phpfreaks.com/topic/29466-remember-me-cookie/
Share on other sites

why people insist in storing sensitive data (encrypted or not) in a cookie is beyond me.

I generate a random string of say 15 characters which I store in a table against the users unique id.  store that string in a cookie and just check it each time they arrive at the site.

Don't give people authporized by cookies access to the account profile or anyother sensitve area - make them put their password in to get into these places. They should appreciate both the convient sigin AND the security on their sensitive info.
Link to comment
https://forums.phpfreaks.com/topic/29466-remember-me-cookie/#findComment-135244
Share on other sites

have they decrypted md5 yet?????

What if its a shared computer - like on a university network or internet cafe? they don't need to steal it then - its there for them to see - and use!

It doesn't matter what encryption you have if the cookie is copied then when the new pc the cookie has been copied to accesses the site login will be successful.  Which is why you should make sure they HAVE to enter login details to access sensitive areas. ebay use exactly that system.
Link to comment
https://forums.phpfreaks.com/topic/29466-remember-me-cookie/#findComment-135254
Share on other sites

[quote author=jaymc link=topic=117367.msg478857#msg478857 date=1165282255]
I have actually got it so when accessing profile info and change password they need to re enter their password

So basically, is it ok to use their md5 hash as a method of confirming the cookie hasnt been forged..
[/quote]

No, it is not! MD5 is a one-way hash which cannot be truely decrypted because there are only a finite number of hashes but you can encrypt an infinite number of values. However, there are lookup tables that contain the MD5 hash of thousands, if not millions, of hashes for common words and phrases. If a user used a weak password, chances are someone could easily find their password using such a lookup table.

Youu should use a uniqu identifier that IS NOT the users MD5 hashed password. Doing anything less is just being lazy and not fulfilling your obligation to the user of the protection that you implied by creating a passworded system.
Link to comment
https://forums.phpfreaks.com/topic/29466-remember-me-cookie/#findComment-135327
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.