
Warning: hex2bin(): Input string must be hexadecimal string in


Solved by requinix

I am using the code below to encrypt a cookie, but hex2bin is generating the following error:

Warning: hex2bin(): Input string must be hexadecimal string in

    $key = hex2bin(openssl_random_pseudo_bytes(4));
    $cipher = "aes-256-cbc";
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);

    $ciphertext = openssl_encrypt($value, $cipher, $key, 0, $iv);

    return( base64_encode($ciphertext . '::' . $iv . '::' . $key) );

Can anyone point me in the right direction to correct this?

  • Solution

You should find another tutorial: the code they've convinced you to use is... well, it's silly. It pointlessly uses encryption for something that doesn't need to use encryption.

If you want a remember me cookie then all you need is to store a long random token in your database and associate it with the user - preferably in one-to-many form so the user can have multiple tokens for multiple devices. Store it in the browser with the Secure and HttpOnly flags. Then, every time the token is used to log someone in, you generate a new token and replace the old one.


Just a bit of advice. A remember me cookie is one of the most dangerous features you can have in your site.

While the code you started with made no sense, and Requinix's suggestion is an improvement, here are a couple of practical warnings for you.

You also want to make sure that you are setting the remember me cookie so that it implements:

  • the secure flag
    • Can only be sent over an https connection
  • the http only flag
    • Prevents it from being read by javascript

In conclusion, don't underestimate the security dangers of implementing remember me cookies.  You should maintain in your system some sort of session variable status that designates whether a user was authenticated by the remember me system, or whether the user was authenticated with username/password.

The reason to do this, is that you can code around privilege escalation better.  Things you might want to protect against:

  • An admin equivalent user using any administrative function
    • Make them supply the account password.
    • Regenerate session
    • Regenerate remember me
  • Any change to the user profile
    • Contact, email, password, 2 factor auth, phone #'s etc
      • Same as above, password re-auth, regen session, revalidate

Anytime a user authenticates with their password, you should clear the existing remember me value and, if appropriate, re-compute a new one and set it as a new cookie. You don't ever want a user to be able to log in with a remember me cookie if the same user has logged in with a password. At that point, the stored remember me value should either be cleared or set to some new value. You also want to make sure that a user can never log in with a null/empty remember me cookie value.

Using some of these ideas along with JWT token creation/signing is a more sophisticated approach; there are a number of details involved that I don't plan to get into, but they increase the safety of the remember me token, so you might want to do some research into JWTs as well. Do any of this wrong/ineptly and you can easily introduce a major security problem for your system.
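To make the two answers above concrete, here is an added PHP example (not code from either poster or from any tutorial) that implements requinix's outline of a database-backed, one-to-many, rotate-on-use remember me token, together with the follow-up post's advice: track in the session whether the user arrived via password or via remember me, require a recent password login for sensitive actions, clear the token on password login, and never accept an empty cookie value. The table and column names, the cookie name, the session keys and the 30-day lifetime are assumptions for the example; it uses an in-memory SQLite database so it runs stand-alone. It goes one step beyond the thread by storing only the SHA-256 of each token, so a copied database cannot be replayed as cookies.

```php
<?php
// Added example, not the thread's code. Schema, cookie name, session keys
// and lifetime are assumptions; SQLite in memory keeps it self-contained.
declare(strict_types=1);

final class RememberMe
{
    private const COOKIE = 'remember_me';  // assumed cookie name
    private const TTL    = 30 * 86400;     // assumed lifetime: 30 days

    public function __construct(private PDO $db)
    {
        // One-to-many: a user may hold one token per device. Only the
        // SHA-256 of the token is stored (an addition beyond the thread).
        $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
            token_hash TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            expires_at INTEGER NOT NULL)');
    }

    /** Issue a fresh token for $userId, persist its hash, set the cookie. */
    public function issue(int $userId): string
    {
        $token = bin2hex(random_bytes(32));  // 256 bits from the CSPRNG
        $this->db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)')
                 ->execute([hash('sha256', $token), $userId, time() + self::TTL]);
        $this->setCookie($token, time() + self::TTL);
        return $token;
    }

    /** Log in from the cookie: null if missing/empty, unknown or expired.
     *  A successful use rotates the token (old one deleted, new one issued). */
    public function authenticate(?string $cookieValue): ?int
    {
        // Reject null/empty and anything that is not a well-formed token.
        if ($cookieValue === null || !preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
            return null;
        }
        $stmt = $this->db->prepare(
            'SELECT user_id FROM remember_tokens WHERE token_hash = ? AND expires_at > ?');
        $stmt->execute([hash('sha256', $cookieValue), time()]);
        $userId = $stmt->fetchColumn();
        if ($userId === false) {
            return null;
        }
        $this->revoke($cookieValue);               // single use
        $this->issue((int) $userId);               // replace on every login
        $_SESSION['auth_method'] = 'remember_me';  // weaker auth, checked below
        return (int) $userId;
    }

    /** Password login: drop the presented token, regenerate session, reissue. */
    public function onPasswordLogin(int $userId, ?string $cookieValue): void
    {
        if ($cookieValue !== null && $cookieValue !== '') {
            $this->revoke($cookieValue);
        }
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['auth_method']      = 'password';
        $_SESSION['password_auth_at'] = time();
        $this->issue($userId);
    }

    /** Gate for admin functions and profile changes: recent password auth only. */
    public static function requireFreshPassword(int $maxAge = 600): bool
    {
        return ($_SESSION['auth_method'] ?? null) === 'password'
            && time() - ($_SESSION['password_auth_at'] ?? 0) <= $maxAge;
    }

    /** Revoke every token of a user, e.g. after a password change. */
    public function revokeAll(int $userId): void
    {
        $this->db->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
    }

    private function revoke(string $token): void
    {
        $this->db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')
                 ->execute([hash('sha256', $token)]);
    }

    private function setCookie(string $value, int $expires): void
    {
        if (PHP_SAPI === 'cli' || headers_sent()) {
            return;  // no HTTP response in the CLI demo below
        }
        setcookie(self::COOKIE, $value, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,   // https only
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
}

// Stand-alone demo with constructed data: user 42 gets a token, uses it once,
// then the old value and an empty value are both rejected.
$rm = new RememberMe(new PDO('sqlite::memory:'));
$cookie = $rm->issue(42);
var_dump($rm->authenticate($cookie));  // int(42)
var_dump($rm->authenticate($cookie));  // NULL, token was rotated
var_dump($rm->authenticate(''));       // NULL, empty value never accepted
var_dump(RememberMe::requireFreshPassword());  // bool(false) after remember-me login
```

In a real request handler, `authenticate()` would receive `$_COOKIE['remember_me'] ?? null`, and any admin or profile route would refuse to proceed (redirecting to a password prompt) whenever `requireFreshPassword()` returns false.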
