Jump to content

Warning: hex2bin(): Input string must be hexadecimal string in


bravo14
 Share

Go to solution Solved by requinix,

Recommended Posts

I am using the code below, to encrypt  cookie, but the hex2bin is generating the following error

 

Warning: hex2bin(): Input string must be hexadecimal string in

 

 $key = hex2bin(openssl_random_pseudo_bytes(4));
   $cipher = "aes-256-cbc";
   $ivlen = openssl_cipher_iv_length($cipher);
   $iv = openssl_random_pseudo_bytes($ivlen);

   $ciphertext = openssl_encrypt($value, $cipher, $key, 0, $iv);

   return( base64_encode($ciphertext . '::' . $iv. '::' .$key) );

Can anyone point me in the right firection to correct this?

Link to comment
Share on other sites

  • Solution

You should find another tutorial: the code they've convinced you to use is... well, it's silly. It pointlessly uses encryption for something that doesn't need to use encryption.

If you want a remember me cookie then all you need is to store a long random token in your database and associate it with the user - preferably in one-to-many form so the user can have multiple tokens for multiple devices. Store it in the browser with the Secure and HttpOnly flags. Then, every time the token is used to log someone in, you generate a new token and replace the old one.

  • Like 1
Link to comment
Share on other sites

Just a bit of advice.  A remember me cookie is one of the most dangerous features you can have in your site. 

While the code you started with made no sense, and Requinix's suggestion is an improvement here's a couple of practical warnings for you. 

You also want to make sure that you are setting the remember me cookie so that it implements:

  • the secure flag
    • Can only be sent over an https connection
  • the http only flag
    • Prevents it from being read by javascript

In conclusion, don't underestimate the security dangers of implementing remember me cookies.  You should maintain in your system some sort of session variable status that designates whether a user was authenticated by the remember me system, or whether the user was authenticated with username/password.

The reason to do this, is that you can code around privilege escalation better.  Things you might want to protect against:

  • An admin equivalent user using any administrative function
    • Make them supply the account password.
    • Regenerate session
    • Regenerate remember me
  • Any change to the user profile
    • Contact, email, password, 2 factor auth, phone #'s etc
      • Same as above, password re-auth, regen session, revalidate

Anytime a user authenticates with their password, you should clear the existing remember me value, and if appropriate, re-compute a new one and set it as a new cookie.  You don't ever want a user to be able to login with a remember me cookie, if the same user has logged in with a password.  At that point, the stored remember me value should either be cleared, or set to some new value.  You also want to make sure that a user can never login with a null/empty remember me cookie value.

Using some of these ideas along with JWT token creation/signing is a more sophisticated approach, but there are a number of details involved in that I don't plan to get into, but increase the safety of the remember me token, so you might want to do some research into JWT's as well.  Doing any of this wrong/ineptly and you can easily introduce a major security problem for your system. 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.