Crypt Cookie Help!


8 replies to this topic

#1 salomon

salomon
  • New Members
  • Newbie
  • 6 posts

Posted 07 March 2006 - 03:01 PM

Okay, so I got a huge problem. I'm quite new at this cookie thing so... Anyway, I got a login page saving the password and username you enter as cookies, right. Everything is connected to an MSQL database. I currently use the following code for saving my cookies:

$password = crypt($insertpassword);   // no salt passed: PHP picks a random salt on every call
setcookie("uname", $userid, time() + 60*60*24*365, "/", $_SERVER['HTTP_HOST'], 0);   // one-year expiry; the original literal overflowed PHP's integer range
setcookie("pword", $password, time() + 60*60*24*365, "/", $_SERVER['HTTP_HOST'], 0);

This works perfectly fine for me and the password cookie is successfully crypted and saved.
BUT here comes the part I have been terribly stuck on for 2 days now: on the next page I have coded it so it will check if the password cookie is correct when compared to the password of the user in the database. The password saved in the database is also crypted.

Now, the thing we all know with crypt() is that it generates codes randomly, so simply checking if the cookie value for the password is exactly the same as the one in db surely won't work since they will always be different. Also, as it seems, using "if(crypt($cookie,$userspword)==$userspword" won't work either since both the passwords are already crypted.

So...how would one do if I wanted to compare the crypted password of the cookie to the crypted password in the user's row in the database?


Thank you very much in advance and for reading this.




#2 salomon

salomon
  • New Members
  • Newbie
  • 6 posts

Posted 07 March 2006 - 06:26 PM

Bump

#3 salomon

salomon
  • New Members
  • Newbie
  • 6 posts

Posted 08 March 2006 - 12:33 AM

Does really no one know how to solve this? Oh well.

#4 salomon

salomon
  • New Members
  • Newbie
  • 6 posts

Posted 08 March 2006 - 04:35 PM

I'm very disappointed and thought this site would be much more helpful. This is like the third time I bump this topic.

#5 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • Location: Toronto

Posted 08 March 2006 - 05:01 PM

> QUOTE(salomon @ Mar 8 2006, 11:35 AM)
> I'm very disappointed and thought this site would be much more helpful. This is like the third time I bump this topic.

.. and people here actually do have other things to do ..

If what's in the database is the same as what's in the cookie, what's the problem? If what's in the database isn't what's in the 'matching' cookie, it's never going to work.

Legend has it that reading the manual never killed anyone.
My site

#6 salomon

salomon
  • New Members
  • Newbie
  • 6 posts

Posted 08 March 2006 - 05:40 PM

I already told you that crypt() is never the same, you cannot just compare two passwords like that, sorry.

#7 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 08 March 2006 - 05:51 PM

You need to specify the same "salt" to the crypt function if you want the same encryption to take place.

Ken
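What Ken's salt remark means in practice, shown as an added example that is not code from this thread: crypt() stores the salt it used inside the hash it returns, so verification re-runs crypt() on the plaintext with the stored hash as the salt argument, and the two hashes of the same password only differ because their salts differ. The function names are hypothetical and the block assumes PHP 7 or later (random_bytes, the $2y$ bcrypt format and hash_equals all exist there); the final lines show the same check through the built-in password_hash()/password_verify() wrappers, which pick and store the salt for you.

```php
<?php
// Added example, not the thread's own code. Demonstrates salt handling in crypt().

// Hash a new password: draw a random salt and let crypt() embed it in the result.
function hashPassword(string $plain): string
{
    // bcrypt ($2y$) wants a 22-character salt from the alphabet ./A-Za-z0-9;
    // base64 of 16 random bytes gives 22 usable characters once '+' becomes '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($plain, '$2y$10$' . $salt);
}

// Verify a plaintext against a stored hash. crypt() reads the salt back out of
// the hash prefix, so its output equals the stored hash exactly when $plain matches.
// hash_equals() compares in constant time so the comparison itself leaks nothing.
function verifyPassword(string $plain, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($plain, $storedHash));
}

// Constructed demo values.
$stored = hashPassword('hunter2');
$again  = hashPassword('hunter2');

var_dump($stored === $again);                   // two hashes of one password: different salts, different strings
var_dump(verifyPassword('hunter2', $stored));   // correct plaintext against the stored hash
var_dump(verifyPassword('hunter3', $stored));   // wrong plaintext against the stored hash

// Same idea with the built-in wrappers (PHP >= 5.5): they generate and store the salt.
$h = password_hash('hunter2', PASSWORD_DEFAULT);
var_dump(password_verify('hunter2', $h));
```

Run it with `php example.php`: the first var_dump is false because each hashPassword() call drew its own salt, which is exactly what the OP observed when comparing the cookie hash to the database hash; the second and fourth are true and the third false. The takeaway for the thread is that you can only ever verify a crypt() hash against a plaintext, never against another hash, so a cookie holding a second, independently salted hash can never be matched.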

#8 XenoPhage

XenoPhage
  • Members
  • Advanced Member
  • 99 posts

Posted 08 March 2006 - 05:56 PM

> QUOTE(salomon @ Mar 8 2006, 12:40 PM)
> I already told you that crypt() is never the same, you cannot just compare two passwords like that, sorry.

I don't believe you can verify a crypt() password without the plaintext password.

I'd also highly suggest that you do not store sensitive information in a cookie. Instead, set up some sort of session variable that can be passed to the cookie. Something totally innocuous that you can make sense of, but that requires additional pieces of info to work. For instance, set a cookie with the first 8 characters of the crypted time that the user logged in. Make that the cookie session variable. Next, use start_session() and a database to link it all together. That makes it pretty difficult to steal user sessions..

Anyways, here's some code that I use for security. It's not *quite* as secure as I described above, but for the project it was written for, it was tight enough.. Secure Login Code (http://www.godshell.com/oss/secure_login.tar.gz)
--
XenoPhage (http://blog.godshell.com)
> Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming.
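One way to do what XenoPhage describes, keeping the password out of the cookie altogether, as an added example that is neither the thread's code nor the linked Secure Login package: on login the server draws a random token, stores only a hash of it next to the user id, and sends the token itself in an HttpOnly cookie; later requests are resolved by hashing the presented cookie and looking it up. The table name login_sessions, the PDO handle, and the function names are assumptions; the block assumes PHP 7.3 or later (random_bytes and the array form of setcookie) with the pdo_sqlite extension for the in-memory demo at the end.

```php
<?php
// Added example, not the thread's own code: a random session token instead of a password cookie.

// On successful login: mint a token, store its hash server-side, hand the token to the browser.
function issueSession(PDO $db, int $userId, int $ttlSeconds = 86400): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, 64 hex characters

    // Only the hash lands in the database, so a leaked table does not yield usable cookies.
    $db->prepare('INSERT INTO login_sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + $ttlSeconds]);

    // Secure keeps the cookie off plain HTTP, HttpOnly keeps it away from page scripts.
    // (In a CLI run no HTTP response exists, so this header simply goes nowhere.)
    setcookie('sess', $token, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

// On every later request: map the presented cookie back to a user id, or null.
function currentUser(PDO $db): ?int
{
    // Reject anything that is not a 64-character hex token before touching the database.
    if (!isset($_COOKIE['sess']) || !preg_match('/^[0-9a-f]{64}$/', $_COOKIE['sess'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id FROM login_sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $_COOKIE['sess']), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// On logout: drop the server-side row so the cookie value becomes worthless.
function endSession(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM login_sessions WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed, self-contained demo against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE login_sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');

$token = issueSession($db, 42);
$_COOKIE['sess'] = $token;               // simulate the browser sending the cookie back
var_dump(currentUser($db));              // the logged-in user

$_COOKIE['sess'] = str_repeat('0', 64);  // a well-formed but unknown token
var_dump(currentUser($db));

endSession($db, $token);
$_COOKIE['sess'] = $token;               // the real token after logout
var_dump(currentUser($db));
```

The three var_dump lines print the user id 42, then null, then null again. Compared with the cookie in the first post, nothing in this cookie is derived from the password, an attacker who reads the database gets hashes of tokens rather than the tokens, and a session can be killed server-side at any time by deleting its row.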

#9 salomon

salomon
  • New Members
  • Newbie
  • 6 posts

Posted 08 March 2006 - 11:08 PM

Yeah Ken, but I do however not use any salts since I can't seem to get them to work. I plainly use crypt() and that's all.

Thank you Xeno, you seem to know where I'm getting from here. I kinda wanted to confirm if you COULD compare crypted passes to each other or not, but as you said it would only work for comparing plain text passes to crypted, as I already can do. At the moment, believe it or not, I actually store PLAINTEXT passwords as cookies. Dumb eh? That's why I would want to make it at least crypted if it's going to be in the cookie. I checked your link, but it does not seem to work hmm.
