php_guy Posted December 14, 2007 Share Posted December 14, 2007 Hi, I want to create a "Keep me logged in" feature for my site. The user's name and password will be stored in a cookie as an md5 hash value. So the actual username/password are NOT stored, rather the md5(username) and md5(password) will be stored. Generally speaking, can you see any large security flaws with this? Quote Link to comment Share on other sites More sharing options...
lemmin Posted December 14, 2007 Share Posted December 14, 2007 If someone copies the cookie that belongs to someone elses account, they have permanent access to that user's account without ever having to know the user's password of username. This could occur very easy for computers where more than one person may use it, but there are other circumstances where this is still a security problem. My suggestion is to use a db to store users that are logged in along with a cookie that just says that that computer used an account that wants to stay logged in. Then check both the table and the cookie and you shouldn't have a problem. Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted December 14, 2007 Share Posted December 14, 2007 If both the user name and password are md5'ed in the cookie, when the user returns how do you plan to determine which user it was? And yes, storing the user's password anywhere other than in your database is a bad idea. Quote Link to comment Share on other sites More sharing options...
phpSensei Posted December 14, 2007 Share Posted December 14, 2007 Just put a Checkbox, if the checkbox isset, use a COOKIES to register the user's login information, else use a session. Make the time()+100000000000000000. Its what I always do. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.