PHP Sign In Script Using Cookies Only


mrx


So I've searched for a topic similar to my own and read a few, but I'd still like to ask my question:

 

I've designed a simple sign in script to use with my company's online store, so that each customer can have an account and save shipping/billing data, making our site more convenient for them.

 

I've designed this script to use cookies only, and haven't even bothered with sessions. How it works is when a customer signs in, the script finds their user name (email address) in the database and compares the md5 hash of the password they entered with the correct one in the database. If they match, two cookies are put on the customer's computer: one with their user id (the row in the database their info is at) and another with the md5 hash of their password. So the user is signed in.

 

On each page thereafter, the user's id and password hash are taken from the cookies. The password hash stored in the database for that user is brought up again and compared to the one stored in the user's cookie. If they still match, the user remains logged in.

 

This method seems simple and secure to me. Yes, some users have cookies disabled, but I will make sure to tell them they need to enable them to use our site. Yes, cookies can be altered by the user, but as the password in the cookie is constantly being compared to the one in the database, falsification by the user seems unlikely.

 

My question: is this really secure? Is there any big hole in this method I'm just not seeing? Is there any reason why sessions should be used that I'm missing?

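The scheme described above keeps the user's password hash in the cookie, so a copy of the database (or of the cookie) is itself a reusable credential and cannot be revoked without changing the password. The following is an added example, not the poster's code or anything from this thread, of the usual alternative: a random "remember me" token whose hash is stored server-side, in an HttpOnly/Secure cookie. It assumes a PDO handle `$db`, a table `remember_tokens(selector, validator_hash, user_id, expires_at)` and PHP 7.3 or later for the `setcookie` options array; all three are assumptions.

```php
<?php
// Added example, not the poster's code: a "remember me" cookie that carries a
// random token instead of the password hash. Assumes a PDO handle $db and a
// table remember_tokens(selector, validator_hash, user_id, expires_at).

function issue_remember_cookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(8));   // lookup key, may be seen
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $expires   = time() + 30 * 24 * 3600;    // 30 days, then the row is dead
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    // HttpOnly keeps page scripts from reading it; Secure keeps it off plain HTTP.
    setcookie('remember', "$selector:$validator", [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie checks out, else null. A leaked database
// dump yields nothing usable as a cookie, and one token can be revoked by
// deleting its row, neither of which holds for a cookie carrying the hash.
function user_from_remember_cookie(PDO $db): ?int {
    $parts = explode(':', $_COOKIE['remember'] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens
        WHERE selector = ? AND expires_at > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals: constant-time compare against the stored validator hash.
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

The password check at sign-in itself belongs with `password_hash()` / `password_verify()` rather than a bare `md5()`, which is fast and unsalted; the token above is issued only after that check succeeds.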

I don't see how you are not using sessions with an online store.  How do you transfer variables from one page to another?

 

Sessions won't store your login info if you return, that's a cookie's role, but if you only store those two items in a cookie (username/pw), I am not sure why you mention you're not using sessions.


I have experimented with sessions before and am confident that I could use them effectively if I wanted to. I just figured that the cookie sign in method would work well without a session because then the user could remain signed in after the session ends, if they desire to.

 

Also, don't sessions require cookies to be enabled so that the session id can be stored on the user's computer as a cookie?

 

I suppose I will use sessions during the checkout process to pass variables from one page to another, but if I don't need them to make the sign in process secure, I might just stick with cookies for that function.

 

I guess I will end up using sessions somewhere, but I guess I have to decide whether I want to simply store the sign in variables in a cookie, or put them in a session and have the session id as a cookie.

 

Thanks for the responses!


Keeping them signed in with a cookie is a good idea if you absolutely want to keep them signed in. However using cookies during the checkout process isn't as effective and secure as using sessions.  I'd suggest using sessions for the checkout process, and cookies for the login process.

 

EDIT: If you want to keep them signed in, a cookie is the only way to do it.  However, it isn't necessarily good practice to allow it.
