Cookie security

RandomEngy
Forum Contributor
Posts: 173
Joined: Wed Jun 26, 2002 3:24 pm

Cookie security

Post by RandomEngy »

Hey, I've decided putting a "stay logged in" checkbox in the login screen would be a really convenient thing for my users to have. It would use cookies of course, but this is where the problem comes in.

All of the passwords in the database are md5'd, and the entered password is md5'd and compared with the database. If I stored the password in the file just as is, someone could come along to their computer, and get the password from the cookie file, and log in as them whenever they wanted. If I stored it in md5 form, they could just copy the cookie, and use it on their computer to have an automatic login.

Is there an easy way to prevent account theft this way, or should the burden be on the user to keep people away from their computer?

I suppose I could use a 2-way encryption and keep a key for each user in the database, putting the encrypted password in the cookie, decrypting it when I got it back, then md5-ing it and comparing with the database password.

Are there any built-in 2-way encryption functions for PHP, or must I recompile and use the mcrypt functions?
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Post by BDKR »

Yo R,

What if the information in the cookie was a digital signature? It could be some stupid long randomly generated number that is encrypted before being sent to the browser and decrypted when coming back. When decrypted, the number is compared against a table in a database. That number is associated with information that is a serialized array. It will contain information like...

:: IP address
:: Time session started
:: Platform
:: OS

If all that checks out, then the person coming back can be considered an OK guy, for lack of a better term.

So now, the password is NOT sent back and forth each time, the cookie must come back from the same place the session started, we can set a time limit on the sessions, and we can also check that the platform and OS are the same.

This is what I do. Perfect? No. Also, I don't use cookies because users turn them on and off. I just slip a hidden var in on them in the form. :twisted:

Later on,
BDKR

By the way, where or what is your Avatar? I think it's cool!
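An added example (not code from either poster) of the scheme BDKR describes: the cookie carries a random token rather than the password, and the token is matched against a server-side table that records expiry and the client platform. The database table is simulated with an in-memory array, and the User-Agent string stands in for the platform/OS fields.

```php
<?php
// Added example, not from the thread: "stay logged in" without putting the password
// in the cookie. $rememberTable stands in for a database table; the browser's
// User-Agent ($ua) stands in for BDKR's platform/OS checks.
declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600;                // tokens expire after 30 days

// Simulated table: sha256(token) => [user_id, expires, user_agent]
$rememberTable = [];

// Issue a fresh token when the user ticks "stay logged in". Only its hash is stored,
// so a copy of the database cannot be turned back into a working cookie.
function issueRememberToken(array &$table, int $userId, string $ua): string {
    $token = bin2hex(random_bytes(32));             // 256 bits from the CSPRNG
    $table[hash('sha256', $token)] = [
        'user_id'    => $userId,
        'expires'    => time() + REMEMBER_TTL,
        'user_agent' => $ua,
    ];
    return $token;
}

// Send the token to the browser. HttpOnly keeps page scripts away from it, Secure
// keeps it off plain HTTP, and SameSite limits cross-site sending.
function setRememberCookie(string $token): void {
    setcookie('remember', $token, [
        'expires'  => time() + REMEMBER_TTL, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Check a returning cookie. Returns the user id, or null when the token is unknown,
// expired, or presented from a different platform. A presented token is always
// consumed, and a valid one is replaced, so a stolen copy stops working as soon
// as the real user comes back.
function checkRememberToken(array &$table, string $token, string $ua): ?int {
    $key = hash('sha256', $token);
    if (!isset($table[$key])) {
        return null;
    }
    $row = $table[$key];
    unset($table[$key]);                            // single use: rotate on every login
    if ($row['expires'] < time() || !hash_equals($row['user_agent'], $ua)) {
        return null;
    }
    setRememberCookie(issueRememberToken($table, $row['user_id'], $ua));
    return $row['user_id'];
}
```

The IP address BDKR lists is left out of the check here because it changes for users behind dial-up or proxies; adding it to the stored row and the comparison is a one-line change if the deployment can tolerate that.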
RandomEngy
Forum Contributor
Posts: 173
Joined: Wed Jun 26, 2002 3:24 pm

Post by RandomEngy »

Thanks for the ideas, BDKR, although since I know nothing about how to work digital signatures, or where to get a 2-way encryption function for Windows PHP, I probably won't end up using that method, especially since I have only a few more days on the job. (I'm summer help)

As for my avatar, that is a player model for the Engineer class in Team Fortress for Half-Life. It's the new model too, as opposed to the pre-1.1 model. Also, an Engineer is commonly called an "engy" in Team Fortress, and that's where I got my name.