Hey, I've decided putting a "stay logged in" checkbox in the login screen would be a really convenient thing for my users to have. It would use cookies of course, but this is where the problem comes in.
All of the passwords in the database are md5'd, and the entered password is md5'd and compared with the database. If I stored the password in the file just as is, someone could come along to their computer, and get the password from the cookie file, and log in as them whenever they wanted. If I stored it in md5 form, they could just copy the cookie, and use it on their computer to have an automatic login.
Is there an easy way to prevent account theft this way, or should the burden be on the user to keep people away from their computer?
I suppose I could use a 2-way encryption and keep a key for each user in the database, putting the encrypted password in the cookie, decrypting it when I got it back, then md5-ing it and comparing with the database password.
Are there any built-in 2-way encryption functions for PHP, or must I recompile and use the mcrypt functions?
Cookie security
- RandomEngy
Yo R,
What if the information in the cookie was a digital signature? It could be some stupid long randomly generated number that is encrypted before being sent to the browser and decrypted when coming back. When decrypted, the number is compared against a table in a database. That number is associated with information that is a serialized array. It will contain information like...
:: IP address
:: Time session started
:: Platform
:: OS
If all that checks out, then the person coming back can be considered an OK guy, for lack of a better term.
So now, the password is NOT sent back and forth each time, the cookie must come back from the same place the session started, we can set a time limit on the sessions, and we can also check that the platform and OS is the same.
This is what I do. Perfect? No. Also, I don't use cookies because users turn them on and off. I just slip a hidden var in on them in the form.
Later on,
BDKR
By the way, where or what is your Avatar? I think it's cool!
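One way to implement what BDKR describes, as an added example that is not code from the thread: the cookie carries only a random token, never the password, and instead of encrypting the number the server keeps a SHA-256 hash of it next to the context it was issued in (IP, user agent standing in for platform/OS, start time), so a copied table does not yield working cookies. Assumes PHP 7.1+; the in-memory `$table`, the 14-day lifetime and the sample values are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. $table stands in for the database table
// BDKR mentions; here it is an in-memory array keyed by the token's hash.

const TOKEN_LIFETIME = 14 * 24 * 3600;   // 14 days: an assumed policy, not from the thread

// Issue a "stay logged in" token for $userId and record the context it must come back with.
function issue_token(array &$table, int $userId, string $ip, string $ua, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits of randomness, nothing to guess
    $table[hash('sha256', $token)] = [           // store only the hash server-side
        'user'    => $userId,
        'ip'      => $ip,
        'ua'      => $ua,                        // stands in for platform/OS
        'started' => $now,
    ];
    // In the real page this is where the cookie would be set, e.g.
    // setcookie('remember', $token, $now + TOKEN_LIFETIME, '/', '', true, true);
    return $token;
}

// Check a returning token against the table; returns the user id, or null if anything
// does not line up (unknown token, expired, or coming from a different IP / browser).
function check_token(array &$table, string $token, string $ip, string $ua, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($table[$key])) {
        return null;                             // never issued, or already revoked
    }
    $row = $table[$key];
    if (($now - $row['started']) > TOKEN_LIFETIME) {
        unset($table[$key]);                     // past its time limit: drop it
        return null;
    }
    // Constant-time comparison of the recorded context with what came back.
    if (!hash_equals($row['ip'], $ip) || !hash_equals($row['ua'], $ua)) {
        return null;
    }
    return $row['user'];
}

// Constructed demonstration values.
$table = [];
$now   = time();
$ua    = 'Mozilla/5.0 (Windows NT 5.0)';
$t     = issue_token($table, 42, '203.0.113.7', $ua, $now);
var_dump(check_token($table, $t, '203.0.113.7', $ua, $now + 60));           // same context
var_dump(check_token($table, $t, '198.51.100.9', $ua, $now + 60));          // different IP
var_dump(check_token($table, $t, '203.0.113.7', $ua, $now + TOKEN_LIFETIME + 1)); // expired
```

Checking the IP as BDKR suggests will log out users whose address changes mid-session (dial-up reconnects, proxies), so the user-agent and time limit carry more of the weight in practice.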
- RandomEngy
Thanks for the ideas, BDKR, although since I know nothing about how to work digital signatures, or where to get a 2-way encryption function for windows PHP, I probably won't end up using that method, especially since I have only a few more days on the job. (I'm summer help)
As for my avatar, that is a player model for the Engineer class in Team Fortress for Half-Life. It's the new model too, as opposed to the pre 1.1 model. Also, an Engineer is commonly called an "engy" in Team Fortress, and that's where I got my name.