Cookie security
Posted: Wed Aug 07, 2002 10:02 am
Hey, I've decided putting a "stay logged in" checkbox in the login screen would be a really convenient thing for my users to have. It would use cookies of course, but this is where the problem comes in.
All of the passwords in the database are md5'd, and the entered password is md5'd and compared with the database. If I stored the password in the file just as is, someone could come along to their computer, and get the password from the cookie file, and log in as them whenever they wanted. If I stored it in md5 form, they could just copy the cookie, and use it on their computer to have an automatic login.
Is there an easy way to prevent account theft this way, or should the burden be on the user to keep people away from their computer?
I suppose I could use a 2-way encryption and keep a key for each user in the database, putting the encrypted password in the cookie, decrypting it when I got it back, then md5-ing it and comparing with the database password.
Are there any built-in 2-way encryption functions for PHP, or must I recompile and use the mcrypt functions?
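One way to get a "stay logged in" cookie without putting the password, its md5, or any encryption of it in the cookie at all, as an added example that is not part of the original thread: hand the browser a random token, store only a hash of that token server-side, and rotate it on every use. This assumes a modern PHP (7.1 or later, for random_bytes and hash_equals) and uses an in-memory array in place of the database; the function names are this example's own.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ (random_bytes, hash_equals);
// $store is an in-memory array standing in for a database table.
const TOKEN_LIFETIME = 30 * 24 * 3600;  // seconds

// Issue a "selector:validator" cookie value. Only a hash of the validator is
// stored, so a copy of the database does not yield usable cookies, and the
// cookie carries nothing derived from the user's password.
function issue_remember_token(int $userId, array &$store, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, lives only in the cookie
    $store[$selector] = ['user_id' => $userId, 'expires' => $now + TOKEN_LIFETIME,
                         'validator_hash' => hash('sha256', $validator)];
    return $selector . ':' . $validator;
}

// Check a cookie value; returns the user id or null. A valid token is rotated,
// so a copied cookie stops working as soon as the legitimate browser uses its own.
function verify_remember_token(string $cookie, array &$store, int $now, ?string &$newCookie = null): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);  // single use: expired, forged or consumed
    if ($row['expires'] < $now || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    $newCookie = issue_remember_token($row['user_id'], $store, $now);
    return $row['user_id'];
}

// Revoke every persistent login for a user, e.g. after a password change.
function revoke_all(int $userId, array &$store): void
{
    foreach ($store as $selector => $row) {
        if ($row['user_id'] === $userId) unset($store[$selector]);
    }
}

// CLI demo: a token works once, and a replay of the same cookie is rejected.
$db = [];
$cookie = issue_remember_token(42, $db, time());
$first  = verify_remember_token($cookie, $db, time(), $fresh);  // 42, $fresh holds the new cookie
$replay = verify_remember_token($cookie, $db, time());          // null
echo "first={$first} replay=" . var_export($replay, true) . " rows=" . count($db) . "\n";
```

In a real login the value goes out through setcookie() with the Secure and HttpOnly flags and an expiry matching TOKEN_LIFETIME; a cookie copied off the user's machine still works until it expires, is rotated or is revoked, but it never reveals the password and can be killed server-side by deleting the row.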