Cookie/Session Question

JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Cookie/Session Question

Post by JPlush76 »

I'm making a login page and basically when the user returns I'd like to automatically log them in.

To do this I have to put a cookie on their machine with the username and password?

I'd imagine that's not too secure, just trying to see if anyone has a better way? Thanks!
RandomEngy
Forum Contributor
Posts: 173
Joined: Wed Jun 26, 2002 3:24 pm

Post by RandomEngy »

Yeah, I had to just settle with putting the md5'd password in the cookie, and live with the fact that someone on their computer could copy the cookie and use it on their machine to hijack the account. Getting more secure than that would involve getting their IP, OS and everything and putting it into a database, and contriving a verification system based on that.
Geschi
Forum Newbie
Posts: 21
Joined: Wed Jul 10, 2002 3:21 am
Location: Germany

Post by Geschi »

There are other ways to solve your problem, because cookies aren't secure enough, as RandomEngy pointed out. The easiest thing would be to ask the user to log in each time, but that's nothing to discuss. If you're working in an intranet or all users have static IP addresses, you can identify them by their IP. There have been several discussions on how to log in automatically and without the user noticing. Supposedly, this can be done using VBScript or ASP. However, to log onto an NT workstation you need to get the identd process from the NT controller. I also heard about solving this using LDAP - have to double-check that.
Anyway, check out these discussions on automatic login:
http://www.devnetwork.net/forums/viewtopic.php?t=1174 and
http://www.devnetwork.net/forums/viewtopic.php?t=1472
protokol
Forum Contributor
Posts: 353
Joined: Fri Jun 21, 2002 7:00 pm
Location: Cleveland, OH

Post by protokol »

RandomEngy, is that the only insecure part about it? I mean, can someone from another computer retrieve the cookie? Or do they have to actually use the computer or be connected to it somehow?
Geschi
Forum Newbie
Posts: 21
Joined: Wed Jul 10, 2002 3:21 am
Location: Germany

Post by Geschi »

protokol. What is insecure? What's not? To get the cookie you either have to use the actual computer or grab it from a LAN connection or you have to hack the computer. However, the normal standard user won't be able to get your cookies. Hopefully ;-)
RandomEngy
Forum Contributor
Posts: 173
Joined: Wed Jun 26, 2002 3:24 pm

Post by RandomEngy »

Does anyone know how this BB does it? I've looked around in the code for it, but can't find anything about how the autologin works.
Geschi
Forum Newbie
Posts: 21
Joined: Wed Jul 10, 2002 3:21 am
Location: Germany

Post by Geschi »

Look at your cookies and you'll find the answer.
sam
Forum Contributor
Posts: 217
Joined: Thu Apr 18, 2002 11:11 pm
Location: Northern California

Post by sam »

One clever thing I came across on phpbuilder a long time back is to use a simulated private key system:

Code:

$key = "this is some text that the user will never see";
setcookie("user", $_GET['user']);
// now here is the good stuff
if (user_valid($_GET['user'], $_GET['pass'])) {
    // the function user_valid is just a query to your database or whatever to make sure that the user is valid
    setcookie("pass", md5($key . $_GET['user']));
}
// to check if the user is logged in all you have to do is this:
if ($_COOKIE['pass'] == md5($key . $_COOKIE['user'])) {
    // user is logged in and valid
}

Because the $key is never shown to the public, it is very hard to crack. And a user cannot just md5 a password and edit the cookie.

P.S. The [code] tag isn't working anymore? What happened to it?

Cheers Sam
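Sam's scheme ties the cookie to a server-side secret, but a cookie issued that way never expires, cannot be revoked for a single device, and is checked with PHP's loose == comparison. The following is an added example, written for this thread and not code from any of its posters, of the alternative most PHP applications use today: the cookie carries a random token rather than anything derived from the password, only a hash of that token is stored server side, and every token has an expiry and can be revoked. The $store array, the function names and the cookie name are assumptions standing in for a real database table and a real application.

```php
<?php
// Added example (not from the thread): a "remember me" cookie that holds a
// random token instead of a password hash. The cookie value is split into a
// selector (a lookup key) and a validator (the secret). Only a SHA-256 hash of
// the validator is stored server side, so a leaked table cannot be replayed as
// cookies, and each token carries an expiry and can be revoked.
// $store is a constructed in-memory stand-in for a database table.

declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';      // assumed cookie name
const REMEMBER_LIFETIME = 30 * 24 * 3600;     // 30 days, in seconds

/**
 * Issue a new persistent-login token for $user and record it in $store.
 * Returns the value to place in the cookie: "<selector>:<validator>".
 */
function issue_remember_token(string $user, array &$store, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, used only as a lookup key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, the actual secret

    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator), // never store the validator itself
        'expires' => $now + REMEMBER_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

/**
 * Check a presented cookie value against $store.
 * Returns the user name on success, or null if the token is malformed, unknown,
 * expired or mismatched. Expired and mismatched tokens are removed from $store.
 */
function validate_remember_token(string $cookie, array &$store, int $now): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie
    }
    [$selector, $validator] = $parts;

    if (!isset($store[$selector])) {
        return null; // unknown selector: nothing to compare against
    }
    $row = $store[$selector];

    if ($row['expires'] < $now) {
        unset($store[$selector]);
        return null; // expired
    }
    // hash_equals() compares in constant time and avoids PHP's loose "==" on strings
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($store[$selector]); // right selector, wrong secret: treat as tampering and revoke
        return null;
    }
    return $row['user'];
}

/** Send the cookie with the flags browsers need to protect it (PHP 7.3+ options array). */
function send_remember_cookie(string $value, int $now): bool
{
    return setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

/** Revoke every token belonging to $user, e.g. on logout or password change. */
function revoke_user_tokens(string $user, array &$store): void
{
    foreach ($store as $selector => $row) {
        if ($row['user'] === $user) {
            unset($store[$selector]);
        }
    }
}

// Stand-alone demonstration against the in-memory store.
$store = [];
$now   = time();

$cookie = issue_remember_token('alice', $store, $now);
echo 'fresh token:    ', var_export(validate_remember_token($cookie, $store, $now), true), "\n";

// Flip the last hex digit of the validator: the token is rejected and dropped.
$last     = substr($cookie, -1);
$tampered = substr($cookie, 0, -1) . ($last === '0' ? '1' : '0');
echo 'tampered token: ', var_export(validate_remember_token($tampered, $store, $now), true), "\n";
echo 'after tamper:   ', var_export(validate_remember_token($cookie, $store, $now), true), "\n";

// Expiry is enforced.
$cookie = issue_remember_token('bob', $store, $now);
echo 'expired token:  ', var_export(validate_remember_token($cookie, $store, $now + REMEMBER_LIFETIME + 1), true), "\n";
```

On a real login page, call issue_remember_token() once the password check has passed and hand its return value to send_remember_cookie(); on each request without a session, pass $_COOKIE[REMEMBER_COOKIE] to validate_remember_token() and start a session for the returned user. Because the validator is random and stored only as a hash, a stolen cookie is still usable until it expires or is revoked, which is why revoke_user_tokens() belongs in the logout and password-change paths.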