Cookie/Session Question

Posted: Tue Aug 13, 2002 12:49 pm
by JPlush76
I'm making a login page and basically when the user returns I'd like to automatically log them in.

To do this I have to put a cookie on their machine with the username and password?

I'd imagine that's not too secure, just trying to see if anyone has a better way? Thanks!

Posted: Tue Aug 13, 2002 4:13 pm
by RandomEngy
Yeah, I had to just settle with putting the md5'd password in the cookie, and live with the fact that someone on their computer could copy the cookie and use it on their machine to hijack the account. Getting more secure than that would involve getting their IP, OS and everything and putting it into a database, and contriving a verification system based on that.

Posted: Tue Aug 13, 2002 7:35 pm
by Geschi
There are other ways to solve your problem, because cookies aren't secure enough, as RandomEngy pointed out. The easiest thing would be to ask the user to log in each time, but that's nothing to discuss. If you're working in an intranet or all users have static IP addresses, you can identify them by their IP. There have been several discussions on how to log in automatically and without the user noticing. Supposedly, this can be done using VBScript or ASP. However, to log onto an NT workstation you need to get the identd process from the NT controller. I also heard about solving this using LDAP - have to double-check that.
Anyway, check out these discussions on automatic login:
http://www.devnetwork.net/forums/viewtopic.php?t=1174 and
http://www.devnetwork.net/forums/viewtopic.php?t=1472

Posted: Tue Aug 13, 2002 7:52 pm
by protokol
RandomEngy, is that the only insecure part about it? I mean, can someone from another computer retrieve the cookie? Or do they have to actually use the computer or be connected to it somehow?

Posted: Wed Aug 14, 2002 6:04 am
by Geschi
protokol: What is insecure? What's not? To get the cookie you either have to use the actual computer, or grab it from a LAN connection, or you have to hack the computer. However, the normal standard user won't be able to get your cookies. Hopefully ;-)

Posted: Wed Aug 14, 2002 9:18 am
by RandomEngy
Does anyone know how this BB does it? I've looked around in the code for it, but can't find anything about how the autologin works.

Posted: Wed Aug 14, 2002 5:08 pm
by Geschi
Look at your cookies and you'll find the answer.

Posted: Wed Aug 14, 2002 8:00 pm
by sam
One clever thing I came across on phpbuilder a long time back is to use a simulated private key system:

Code:

```php
$key = "this is some text that the user will never see";
setcookie("user", $_GET['user']);
// now here is the good stuff
if (user_valid($_GET['user'], $_GET['pass'])) {
    // the function user_valid is just a query to your database or whatever to make sure that the user is valid
    setcookie("pass", md5($key . $_GET['user']));
}
// to check if the user is logged in all you have to do is this:
if ($_COOKIE['pass'] === md5($key . $_COOKIE['user'])) {
    // user is logged in and valid
}
```

Because the $key is never shown to the public it is very hard to crack. And a user cannot just md5 a password and edit the cookie.

P.S. The [code] tag isn't working anymore? What happened to it?

Cheers Sam
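The two approaches discussed in this thread, RandomEngy's "md5'd password in the cookie" and sam's keyed hash of the username, both produce a cookie value that never changes and never expires, so a copied cookie stays valid indefinitely. The following is an added example, not code from any poster in the thread: it implements sam's scheme as posted, then a hardened "remember me" variant that stores a random, single-use token server-side, compares with a constant-time check, and expires. The secret, the in-memory token store, and the function names are all assumptions for the demo.

```php
<?php
// Added example (not from the thread). Assumption: SERVER_KEY would be loaded
// from configuration, never hard-coded, in real use.
const SERVER_KEY = 'replace-with-a-long-random-secret';

// --- Scheme from sam's post: cookie "pass" = md5(key . user) ---
function legacy_cookie_value(string $user): string {
    return md5(SERVER_KEY . $user);
}

function legacy_is_logged_in(array $cookies): bool {
    // Weakness: the value is static for the lifetime of the key, so a cookie
    // copied once (as RandomEngy describes) works forever, and md5 over a
    // plain concatenation is not a proper MAC.
    return isset($cookies['user'], $cookies['pass'])
        && hash_equals(legacy_cookie_value($cookies['user']), $cookies['pass']);
}

// --- Hardened variant: selector:validator token, stored server-side ---
// $store maps selector => ['user' => ..., 'hash' => HMAC of validator, 'expires' => unix time]
// (an assumed in-memory array standing in for a database table).

function issue_remember_token(array &$store, string $user, int $ttl = 30 * 86400): string {
    $selector  = bin2hex(random_bytes(9));   // locates the record; not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its HMAC is stored
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash_hmac('sha256', $validator, SERVER_KEY),
        'expires' => time() + $ttl,
    ];
    // In a real handler the returned value is set with:
    // setcookie('remember', $token, ['expires' => time() + $ttl, 'path' => '/',
    //           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $selector . ':' . $validator;
}

// Returns the username on success, null on any failure. Consumes the token,
// so a stolen copy stops working as soon as the legitimate user visits again.
function verify_remember_token(array &$store, string $cookie): ?string {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;
    }
    $rec = $store[$selector];
    if ($rec['expires'] < time()) {
        unset($store[$selector]);          // expired: drop the record
        return null;
    }
    $expected = hash_hmac('sha256', $validator, SERVER_KEY);
    if (!hash_equals($rec['hash'], $expected)) {
        return null;                       // wrong validator: reject
    }
    unset($store[$selector]);              // single use: rotate on every login
    return $rec['user'];
}

// Demo with a constructed store and user.
$remember_tokens = [];
$legacy = ['user' => 'alice', 'pass' => legacy_cookie_value('alice')];
var_dump(legacy_is_logged_in($legacy));                          // bool(true), and true forever

$token = issue_remember_token($remember_tokens, 'alice');
var_dump(verify_remember_token($remember_tokens, $token));       // string(5) "alice"
var_dump(verify_remember_token($remember_tokens, $token));       // NULL: token already consumed
var_dump(verify_remember_token($remember_tokens, 'bogus:value')); // NULL: unknown selector
```

After a successful verify_remember_token() the application issues a fresh token and sets the new cookie, so each cookie value is valid for exactly one automatic login. Revoking all remembered sessions for a user is then a matter of deleting that user's records from the store, which the static md5 scheme cannot do without changing the key for everyone.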