a question about cookies and MD5

beemzet
Forum Newbie
Posts: 6
Joined: Tue Jun 05, 2007 7:55 am

a question about cookies and MD5

Post by beemzet »

Hi all,

I've been creating a user management system which allows users to register, log in, log out and manage their profiles.

Login script works like this: Gets username and password from username and password textboxes, MD5 encrypts the password, and compares the username and password to that of the database. If everything is OK, then logs in, otherwise doesn't login.

I added gmail-like "remember me" option to the script. If the user checks to remember the username and password, then the script will set cookies with username and MD5 encrypted password. The next time when the page is loaded, the script checks if username and password cookies had been set. If yes, those values will be shown on username and password textboxes as google does. When I get values from cookies, I will have a username, and a MD5 encrypted password, right? So, with these values, if I submit the form, my login script encrypts the password again, which is already encrypted.

There comes my question. How do I do so that MD5 encrypted password that is stored in $_COOKIES variable, can be shown as a normal password in the password textbox.

Or any other solutions to the problem???

Thank you for your time.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Do not echo the password out into the page, ever. Simple as that.
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Re: a question about cookies and MD5

Post by TheMoose »

beemzet wrote: Hi all,

I've been creating a user management system which allows users to register, log in, log out and manage their profiles.

Login script works like this: Gets username and password from username and password textboxes, MD5 encrypts the password, and compares the username and password to that of the database. If everything is OK, then logs in, otherwise doesn't login.

I added gmail-like "remember me" option to the script. If the user checks to remember the username and password, then the script will set cookies with username and MD5 encrypted password. The next time when the page is loaded, the script checks if username and password cookies had been set. If yes, those values will be shown on username and password textboxes as google does. When I get values from cookies, I will have a username, and a MD5 encrypted password, right? So, with these values, if I submit the form, my login script encrypts the password again, which is already encrypted.

There comes my question. How do I do so that MD5 encrypted password that is stored in $_COOKIES variable, can be shown as a normal password in the password textbox.

Or any other solutions to the problem???

Thank you for your time.
I don't believe Google actually writes the username/password values into those boxes; it is most likely your browser doing that. Most "remember me" cookie setups usually just store a token/key/whatever you want to call it so that your code knows exactly who the person is based on this cookie value, and then assumes that since that cookie is set, that they are who they say they are and logs them in anyway.
beemzet
Forum Newbie
Posts: 6
Joined: Tue Jun 05, 2007 7:55 am

Post by beemzet »

thanx guys,

Ok, another question.

How do I find the length of original MD5 encrypted string?

And also, why use MD5 encryption when there is a way to decrypt them? Take a look at here
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

beemzet wrote: How do I find the length of original MD5 encrypted string?
In PHP, strlen(). In JavaScript, the length property.
beemzet wrote: And also, why use MD5 encryption when there is a way to decrypt them? Take a look at here
You're the one talking about MD5, why did you choose it? We often suggest SHA256 as it's much stronger. We also recommend salts, peppers and a dash of nutmeg for rich flavor.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

How do I find the length of original MD5 encrypted string?
You would have to store that information while you have the original data. But why?
beemzet wrote: And also, why use MD5 encryption when there is a way to decrypt them? Take a look at here
Those "decrypt" pages are usually based on rainbow tables, large pre-computed tables that contain many many md5 hashes. It's very unlikely that they contain the hash for e.g. lepton34bose_ (unless someone adds this hash right now ;))
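
An added illustration, not part of the original thread, of why the salts feyd mentions defeat the precomputed tables volka describes. The three-word table is constructed sample data, and `password_hash()` / `password_verify()` are PHP's built-in functions that generate and check a per-password salt.

```php
<?php
// Constructed sample data: a three-entry table standing in for the much
// larger precomputed MD5 tables behind the lookup sites discussed above.
$table = [];
foreach (['password', 'letmein', 'qwerty'] as $word) {
    $table[md5($word)] = $word;
}

// Unsalted: every user with this password has the same stored value,
// so one precomputed entry matches all of them.
$unsalted = md5('letmein');
var_dump(isset($table[$unsalted]));

// Salted: a random per-user salt is mixed in before hashing. The table was
// computed without the salt, so the stored value is not one of its keys.
$salt   = bin2hex(random_bytes(16));
$salted = md5($salt . 'letmein');
var_dump(isset($table[$salted]));

// PHP's built-in password API generates the salt itself and embeds it in the
// returned string, so two users with the same password get different hashes.
// It also uses a deliberately slow algorithm (bcrypt by default).
$alice = password_hash('letmein', PASSWORD_DEFAULT);
$bob   = password_hash('letmein', PASSWORD_DEFAULT);
var_dump($alice === $bob);

// Login check: password_verify() re-reads the salt from the stored string.
var_dump(password_verify('letmein', $alice));
var_dump(password_verify('qwerty', $alice));
```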
beemzet
Forum Newbie
Posts: 6
Joined: Tue Jun 05, 2007 7:55 am

Post by beemzet »

thank you guys.
will ask again if there is something else to ask...
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

The funny thing about that site is it probably doesn't have every computation. But when you do part one (find the MD5/SHA1 hash), it adds that to its own lookup. I'm gonna test my theory to find out for sure though ;)

EDIT: That site doesn't use a true hash of MD5 or SHA1. They've made their own variation that is decryptable, so it would appear there is no rainbow table for it.