Cookie vs Hidden field: Preferences?

Posted: Thu Apr 15, 2004 11:07 am
by llanitedave
I'm putting together a challenge-response authentication system using PHP on the server and Javascript on the client.

Here's what happens:
1. PHP generates an md5 hash of the current timestamp, which it sends to the browser.
2. The user enters a username and password, and hits "submit"
3. A javascript function takes the password, appends it to the hash, and hashes the result.
4. The plain-text username and the hashed password combo are sent to the server.
5. The database is queried for the username; if successful, it retrieves the associated password and performs the identical hashing operation on it.
6. If the results match, the user is logged in.

I'm hoping that this is a security enhancement over passing plain-text passwords across insecure connections.

My question is this:
I can store the hashed variable sent from the server in either a hidden field on the login page or a cookie on the browser. Right now I'm leaning towards the hidden field, as it seems simpler to implement and there is no need for persistence across pages.

Are there any other considerations I need to be aware of? Any "gotchas" I'm leaving out?

If persistence is not an issue, is there any advantage to cookies over hidden fields, or vice versa?

Posted: Fri Apr 16, 2004 9:08 am
by Black Unicorn
Whether you use a cookie or a hidden field, both will still send plaintext from the server to the client over the internet. I'd say go with hidden fields, as some people disable cookies on their browsers.

As for "gotchas", I'd say you've covered the basics, and it sounds secure enough to me, but not crackproof. If you want to make it a bit more secure, don't append the md5(password) to the timestamp hash, but hash the two added together, i.e. md5(hashedTimestamp+md5(password)), and repeat this procedure on the server to compare the two digests. A 64-char encrypted string is sort of a giveaway, and brute-forcing either the password or the timestamp will be more likely than with a hash of two hashes combined.

Hope this helps,
H.

Posted: Fri Apr 16, 2004 2:03 pm
by llanitedave
I may not have been clear enough on the original post, but I DO hash the two strings together after they've been appended. And your reasoning for that is one of several good ones.

You're right about considering those that have cookies disabled, although the application I'm developing will have session variables in cookies, and will pretty much demand that those be available. It's a specialty app, and not for the general browsing public, so I can get away with a few such demands.

BUT, I might decide to generalize the login system itself and again, you're right -- hidden fields are probably more portable.

So, all in all -- yeah, you've helped! 8)

I'll continue on with a clear conscience...

Posted: Fri Apr 16, 2004 2:36 pm
by malcolmboston
Hidden field, always.

I have yet to need cookies, and personally do not like them; however, they have their uses.

Posted: Fri Apr 16, 2004 2:47 pm
by llanitedave
malcolmboston wrote:
Hidden field, always.

I have yet to need cookies, and personally do not like them; however, they have their uses.
At the risk of getting off topic, does this include cookies used as Session ID?

Posted: Sat Apr 17, 2004 8:03 am
by malcolmboston
I don't use cookies at all.

Life can work around cookies.

The PHP session system is much, much better than cookies. Cookies are good for "remembering" a user, but the simple fact of life is, they can be turned off; sessions can't.

Remembering a user is a nice gimmick and all, but typing out two input fields to log back in really isn't that hard...

... and no, I don't use cookies in conjunction with sessions. I did once, and found no major benefit...

... I'm sure I'll get flamed for this.

Posted: Sat Apr 17, 2004 9:45 am
by m3rajk
malcolmboston wrote:
I don't use cookies at all.

Life can work around cookies.

The PHP session system is much, much better than cookies. Cookies are good for "remembering" a user, but the simple fact of life is, they can be turned off; sessions can't.

Remembering a user is a nice gimmick and all, but typing out two input fields to log back in really isn't that hard...

... and no, I don't use cookies in conjunction with sessions. I did once, and found no major benefit...

... I'm sure I'll get flamed for this.
Sessions use POST, GET and cookies. You can turn off cookies and it uses POST or GET. If you use GET you have really long URLs that can be a pain; to have it use POST you have to have ALL MOVEMENT done via POST.

Remember that when trying to design, sometimes it's better to require cookies if you don't want a lot of information put into the URLs.

Posted: Sat Apr 17, 2004 1:43 pm
by malcolmboston
m3rajk wrote:
If you use GET you have really long URLs that can be a pain; to have it use POST you have to have ALL MOVEMENT done via POST.

Remember that when trying to design, sometimes it's better to require cookies if you don't want a lot of information put into the URLs.

I don't use GET either.