Auto-login cookie security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

lorenzo-s
Forum Commoner
Posts: 43
Joined: Tue Aug 25, 2009 12:25 pm

Auto-login cookie security

Post by lorenzo-s »

Hi everyone. I'm working on a Login class. I want to create an auto-login cookie.

Until now, I have set a cookie with the username and md5(password), for example:
jack:1a1dc91c907325c69271ddf0c944bc72
and then I simply use a normal login($user, $pwd) function.

But I think it's better to store a cookie with the user ID and a secret code, generated for example with md5('secret_word' . $user_id). I set a cookie like:
612:257bdf176a114212c6cf8495c3c8c6da
and then I get the user ID (612), check the secret code with that ID, and then log the user.

Is there any difference between these two approaches in terms of security?
Thank you! :D
lorenzo-s
Forum Commoner
Posts: 43
Joined: Tue Aug 25, 2009 12:25 pm

Re: Auto-login cookie security

Post by lorenzo-s »

Mmmm... Maybe it's safer the first way. If a user changes their password, the cookie will stop working. That's right, because the user can prevent someone who has stolen the cookie from logging into the site... Mmmm...
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Auto-login cookie security

Post by kaisellgren »

Don't store usernames or passwords in cookies. Use the Session extension.
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: Auto-login cookie security

Post by cpetercarter »

Kai, what do you mean when you advise the OP not to store usernames or passwords in cookies?

If you use cookies as a means of identifying a user and authorising access, then the cookie has to contain data which uniquely identifies the user, such as username and password. These should of course be encrypted, preferably with a unique salt.

Or are you advising against using cookies as an identification/authorisation method?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Auto-login cookie security

Post by kaisellgren »

cpetercarter wrote: If you use cookies as a means of identifying a user and authorising access, then the cookie has to contain data which uniquely identifies the user, such as
The identifier for the session. Cookie-based "username + password" authentication is obsolete and not as secure as the way we handle authentication today using sessions.
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: Auto-login cookie security

Post by cpetercarter »

Kai, thank you for this helpful reply. I have rewritten the access-checking script for my software so that cookies contain only an identifier, which is regenerated each time a cookie is used for access. It is here if you are interested.
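The thread ends with the idea of a cookie that carries only an identifier which is regenerated on every use. The following is an added example written for this page; it is not code from any poster and not the script linked above. It implements that pattern in PHP: the cookie holds a random selector and a random validator, only a hash of the validator is stored server-side, the token is rotated each time it is redeemed, and all of a user's tokens can be revoked on password change. Unlike the md5('secret_word' . $user_id) scheme in the opening post, the token is not derived from a fixed secret and a predictable user ID, so each device's cookie is independent and can be revoked on its own. The table name auth_tokens, its columns, the cookie name and the PDO connection are assumptions; it targets PHP 7.3 or later (for the options array form of setcookie), and session_start() is assumed to have been called before login_from_remember_token().

```php
<?php
// Added example (not code from the thread). Persistent "remember me" cookie of the
// form selector:validator, stored hashed and rotated on every successful use.
// Assumed table: auth_tokens(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//                            user_id INT, expires DATETIME)
declare(strict_types=1);

const TOKEN_COOKIE = 'remember_me';     // assumed cookie name
const TOKEN_TTL    = 30 * 24 * 3600;    // 30 days

function issue_remember_token(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key, 24 hex chars
    $validator = bin2hex(random_bytes(32)); // secret half, 64 hex chars; only its hash is stored
    $expires   = time() + TOKEN_TTL;

    $stmt = $db->prepare(
        'INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, date('Y-m-d H:i:s', $expires)]);

    // Secure + HttpOnly so the cookie is neither sent over plain HTTP nor readable by scripts.
    setcookie(TOKEN_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function login_from_remember_token(PDO $db): ?int
{
    if (!isset($_COOKIE[TOKEN_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[TOKEN_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie: ignore it
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare('SELECT user_id, validator_hash, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || strtotime($row['expires']) < time()) {
        return null; // unknown or expired token
    }

    // Compare hash-to-hash in constant time; the stored value is never the raw validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector but wrong validator: treat the token as compromised and drop it.
        $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }

    // Rotate: the token is single-use, so a copied cookie stops working after its first use.
    $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    $userId = (int) $row['user_id'];
    issue_remember_token($db, $userId);

    // Promote to a fresh server-side session rather than keeping identity in the cookie.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return $userId;
}

function revoke_all_remember_tokens(PDO $db, int $userId): void
{
    // Call this on password change or "log out everywhere": every outstanding cookie for
    // the user stops working, which is the property the opening post wanted from tying
    // the cookie to the password hash, without putting the password in the cookie.
    $db->prepare('DELETE FROM auth_tokens WHERE user_id = ?')->execute([$userId]);
}
```

The split into selector and validator matters: the database lookup runs on the selector alone, so the only secret-dependent comparison is the constant-time hash_equals call, and a database read-only leak exposes hashes rather than usable tokens. Rotation also gives a detection signal: if a rotated-out selector is presented again, two parties have held the same cookie, and the safest response is to revoke that user's tokens and require a fresh password login.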