Auto-login cookie security

Posted: Thu Oct 01, 2009 11:33 am
by lorenzo-s
Hi everyone. I'm working on a Login class. I want to create an auto-login cookie.

Until now, I have set a cookie with the username and md5(password), for example:
jack:1a1dc91c907325c69271ddf0c944bc72
and then I simply use a normal login($user, $pwd) function.

But I think it's better to store a cookie with the user ID and a secret code, generated for example with md5('secret_word' . $user_id). I set a cookie like:
612:257bdf176a114212c6cf8495c3c8c6da
and then I get the user ID (612), check the secret code with that ID, and then log the user.

Is there any difference between these two approaches in terms of security?
Thank you! :D

Re: Auto-login cookie security

Posted: Thu Oct 01, 2009 12:02 pm
by lorenzo-s
Mmmm... Maybe it's safer the first way. If a user changes their password, the cookie will stop working. That's right, because the user can prevent someone who has stolen the cookie from logging into the site... Mmmm...

Re: Auto-login cookie security

Posted: Fri Oct 02, 2009 2:08 am
by kaisellgren
Don't store usernames or passwords in cookies. Use the Session extension.

Re: Auto-login cookie security

Posted: Sat Oct 10, 2009 5:14 pm
by cpetercarter
Kai, what do you mean when you advise the OP not to store usernames or passwords in cookies?

If you use cookies as a means of identifying a user and authorising access, then the cookie has to contain data which uniquely identifies the user, such as username and password. These should of course be encrypted, preferably with a unique salt.

Or are you advising against using cookies as an identification/authorisation method?

Re: Auto-login cookie security

Posted: Sun Oct 11, 2009 4:44 am
by kaisellgren
cpetercarter wrote: If you use cookies as a means of identifying a user and authorising access, then the cookie has to contain data which uniquely identifies the user, such as
The identifier for the session. Cookie-based "username + password" authentication is obsolete and not as secure as the way we handle authentication today using sessions.

Re: Auto-login cookie security

Posted: Tue Oct 13, 2009 4:01 pm
by cpetercarter
Kai, thank you for this helpful reply. I have rewritten the access-checking script for my software so that cookies contain only an identifier, which is regenerated each time a cookie is used for access. It is here if you are interested.
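The scheme the thread converges on (kaisellgren's "identifier only" advice and cpetercarter's "regenerated each time a cookie is used") can be shown in working code. The following is an added example written for this page; it is not lorenzo-s's Login class, cpetercarter's script, or any library's code. It assumes PHP 7.3 or later with the PDO SQLite driver, and the table name, column names and the `selector:validator` cookie layout are choices made here, not anything the posters specified. The cookie carries two random strings: a selector used only to find the row, and a validator whose SHA-256 hash is what the database keeps, so a copy of the table does not yield usable cookies. Each successful use deletes the presented token and issues a fresh one, every token expires, and a password change revokes all of a user's tokens, which is the property lorenzo-s wanted from his first scheme without putting md5(password) in the browser.

```php
<?php
// Added example, not code from the forum thread. Assumes PHP >= 7.3 with PDO SQLite.
declare(strict_types=1);

final class RememberMe
{
    private const COOKIE   = 'remember';           // cookie name (assumed)
    private const LIFETIME = 60 * 60 * 24 * 30;    // 30 days (assumed)

    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Table and column names are this example's own choice.
    public static function setupSchema(PDO $db): void
    {
        $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
            selector       TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id        INTEGER NOT NULL,
            expires_at     INTEGER NOT NULL)');
    }

    // Create a token for $userId and return the value to put in the cookie.
    // Only the hash of the validator is stored; the cookie is the sole copy of the secret.
    public function issue(int $userId): string
    {
        $selector  = bin2hex(random_bytes(9));    // row lookup key, not secret
        $validator = bin2hex(random_bytes(32));   // the actual secret
        $stmt = $this->db->prepare(
            'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
             VALUES (?, ?, ?, ?)');
        $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + self::LIFETIME]);
        return $selector . ':' . $validator;
    }

    // Check a presented cookie value. On success the used token is deleted and a new
    // one issued; returns [userId, newCookieValue], or null if the cookie is not valid.
    public function redeem(string $cookieValue): ?array
    {
        $parts = explode(':', $cookieValue, 2);
        if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
            return null;                          // malformed, reject before touching the DB
        }
        [$selector, $validator] = $parts;
        $stmt = $this->db->prepare(
            'SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
        $stmt->execute([$selector]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;
        }
        // hash_equals compares in constant time, so timing does not leak matching prefixes
        if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
            return null;
        }
        // A presented token is single-use: delete it whether it is still in date or expired
        $this->db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        if ((int) $row['expires_at'] < time()) {
            return null;
        }
        $userId = (int) $row['user_id'];
        return [$userId, $this->issue($userId)];  // rotate: the old value is now worthless
    }

    // Call this on password change (or "log out everywhere"): all outstanding cookies die.
    public function revokeAll(int $userId): void
    {
        $this->db->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
    }

    // Send the cookie with flags that keep it off plain HTTP and away from page scripts.
    public static function sendCookie(string $value): void
    {
        setcookie(self::COOKIE, $value, [
            'expires'  => time() + self::LIFETIME,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
}

// Demonstration against an in-memory database (constructed data, no web server involved).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
RememberMe::setupSchema($db);
$rm = new RememberMe($db);

$cookie = $rm->issue(612);                 // user 612 ticked "remember me"
$result = $rm->redeem($cookie);            // next visit: browser presents the cookie
if ($result === null || $result[0] !== 612) { throw new RuntimeException('first use should succeed'); }
if ($rm->redeem($cookie) !== null)         { throw new RuntimeException('replay of a used cookie must fail'); }
$fresh = $result[1];                       // the value the browser now holds
$rm->revokeAll(612);                       // user changed their password
if ($rm->redeem($fresh) !== null)          { throw new RuntimeException('revoked cookie must fail'); }
echo "remember-me flow behaves as expected\n";
```

In a request handler you would call `redeem($_COOKIE['remember'])` only when no session is active, start the session for the returned user ID, and pass the new value to `sendCookie()`; the `issue()` path runs once at login when the user opts in. Note that a mismatched validator is simply rejected here; an implementation may additionally treat a known selector with a wrong validator as a sign the cookie was copied and revoke that user's other tokens.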