Use of Cookies for Partial Authentication

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

So I'm designing my security scheme, and I got to thinking:

Is it ok to use a cookie to store a non-identifying token (key) that I can use to retrieve a DB salt for a password? The key itself is not used in the encryption, but instead of relying on the site to determine the salt to use when it's posted (based on the username), it would use the cookie instead? I would have non-cookie measures (if cookies are disabled it just uses the salt associated with the username, but if cookies are available, then it must use the cookie token).

The way I see it, it helps prevent remote scripted login attempts since the cookie doesn't necessarily exist on the script runner's server.

I also have a private salt that I'll be using as well for more security (I read the thread about double salted security, and it makes perfect sense).

So it'd look something like:

Code:

if(!isset($_COOKIE['mysite'])) {
   // cookie not set: test cookie availability, and either regenerate the cookie token or use the default user DB salt
} else {
   // cookie IS set: use the cookie to retrieve a DB salt that is not the user's salt, but a different one
}
// hash the password as sha256(private_salt + password + DB_salt) and check authentication
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Cookies aren't especially secure, but as long as it's not directly linked to anything (i.e. separate and unique) and you rotate it, I think you're fine.

One thing I will warn against is using too many cookies. If you already have storage of cookies, I'd suggest using an existing cookie over creating a new one.
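One way to fill in the two branches of TheMoose's sketch, with the token rotation feyd recommends, as an added PHP example that is neither poster's code. The store is a constructed in-memory array standing in for the real tables, and selectRecord, login, rotateToken and $db are hypothetical names.

```php
<?php
// Added example, not TheMoose's or feyd's code: the post's branch structure with the lookups
// filled in, plus the rotation feyd recommends. The "database" is a constructed in-memory
// array; selectRecord, login, rotateToken and $db are hypothetical names.
const PRIVATE_SALT = 'constructed-private-salt';   // the post's private salt

// sha256(private_salt + password + DB_salt), as the post describes it
function hashPassword(string $password, string $dbSalt): string {
    return hash('sha256', PRIVATE_SALT . $password . $dbSalt);
}

// Cookie set: the token must resolve to a record bound to this username, or the login fails.
// Cookie not set: fall back to the salt/hash stored against the username.
function selectRecord(array $db, string $username, ?string $token): ?array {
    if ($token !== null) {
        $rec = $db['tokens'][$token] ?? null;
        return ($rec !== null && $rec['user'] === $username) ? $rec : null;
    }
    return $db['users'][$username] ?? null;
}

function login(array $db, string $username, string $password, ?string $token): bool {
    $rec = selectRecord($db, $username, $token);
    // constant-time comparison of the stored hash against the freshly computed one
    return $rec !== null && hash_equals($rec['hash'], hashPassword($password, $rec['salt']));
}

// After a successful login, retire the presented token and issue a fresh random one with its
// own salt, so a captured cookie stops working at the next login (feyd's "rotate it").
function rotateToken(array &$db, ?string $oldToken, string $username, string $password): string {
    if ($oldToken !== null) {
        unset($db['tokens'][$oldToken]);
    }
    $new  = bin2hex(random_bytes(16));   // opaque: carries nothing identifying
    $salt = bin2hex(random_bytes(8));
    $db['tokens'][$new] = ['user' => $username, 'salt' => $salt, 'hash' => hashPassword($password, $salt)];
    return $new;                          // the caller stores it with setcookie()
}

// Constructed records for one user: their own salt, plus one outstanding cookie token.
$db = ['users'  => ['alice' => ['salt' => 'user-salt-A', 'hash' => hashPassword('correct horse', 'user-salt-A')]],
       'tokens' => ['tok-constructed-1' => ['user' => 'alice', 'salt' => 'cookie-salt-B',
                                            'hash' => hashPassword('correct horse', 'cookie-salt-B')]]];
var_dump(login($db, 'alice', 'correct horse', 'tok-constructed-1'));  // cookie path
var_dump(login($db, 'alice', 'correct horse', null));                 // no cookie: username fallback
var_dump(login($db, 'bob', 'correct horse', 'tok-constructed-1'));    // bob presenting alice's token
$fresh = rotateToken($db, 'tok-constructed-1', 'alice', 'correct horse');
var_dump(login($db, 'alice', 'correct horse', 'tok-constructed-1'));  // the presented token was retired
var_dump(login($db, 'alice', 'correct horse', $fresh));               // the rotated token
```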