Is it ok to use a cookie to store a non-identifying token (key) that I can use to retrieve a DB salt for a password? The key itself is not used in the encryption; instead of relying on the site to determine the salt to use when the form is posted (based on the username), it would use the cookie instead. I would have non-cookie measures (if cookies are disabled it just uses the salt associated with the username, but if cookies are available, then it must use the cookie token).
The way I see it, it helps prevent remote scripted login attempts since the cookie doesn't necessarily exist on the script runner's server.
I also have a private salt that I'll be using as well for more security (I read the thread about double salted security, and it makes perfect sense).
So it'd look something like:
if(!isset($_COOKIE['mysite'])) {
    // cookie NOT set: test cookie availability, and either regenerate the cookie token
    // or fall back to the default salt stored against the user's DB record
} else {
    // cookie IS set: use the cookie token to look up a DB salt that is not the user's
    // own salt but a different one tied to this token
}
// hash the password as sha256(private_salt + password + DB_salt) and check authentication
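Added example (not the poster's code), written in Python rather than PHP, sketching the flow described above: a per-user salt, a second salt tied to the cookie token, the fallback when no cookie is sent, and the sha256(private_salt + password + DB_salt) check. PRIVATE_SALT, the in-memory dicts standing in for the DB tables, and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed value; in practice this lives outside the database.
PRIVATE_SALT = b"constructed-private-salt"

# Constructed in-memory stand-ins for the two DB tables the post describes.
users = {}         # username -> {"salt": bytes, "hash": hex digest}
cookie_salts = {}  # cookie token -> {"username": str, "salt": bytes, "hash": hex digest}


def digest(password, db_salt):
    # sha256(private_salt + password + DB_salt), exactly as in the post
    return hashlib.sha256(PRIVATE_SALT + password.encode() + db_salt).hexdigest()


def register(username, password):
    # Store the user's own salt and the digest computed with it.
    salt = secrets.token_bytes(16)
    users[username] = {"salt": salt, "hash": digest(password, salt)}


def issue_cookie_token(username, password):
    # Called right after a successful login, while the plaintext password is
    # still available: mint a fresh token bound to a second, different salt.
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    cookie_salts[token] = {"username": username, "salt": salt,
                           "hash": digest(password, salt)}
    return token


def login(username, password, cookie_token=None):
    # Cookie present: the token's salt must be used; a token that is unknown
    # or belongs to another user fails closed. No cookie: fall back to the
    # salt stored against the username.
    if cookie_token is not None:
        rec = cookie_salts.get(cookie_token)
        if rec is None or rec["username"] != username:
            return False
    else:
        rec = users.get(username)
        if rec is None:
            return False
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(digest(password, rec["salt"]), rec["hash"])
```

Note that the fallback branch accepts a request without the cookie against the username salt, so a client that simply omits the cookie is verified the same way; the token only selects which stored salt applies and adds no secret to the digest.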