
Use of Cookies for Partial Authentication

Posted: Thu Mar 01, 2007 4:06 pm
by TheMoose
So I'm designing my security scheme, and I got to thinking:

Is it OK to use a cookie to store a non-identifying token (key) that I can use to retrieve a DB salt for a password? The key itself is not used in the encryption, but instead of relying on the site to determine the salt to use when it's posted (based off the username), it uses the cookie instead? I would have non-cookie measures (if cookies are disabled it just uses the salt associated with the username, but if cookies are available, then it must use the cookie token).

The way I see it, it helps prevent remote scripted login attempts since the cookie doesn't necessarily exist on the script runner's server.

I also have a private salt that I'll be using as well for more security (I read the thread about double salted security, and it makes perfect sense).

So it'd look something like:


if (!isset($_COOKIE['mysite'])) {
   // cookie NOT set: test cookie availability, and either regenerate the cookie token
   // or fall back to the default salt stored with the user record
} else {
   // cookie IS set: use the cookie token to look up a separate DB salt, not the user's own salt
}
// hash the password as sha256(private_salt . password . DB_salt) and compare with the stored value
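
The scheme described in this post, written out as an added example (this is not TheMoose's code). The table layouts, constants, salt values and function names are assumptions made for illustration; the sample records are constructed. Because the salt is part of the digest, a second salt implies a second stored digest, so the token table here carries its own salt/digest pair. The final call also shows the point a practitioner should notice: a client that omits the cookie, or presents an unknown one, is served by the username-salt fallback, so the cookie raises no bar for a login that never had it.

```php
<?php
// Added example, not code from the thread. Table layouts, constants and
// function names are assumptions made for illustration.

// Site-wide secret (the "private salt" in the thread); a constructed value.
const PRIVATE_SALT = 'example-private-salt-from-config';

// The scheme as described: sha256(private_salt . password . db_salt).
function passwordDigest(string $password, string $dbSalt): string
{
    return hash('sha256', PRIVATE_SALT . $password . $dbSalt);
}

// Constructed stand-in for the database. Each salt needs its own stored digest:
// one for the per-user salt and one for every cookie token issued to the user.
function buildFixtures(): array
{
    $userSalt   = 'user-salt-alice';       // constructed
    $cookieSalt = 'cookie-salt-alice-1';   // constructed
    return [
        'users' => [
            'alice' => ['salt' => $userSalt,
                        'digest' => passwordDigest('correct horse', $userSalt)],
        ],
        // token => owner plus its own salt/digest pair
        'tokens' => [
            'a1b2c3d4' => ['username' => 'alice', 'salt' => $cookieSalt,
                           'digest' => passwordDigest('correct horse', $cookieSalt)],
        ],
    ];
}

// Pick the salt/digest record: the cookie token first (only if it belongs to
// this username), otherwise the per-user salt, exactly as the post proposes.
function lookupRecord(array $db, string $username, ?string $cookieToken): ?array
{
    if ($cookieToken !== null
        && isset($db['tokens'][$cookieToken])
        && $db['tokens'][$cookieToken]['username'] === $username) {
        return $db['tokens'][$cookieToken];
    }
    return $db['users'][$username] ?? null;
}

function authenticate(array $db, string $username, string $password, ?string $cookieToken): bool
{
    $record = lookupRecord($db, $username, $cookieToken);
    if ($record === null) {
        return false;
    }
    // Constant-time comparison so the check does not leak how many bytes matched.
    return hash_equals($record['digest'], passwordDigest($password, $record['salt']));
}

// A fresh, non-identifying token for the cookie, rotated on each login as feyd
// suggests. The caller stores token => [username, salt, digest] and sets the
// cookie with HttpOnly and Secure so scripts and plain HTTP never see it.
function newCookieToken(): string
{
    return bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
}

function issueCookie(string $token): void
{
    setcookie('mysite', $token, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

$db = buildFixtures();
$show = fn(string $label, bool $ok) => printf("%-28s %s\n", $label, $ok ? 'accepted' : 'rejected');

$show('cookie path, good password', authenticate($db, 'alice', 'correct horse', 'a1b2c3d4'));
$show('cookie path, bad password',  authenticate($db, 'alice', 'wrong',         'a1b2c3d4'));
$show('no cookie, good password',   authenticate($db, 'alice', 'correct horse', null));
// An unknown token is simply ignored and the request drops to the fallback path,
// so the cookie requirement is a convenience, not an authentication factor.
$show('unknown cookie, good pw',    authenticate($db, 'alice', 'correct horse', 'zzzz'));
```

Run it with `php` on the command line; the fixture data is built inline so nothing needs a database. The digest function keeps the thread's single sha256 pass so the example matches the design being discussed; current PHP would put `password_hash()` / `password_verify()` in its place, since those apply a deliberately slow algorithm and handle the per-user salt themselves.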

Posted: Thu Mar 01, 2007 4:47 pm
by feyd
Cookies aren't especially secure, but as long as it's not directly linked to anything (i.e. separate and unique) and you rotate it, I think you're fine.

One thing I will warn against is using too many cookies. If you already have storage of cookies, I'd suggest using an existing cookie over creating a new one.