Login Systems
Posted: Sat Aug 23, 2008 4:55 pm
Hi, I'm working on a login system for my site and want to talk about login systems.
My Understanding
Most logins use sessions, and when the session expires they have cookies containing your password (encrypted) and username. Right?
My Views
Placing a password in a cookie, even when encrypted, seems a bad idea: if I steal cookies from someone I can then log in, because the site checks for a session, then if there is no session it uses the cookie information to log me in. Right?
My Code
I was thinking about this while logging into my bank, and I had the idea of using part of the password just like they do.
I then had the idea of an access key: instead of using a password in a cookie, have another field in your MySQL table called "access_key" that contains a 32-character string, from which on login I can select 4 characters and place those in a cookie.
This is an example of my code:
<?php
// --- Data as stored in the MySQL users table (shown here as variables) ---
$id = 1;
$password = "098f6bcd4621d373cade4e832627b4f6"; // md5 of "test"
$username = "username";
$access_key = "";
// --- End of MySQL data ---

// ===== On login (login.php) =====
// Generate a fresh 32-character access key and UPDATE it into MySQL for this user.
$access_key = md5(rand(10000000, 90000000));
// Pick a random 4-character window of the key to hand out in the cookie.
$start = rand(0, 28);
$temp_key = substr($access_key, $start, 4); // 4 characters of the key starting at $start
$week = time() + 3600 * 24 * 7;
setcookie("User", $username, $week);
setcookie("Access_Key", $temp_key, $week);
setcookie("Access_Key_Start", $start, $week);
setcookie("Remember", "Yes", $week);
session_start();
$_SESSION['ID'] = $id;
$_SESSION['User'] = $username;
// ===== End of login =====

// ===== On index.php =====
session_start();
$week = time() + 3600 * 24 * 7;
if (!empty($_SESSION['ID'])) {
    echo 'Logged In';
}
if (empty($_SESSION['ID'])
    && isset($_COOKIE['Remember'], $_COOKIE['User'], $_COOKIE['Access_Key'], $_COOKIE['Access_Key_Start'])
    && $_COOKIE['Remember'] == "Yes") {
    // Query MySQL: SELECT id, username, access_key FROM users WHERE username = $_COOKIE['User']
    // $row holds that result; here it is filled from the variables above.
    $row = array('id' => $id, 'username' => $username, 'access_key' => $access_key);
    // Take the same 4-character window out of the stored key that the cookie claims to hold.
    $access_key = substr($row['access_key'], (int) $_COOKIE['Access_Key_Start'], 4);
    if (strcmp($access_key, $_COOKIE['Access_Key']) === 0) { // strcmp returns 0 when the strings match
        // Generate a new key and UPDATE it into MySQL, exactly as on login.
        $access_key = md5(rand(10000000, 90000000));
        $start = rand(0, 28);
        $temp_key = substr($access_key, $start, 4);
        $_SESSION['ID'] = $row['id'];
        $_SESSION['User'] = $row['username'];
        setcookie("Access_Key", $temp_key, $week);
        setcookie("Access_Key_Start", $start, $week);
        echo 'Re-Logged in';
    }
}
?>
So now I have 4 cookies and 1 session.
If a hacker steals the cookies they can log in as long as the real user's session hasn't expired and a new one been created; if this has happened the access key is different and worthless to the hacker.
So the main question is: do other sites do this? Looking through cookies I've found some sites have cookies called pw, pass or even password with encrypted passwords in. Also, is this the best way, or is there some other way sites do this?
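The post asks whether there is another way sites handle this. The scheme above keeps only 4 hex characters of the key in the cookie (65,536 possible values) and reads the start offset from a second cookie that the client controls, so very little secret material stands between a guessed cookie and a login. The common alternative is a long random token per device, stored only as a hash, compared in constant time and rotated on every use. The code below is an added example written for this page, not the poster's code: it replaces the MySQL table with an in-memory array (the table and column names "remember_tokens", "selector" and "validator_hash" are assumptions) and needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post: a "remember me" cookie that
// holds a long random token instead of the password or a 4-character key fragment.
// The cookie value is selector:validator. The store keeps only a SHA-256 hash of
// the validator, so a leaked table does not yield usable cookies. Each successful
// use deletes the token and issues a new one (rotation), which is the post's own
// idea of regenerating the key on re-login. Requires PHP 7.1+ (random_bytes, ?type).
// The MySQL table "remember_tokens" is simulated by the array $db (assumed schema).

const TOKEN_LIFETIME = 3600 * 24 * 7; // one week, the same lifetime the post uses

/** Create a token for $userId, store its hash, and return the cookie value. */
function issueRememberToken(array &$db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(6));   // 12 hex chars: public lookup key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars: the secret half
    $db[$selector] = array(
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + TOKEN_LIFETIME,
    );
    return $selector . ':' . $validator;
}

/**
 * Check a cookie value. Returns array('user_id' => ..., 'cookie' => <new value>)
 * on success, or null when the token is malformed, unknown, expired or wrong.
 */
function redeemRememberToken(array &$db, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    list($selector, $validator) = $parts;
    if (!isset($db[$selector])) {
        return null;
    }
    $row = $db[$selector];
    if ($row['expires'] < $now) {
        unset($db[$selector]);                 // expired: clean up
        return null;
    }
    // hash_equals runs in constant time; strcmp or == would leak how many
    // leading bytes matched through response timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($db[$selector]);                 // known selector, wrong secret: revoke it
        return null;
    }
    unset($db[$selector]);                     // single use: a replayed cookie fails
    return array(
        'user_id' => $row['user_id'],
        'cookie'  => issueRememberToken($db, $row['user_id'], $now),
    );
}

/** index.php flow: no session yet, so try the cookie. Returns the user id or null. */
function resumeFromCookie(array &$db, int $now): ?int
{
    if (empty($_COOKIE['remember'])) {
        return null;
    }
    $result = redeemRememberToken($db, (string) $_COOKIE['remember'], $now);
    // Path '/', no domain, Secure and HttpOnly so page scripts cannot read the cookie.
    if ($result === null) {
        setcookie('remember', '', $now - 3600, '/', '', true, true); // clear a bad cookie
        return null;
    }
    setcookie('remember', $result['cookie'], $now + TOKEN_LIFETIME, '/', '', true, true);
    return $result['user_id'];
}

// Self-check against the simulated store (runs from the command line, no web server).
$db  = array();
$now = time();
$cookie = issueRememberToken($db, 1, $now);              // set at login
$first  = redeemRememberToken($db, $cookie, $now + 60);  // later visit without a session
assert($first !== null && $first['user_id'] === 1);
$replay = redeemRememberToken($db, $cookie, $now + 120); // the old cookie, used again
assert($replay === null);
$late   = redeemRememberToken($db, $first['cookie'], $now + 61 + TOKEN_LIFETIME);
assert($late === null);                                  // past its expiry
echo "remember-me token checks passed\n";
```

In a real deployment `issueRememberToken` is called from the login handler after the password check (the cookie is set there with the same Secure and HttpOnly flags), `resumeFromCookie` runs on index.php only when `$_SESSION['ID']` is empty, and logging out deletes the user's rows from the store. Splitting the token into a selector and a validator means the database lookup uses a non-secret key, so the hash comparison is the only step that touches the secret.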