Safely store password and username in a cookie?
Posted: Sat Sep 27, 2008 8:16 am
Hi,
EDIT: Check my post below, the 3rd post..
http://forums.devnetwork.net/
$pass = hash('sha512', $pepper . $password . $salt);

arjan.top wrote:
so you want secure "auto-login"?

You got it :p

arjan.top wrote:
you could try salting it like password:
in the database write uniqid() at login
define $salt in php
then write hash of both in the cookie, that way access to database is not enough to "steal" autologin value
the problem is with matching cookie to user, you have to iterate over all users and hash the uniqid (maybe databases can do sha/md5 too, then it would be simpler)
EDIT: looks like mysql can do sha1 and md5

Hm...
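The scheme arjan.top sketches above (a per-login random value in the database, a server-side salt in PHP, and the hash of both in the cookie) spelled out in code. This is an added example, not code from the thread or from devnetwork.net, and it makes two changes of its own: random_bytes() stands in for uniqid() (assumption: PHP 7.0 or later), and the user id is sent alongside the hash so the server looks up one row instead of hashing every user's value to find a match. AUTOLOGIN_SALT, the $users array and the function names are all invented for the example.

```php
<?php
// Added example (not from the thread): remember-me cookie along the lines of
// arjan.top's scheme. random_bytes() replaces uniqid(); the user id rides along
// in the cookie so validation is a single lookup. PHP >= 7.0 assumed.

// Assumption: a long random secret defined in PHP config, never stored in the DB.
define('AUTOLOGIN_SALT', 'replace-me-with-32-random-bytes-from-the-OS');

// Stand-in for the users table, constructed for this example: user id => random value.
$users = [];

// Called after a successful password login. Returns the cookie value to set.
function autologin_issue(array &$users, int $userId): string
{
    $dbValue = bin2hex(random_bytes(32));        // 256 random bits, kept server-side
    $users[$userId] = $dbValue;
    // The cookie gets H(salt . value): someone who can read the table but not the
    // PHP config cannot produce a valid cookie.
    $cookieHash = hash('sha256', AUTOLOGIN_SALT . $dbValue);
    return $userId . ':' . $cookieHash;
}

// Called on a request that carries the cookie but no session. Returns the user id or null.
function autologin_check(array $users, string $cookie): ?int
{
    if (!preg_match('/^(\d{1,10}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                              // malformed: do not touch the DB
    }
    $userId = (int) $m[1];
    if (!isset($users[$userId])) {
        return null;
    }
    $expected = hash('sha256', AUTOLOGIN_SALT . $users[$userId]);
    // Constant-time comparison so response time does not leak how many leading
    // characters of the presented hash were right.
    return hash_equals($expected, $m[2]) ? $userId : null;
}

// On logout: dropping the DB value invalidates every cookie issued for that user.
function autologin_revoke(array &$users, int $userId): void
{
    unset($users[$userId]);
}

// Usage. The real setcookie() call should carry the secure and httponly flags
// so the value stays off plain HTTP and out of reach of page scripts.
$cookie = autologin_issue($users, 42);
// setcookie('autologin', $cookie, time() + 30 * 86400, '/', '', true, true);
var_dump(autologin_check($users, $cookie));
var_dump(autologin_check($users, '42:' . str_repeat('0', 64)));
autologin_revoke($users, 42);
var_dump(autologin_check($users, $cookie));
```

The first check returns the user id, the forged cookie and the post-revoke check return null. Note what this protects and what it does not: a dump of the users table alone is useless without the salt from the PHP config, but a stolen cookie logs the thief in until the value is revoked, and because there is one value per user, logging in from a second browser overwrites the first browser's cookie (a per-device row fixes that).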
arjan.top wrote:
1. why would you need it?
2. mt_rand() is better than rand(), but as I read not good enough for cryptography

Yup, mt_rand() is clearly not enough for cryptography. Do you have any ideas on generating as truly random a number as possible? There are lots of problems with mt_rand() if you blindly rely on it for creating secret values such as session ids, passwords, activation links or such.
I read Stefan Esser's blog about PHP and not so random numbers, here: http://www.suspekt.org/2008/08/17/mt_sr ... m-numbers/

Mordred wrote:
uniqid() should be fine, although I am not a cryptologist and don't know the details of its implementation on different systems. It is most certainly better than mt_rand and rand.

The post arjan.top already linked to has my explanation on why there's no sense in using longer hash functions in this case.
$rnd_value = '';
$gseed = '';

// Adapted from WordPress's wp_rand(): stretches one uniqid()/mt_rand() seed into
// 112 hex digits (md5 + sha1 + sha1) and hands them out 8 at a time. Every output
// is still derived from uniqid() and mt_rand(), so the hashing does not turn this
// into a cryptographic RNG.
function rand2($min = 0, $max = 0)
{
    // The globals must match the names used in the body ($rnd_value, not $rnd).
    global $rnd_value, $gseed;
    $seed = $gseed;
    // Reset $rnd_value after 14 uses
    // 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value
    if (strlen($rnd_value) < 8) {
        $rnd_value  = md5(uniqid(microtime() . mt_rand(), true) . $seed);
        $rnd_value .= sha1($rnd_value);
        $rnd_value .= sha1($rnd_value . $seed);
        $seed  = md5($seed . $rnd_value);
        $gseed = $seed;
    }
    // Take the first 8 hex digits (32 bits) for our value
    $value = substr($rnd_value, 0, 8);
    // Strip the first eight, leaving the remainder for the next call
    $rnd_value = substr($rnd_value, 8);
    $value = abs(hexdec($value));
    // Reduce the value to be within the min - max range
    // 4294967295 = 0xffffffff = max random number
    if ($max != 0)
        $value = $min + (($max - $min + 1) * ($value / (4294967295 + 1)));
    return abs(intval($value));
}

echo rand2();
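For the "as truly random a number as possible" question asked earlier in the thread, here is an added example (not code from the thread) of what rand2() above would look like if it drew from the operating system's CSPRNG instead of uniqid() and mt_rand(). It assumes PHP 7.0 or later for random_bytes() and a 64-bit build so a 32-bit unsigned draw fits in an int; on PHP 5 the same bytes can come from openssl_random_pseudo_bytes() or /dev/urandom. PHP 7's random_int() already does exactly this; the function is written out to show the range reduction that rand2() gets wrong.

```php
<?php
// Added example, not from the thread: CSPRNG-backed replacement for rand2().
// Assumptions: PHP >= 7.0 (random_bytes) and 64-bit integers.

// Unbiased integer in [$min, $max] by rejection sampling: draw 32 random bits,
// mask them down to the smallest power-of-two range covering the span, and throw
// the draw away if it lands outside. Scaling a 32-bit value by (span / 2^32), as
// rand2() does, makes some results more likely than others whenever the span does
// not divide 2^32 evenly.
function rand2_secure(int $min, int $max): int
{
    if ($max < $min) {
        throw new InvalidArgumentException('max must be >= min');
    }
    $span = $max - $min;                 // number of possible values, minus one
    if ($span === 0) {
        return $min;
    }
    if ($span > 0xFFFFFFFF) {
        throw new RangeException('span must fit in 32 bits');
    }
    // Build a mask of all ones up to the highest set bit of $span.
    $mask = $span;
    $mask |= $mask >> 1;
    $mask |= $mask >> 2;
    $mask |= $mask >> 4;
    $mask |= $mask >> 8;
    $mask |= $mask >> 16;
    do {
        // 'N' unpacks 4 bytes as an unsigned 32-bit big-endian integer.
        $draw = unpack('N', random_bytes(4))[1] & $mask;
    } while ($draw > $span);             // at most half the draws are rejected
    return $min + $draw;
}

// For session ids, activation links and similar secrets a hex token is what is
// actually wanted, not an integer: 16 bytes gives 128 bits of entropy.
function secure_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

echo rand2_secure(1, 6), "\n";           // a fair die roll
echo secure_token(), "\n";
```

The rejection loop is what keeps the distribution flat; the bias in rand2()'s multiply-and-truncate is small for a six-sided die but grows with the span and is the kind of defect that shows up once an attacker is sampling your session ids.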