Password Security
Posted: Sat Nov 01, 2008 5:08 pm
What is the best way to store a username/password combination? Just setting the password as a cookie is a terrible idea, I know that. So my current system involves generating a random string (session id; SID for short) and storing it both client- and server-side. If they match, the user is authenticated. A new SID is generated on every login.
This is slightly more secure than the first method I mentioned, because the SID doesn't remain the same. But an attacker could still steal the username and SID cookies.
I'm thinking about implementing a system that stores a different SID for each username/IP combination. For instance: Bob, when logged in from 123.12.123.1, has the SID "8e34h9oi". When logged in from 234.23.234.2, he has "32ep54c1". This is still vulnerable to IP spoofing, though.
So what's the best way of doing this?
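The scheme the post describes (a random session ID issued on every login, stored on both sides, compared on each request, optionally bound to the client IP) in working form, as an added example that is not the poster's code. It assumes an in-memory dictionary as the server-side store and a hypothetical `SessionStore` class; the SID is drawn from the OS CSPRNG, stored server-side only as a hash so a leaked session table cannot be replayed, and expires after a period of inactivity. IP binding is a constructor option so both variants the post discusses can be tried:

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # seconds of inactivity before a session expires


class SessionStore:
    """Server side of the SID scheme; hypothetical class for this example."""

    def __init__(self, bind_ip=False):
        self.bind_ip = bind_ip
        self._sessions = {}  # hash(SID) -> {"user", "ip", "expires"}

    @staticmethod
    def _key(sid):
        # Only the hash of the SID is stored, so reading the table does not
        # yield usable cookies, and the dict lookup on the hash is not a
        # timing oracle for the SID itself.
        return hashlib.sha256(sid.encode("utf-8")).hexdigest()

    def login(self, username, client_ip, now=None):
        """Issue a fresh SID on every login and return the cookie value."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(sid)] = {
            "user": username,
            "ip": client_ip,
            "expires": now + SESSION_TTL,
        }
        return sid

    def authenticate(self, sid, client_ip, now=None):
        """Return the username for a valid SID, or None."""
        now = time.time() if now is None else now
        key = self._key(sid)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if now > rec["expires"]:
            del self._sessions[key]
            return None
        # Per-IP binding from the post: the SID is only good from the address
        # it was issued to. Constant-time compare avoids leaking the stored IP.
        if self.bind_ip and not hmac.compare_digest(rec["ip"], client_ip):
            return None
        rec["expires"] = now + SESSION_TTL  # sliding expiry on activity
        return rec["user"]

    def logout(self, sid):
        """Invalidate the session server-side; the cookie alone is then useless."""
        self._sessions.pop(self._key(sid), None)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps scripts from reading the SID,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed walkthrough with the addresses from the post.
    store = SessionStore(bind_ip=True)
    sid = store.login("Bob", "123.12.123.1")
    print(session_cookie(sid))
    print(store.authenticate(sid, "123.12.123.1"))  # Bob
    print(store.authenticate(sid, "234.23.234.2"))  # None: wrong IP
    store.logout(sid)
    print(store.authenticate(sid, "123.12.123.1"))  # None: logged out
```

Two points the post does not spell out: the random string has to come from a cryptographic generator (a short string like "8e34h9oi" from a non-cryptographic RNG is guessable), and a stolen cookie stays valid until the server forgets it, so server-side expiry and logout matter more than the SID format. IP binding does stop a plain cookie replay from another address, at the cost of breaking sessions for users behind rotating proxies or mobile carriers, which is why it is an option here rather than the default.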