4

I'd like to use the "cookie" session adapter from Lithium. After the user logs in I'll create a cookie with his hashed password. If this cookie is present and the hashed password matches the one from the db, I'll log him in automatically.

Is this safe?

ok, I'm not talking about having the actual hash in the cookie, but an encrypted hash. I don't want anyone to find out how that hash looks :) Lithium has "strategies" that encrypt any data that you store in sessions with a "secret", so the hash would be encrypted. Basically I'm asking if Lithium's encryption is good enough. Has anyone worked with Lithium?

Elfy
  • 1,733
  • 6
  • 19
  • 39

5 Answers5

3

It depends on your hashed algorithm. Use salt to make your hash more secure:
Safe Password Hashing and

Remember, the hash of the password is effectively the same as their password. Somebody who stole the hash would have the same access to the user's account as if they had stolen their password. Therefore it is not advisable to store a hash of the user's password in a cookie unless there was some other information not stored with the cookie that is used to authenticate (i.e. 2-factor authentication). Gabe in this Answer.

And also can checkout these links:
Is it advisable to store a hashed password in a cookie?
Secure hash and salt for PHP passwords

Community
  • 1
  • 1
Siamak Motlagh
  • 5,028
  • 7
  • 41
  • 65
1

Only if it is a combination of the hashed password AND his userid or username. The password alone can possibly exist multiple times and is therefore not unique. Usernames or ids are (normally) unique.

Zim84
  • 3,404
  • 2
  • 35
  • 40
1

No. This is definitely not safe. If you store a password hashed in a cookie, that hashed password will become essentially the same as the user's password. If someone else would obtain that cookie somehow, he could set that cookie in his own browser, and be authenticated as someone else.

kokx
  • 1,706
  • 13
  • 19
1

Lithium's Encrypt strategy uses bcrypt, which in practical terms, is pretty much the best thing out there (okay, except maybe scrypt, but let me know when PHP ships with it and I'll change my opinion).

In any case, it doesn't matter how strong your encryption is because, as others have said, if you're transmitting a hash of the password, you might as well be transmitting the password itself. I can't think of a reason you'd ever want to do this.

Nate Abele
  • 5,771
  • 32
  • 27
  • To keep the user logged in for a few days, if he checked the "remember me option" when he logged in – Elfy Jan 16 '13 at 11:48
  • Yeah, no, not valid. No matter what kind of scheme you're implementing (i.e. cookie-only login, which I do all the time, or remember me), you never, *ever* need to store the hash of the password itself in a cookie. – Nate Abele Jan 22 '13 at 14:07
1

No matter how you store the password (encrypted or not) if someones obtain it, there is a big possibility that someone access to your site as another person.

Joel García Verástica
  • 332
  • 4
  • 10