
I use cookie to store user credentials. I have two questions:

1- Is hashing cookies necessary? Using for example md5

2- Should I store passwords with usernames or storing username is enough to authenticate the user?

2 Answers


Cookies can be edited by the user; as a penetration tester, I would say storing any user-specific data used for authentication is a bad idea.

The best way to store this is in sessions, that way it is server side and the data is only in the scope of that user/connection.

ddoor
  • Then how can I make use of the "remember me" button in the login? All of the sessions follow a specified expiration, while for "remember me" I need it to expire on close. –  Jan 03 '14 at 12:42
  • There a number of ways to do this. The best is probably to record the IP address and user-agent in a database. This thread looks most useful: http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website – ddoor Jan 03 '14 at 14:36
  • Basically what that says is store the hashed user_id in the cookie. So you don't expose the username or password, only a unique identifier to check when you load the form. – ddoor Jan 03 '14 at 14:37

Don't store credentials in cookies or sessions or anywhere other than as hashes in a database.

What you're supposed to use is a session id cookie. PHP creates one automatically when you call session_start. The session will contain all the data pertaining to identification of the user, like the user-id (you probably just need the user-id, nothing more).

Sessions are stored on the server, so they're tamper-safe.

Cookies are stored by the client so they're wholly unreliable. Use cookies for preference things like language selection or "yes I've seen your popup ad".


salt + md5 is not strong enough to store passwords. Use the built in PHP functions that deal specifically with passwords. See http://php.net/manual/en/function.password-hash.php for more info.

Halcyon
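The pattern both answers point at (server-side session holding only the user id, `password_hash()`/`password_verify()` for the password, and a "remember me" cookie that carries a random token rather than anything derived from the username or password), as an added example that is not from the question or either answer. The `$users` array and `$tokens` array are constructed stand-ins for database tables, and the `setcookie()` options array assumes PHP 7.3 or newer.

```php
<?php
// Added example. $users stands in for a users table; a real app would use PDO.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

session_start();

// Verify a submitted username/password against the stored password_hash() value.
function login(array $users, string $username, string $password): ?int {
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    session_regenerate_id(true);                     // new session id after login
    $_SESSION['user_id'] = $users[$username]['id'];  // only the id lives in the session
    return $users[$username]['id'];
}

// "Remember me": random selector + random validator. Only the hash of the
// validator is stored server-side, so a leaked token table cannot be replayed.
// $tokens stands in for a remember_me table keyed by selector.
function issueRememberMe(array &$tokens, int $userId): void {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 30 * 24 * 3600;
    $tokens[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $expires,
    ];
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Re-establish a session from the cookie; constant-time compare of the hash.
function resumeFromRememberMe(array &$tokens, string $cookie): ?int {
    [$selector, $validator] = array_pad(explode(':', $cookie, 2), 2, '');
    $row = $tokens[$selector] ?? null;
    if ($row === null || $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['user_id'];
    return $row['user_id'];
}
```

On logout, delete the selector's row and clear the cookie so the token cannot be reused.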