I use cookie to store user credentials. I have two questions:
1- Is hashing cookies necessary? Using for example md5
2- Should I store passwords with usernames or storing username is enough to authenticate the user?
Asked
Active
Viewed 2,219 times
2 Answers
4
Cookies can be edited by the user, as a penetration tested, I would say storing any user specific data used for authentication is a bad idea.
The best way to store this is in sessions, that way it is server side and the data is only in the scope of that user/connection.
ddoor
- 5,819
- 9
- 34
- 41
-
then how can I make use of "remember me" button in the login? All of the session follow a specified expiration; while for "remember me" i need to expire on close. – Jan 03 '14 at 12:42
-
There a number of ways to do this. The best is probably to record the IP address and user-agent in a database. This thread looks most useful: http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website – ddoor Jan 03 '14 at 14:36
-
Basically what that says is store the hashed user_id in the cookie. So you don't expose the username or password, only a unique identifier to check when you load the form. – ddoor Jan 03 '14 at 14:37
2
Don't store credentials in cookies or sessions or anywhere other than as hashes in a database.
What you're supposed to use is a session id cookie. PHP creates one automatically when you call session_start. The session will contain all the data pertaining to identification of the user, like the user-id (you probably just need the user-id, nothing more).
Sessions are stored on the server, so they're tamper-safe.
Cookies are stored by the client so they're wholly unreliable. Use cookies for preference things like language selection or "yes I've seen your popup ad".
salt + md5 is not strong enough to store passwords. Use the built in PHP functions that deal specifically with passwords. See http://php.net/manual/en/function.password-hash.php for more info.
Halcyon
- 57,230
- 10
- 89
- 128