I use a cookie to store user credentials. I have two questions:
1- Is hashing cookies necessary, using for example md5?
2- Should I store passwords with usernames, or is storing the username enough to authenticate the user?
Cookies can be edited by the user; as a penetration tester, I would say storing any user-specific data used for authentication is a bad idea.
The best way to store this is in sessions, that way it is server side and the data is only in the scope of that user/connection.
Don't store credentials in cookies or sessions or anywhere other than as hashes in a database.
What you're supposed to use is a session id cookie. PHP creates one automatically when you call session_start. The session will contain all the data pertaining to identification of the user, like the user-id (you probably just need the user-id, nothing more).
Sessions are stored on the server, so they're tamper-safe.
Cookies are stored by the client so they're wholly unreliable. Use cookies for preference things like language selection or "yes I've seen your popup ad".
salt + md5 is not strong enough to store passwords. Use the built-in PHP functions that deal specifically with passwords. See http://php.net/manual/en/function.password-hash.php for more info.
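Putting the two answers above together (session id cookie with the user-id kept server-side, and password_hash instead of salt + md5), here is an added example login flow in PHP. It is not code from any of the posters; it assumes a PDO connection `$pdo` and a hypothetical table `users(id, username, password_hash)` whose hash column was written with `password_hash()`.

```php
<?php
// Added example, not from the original answers. The browser only ever holds
// the session id cookie; the user id lives server-side in $_SESSION and the
// password exists in the database only as a password_hash() digest.
// Assumed (hypothetical): PDO connection $pdo, table users(id, username, password_hash).

declare(strict_types=1);

// Harden the session id cookie before session_start() creates it (array form needs PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,       // expires when the browser session ends
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Registration: store only the hash, never the plaintext password. */
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt by default, salted internally
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

/** Login: verify against the stored hash and keep only the user id in the session. */
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;   // unknown user or wrong password; say nothing more to the client
    }

    // Issue a fresh session id on login so a pre-login id cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];

    // Transparently upgrade hashes created with an older algorithm or cost.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
            ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

/** Later requests: identity comes from the server-side session, never from cookie contents. */
function currentUserId(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

/** Logout: clear the server-side data and invalidate the session id. */
function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}
```

Nothing about the user is written into the cookie itself, so there is nothing for the client to tamper with or hash; hashing the cookie (the original question) becomes moot, and the username and password never leave the server side except as the one-way `password_hash()` digest in the database.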