0

When user logs in with remember me checked, I create a random token using md5 for the cookie. 

md5(uniqid(rand(), true));

I append users IP address to their unique user_id and hash that using bcript. (I DO NOT ADD THIS TO THE COOKIE) I store the bcript hash and random token that uses md5 along with their user id into a table. The row will have an auto increment value. The cookie contains the md5 and the auto increment value appended to it.

When the user visits the website, I take the auto increment value of the cookie to look up the md5 hash. If there is a match I hash the users IP address along with the user_id (that was stored in the table) and see if it matches the hash value stored in the same row. If it does they are logged in and I create another md5 hash for their cookie.

I know md5 isn't secure on its own, but I wondered if the extra steps I take with the brcript and IP address makes it safe, or anyone can see some massive security holes in this.

edit: I'll just add that when using Bcript for the ip and user_id, I'm using the php function password_hash that also creates a salt.

Zoe
  • 27,060
  • 21
  • 118
  • 148
  • Check this out: http://stackoverflow.com/questions/10369783/encrypting-users-ip-address-before-storing-it – Anees Saban Dec 19 '15 at 11:11
  • 1
    See: http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website and http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication - Also if you are using PHP 7, skip md5 and use `random_bytes()` for your token. – Leigh Dec 19 '15 at 11:34
  • Thank you @Leigh I have read that answer before. But the problem is that if someone stole the cookie with that information they could log in as someone else. –  Dec 19 '15 at 11:42
  • I can suggest you to create a secret keyword than hash with md-5 then hash the IP.Concatenate two string and then hash with md5 again.. –  Dec 19 '15 at 11:46
  • Why MD5 and not SHA256? MD5 really should not be used for new work. – zaph Dec 19 '15 at 14:16
  • I suggest you use HTTPS on your site if session hijacking is a big issue. – Andrea Dec 19 '15 at 15:05
  • @zaph Yes I I think will probably use SHA256. The original idea was because I'm using Bcrypt to store in the database, which is apparently quite slow, it might be best doing a quicker hash for the cookie. I think from what I can tell SHA256 is quicker than Bcrypt but safe than md5 so I'll give that a try. –  Dec 19 '15 at 15:21
  • (didn't realize pressing enter posts a comment) also having an md5 in a cookie might tempt hackers I suppose by looking unprofessional. –  Dec 19 '15 at 15:22
  • @Andrea I've no idea if it will be an issue or not yet. I've not made a website before. –  Dec 19 '15 at 15:23
  • https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2.1 – Scott Arciszewski Dec 20 '15 at 03:29
  • I'm voting to close this question as off-topic because the only real answer is "you're entering strange territory, don't use MD5". – Scott Arciszewski Sep 12 '18 at 19:58
  • Please don't make more work for other people by vandalizing your posts. By posting on the Stack Exchange (SE) network, you've granted a non-revocable right, under the [CC BY-SA 3.0 license](//creativecommons.org/licenses/by-sa/3.0), for SE to distribute that content (i.e. regardless of your future choices). By SE policy, the non-vandalized version of the post is the one which is distributed. Thus, any vandalism will be reverted. If you want to know more about deleting a post please see: [How does deleting work? ...](https://meta.stackexchange.com/q/5221/271271) – Makyen Oct 12 '18 at 18:19

0 Answers0