4

Is there a relatively secure way to store the password in the browser cookie (for remembering the login information) without creating an extra column for a hash in the database? Thanks.

Jay
  • so if the cookie gets deleted, they lose their ability to authenticate? – jlmakes Mar 08 '11 at 13:13
  • 1
    hm, database would be better, but if you do it like adam said it´s tolerable... – Tobias Mar 08 '11 at 13:14
  • @Shango - Why would that happen? – Adam Hopkinson Mar 08 '11 at 13:14
  • 2
    The cookie will also have to be sent over https, otherwise someone could just authenticate with a replay attack – GordonM Mar 08 '11 at 13:16
  • @Shango: If a user wishes to remember his password, then I suppose I should store it in the cookie. Of course, if the cookie is deleted, the user would need to login again. – Jay Mar 08 '11 at 13:16
  • Storing passwords in session is nevertheless better than cookie. Besides, you save on bandwidth (storing in session does not require sending all information in the session; storing in cookie sends the data back and forth to the server). No matter how secure your password is in the cookie, it can be cracked. – mauris Mar 08 '11 at 13:22

4 Answers

10

You should never ever store plaintext or even decryptable passwords in your database unless you have generated them and the user cannot enter a custom one!

The most common way is storing the hash of the password in the cookie which is also in the database. However, this allows anyone to login by just knowing the hash - without access to the original password. So don't go that way even though it's obviously the easiest one.

A secure approach would be storing a random, unique "login hash" in the database and setting this hash plus the user's ID in the cookie. That would not only make the password hash useless for logging in but also allow you to create a "log out everywhere" feature.

ThiefMaster
5

Store a salted hash of the password in the cookie

```php
$salt = 'snfcikkfbnvekrew';             // fixed application-wide salt
$cookie_value = md5($salt . $password); // the salted hash goes in the cookie, never the password itself
```
Adam Hopkinson
  • and maybe hash the salted password twice or more times. – Tobias Mar 08 '11 at 13:14
  • And use a user-specific salt - although that would require another column in the db – Adam Hopkinson Mar 08 '11 at 13:15
  • 1
    I wouldn't say it's secure though ... granted, you won't be able to find out the password, but if someone gets their hands on the cookie, they're in through the door. Session IDs at least are context sensitive, time out, are made redundant ... this could last in perpetuity. – Jeff Parker Mar 08 '11 at 13:15
  • @#user-specific-salt: Not if you use the userid or his email address (usually people need to enter their password when changing the email address so updating the password hash would not be a problem in this case) – ThiefMaster Mar 08 '11 at 13:15
  • MD5 is no longer secure. Use SHA-256 instead – mauris Mar 08 '11 at 13:20
  • Or at least sha1 if you don't want to rely on mhash being available. – ThiefMaster Mar 08 '11 at 13:22
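The two approaches above side by side, as an added example that is not code from either answer (written in Python rather than the PHP of the snippet, since the scheme is language-independent): `static_password_cookie` is the salted-hash idea from this answer (SHA-256 instead of MD5, as the comments suggest), and the rest is the random "login hash" scheme ThiefMaster's answer describes. The in-memory `_login_tokens` dict, the 30-day `REMEMBER_ME_TTL`, the `user_id:token` cookie layout and the sample user id 7 are all assumptions made for the example; a real application would back this with a database table of (user_id, token_hash, expires).

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Added example, not code from the answers above.
# Constructed in-memory stand-in for a login_tokens table keyed by user id;
# a real application would use a database table (user_id, token_hash, expires).
_login_tokens: Dict[int, List[dict]] = {}

REMEMBER_ME_TTL = 30 * 24 * 3600  # assumed policy: remembered logins live 30 days


def static_password_cookie(password: str, salt: str = "snfcikkfbnvekrew") -> str:
    """The salted-hash approach from this answer (SHA-256 in place of MD5).
    The value is identical on every login and never expires, so whoever holds
    the cookie can present it until the user changes the password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def _token_hash(token: str) -> str:
    # Store only a hash of the token so a leaked table cannot be turned into cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_me_cookie(user_id: int, now: Optional[float] = None) -> str:
    """Create a fresh random login token for user_id, persist its hash and
    expiry, and return the cookie value "user_id:token"."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unrelated to the password
    _login_tokens.setdefault(user_id, []).append(
        {"token_hash": _token_hash(token), "expires": now + REMEMBER_ME_TTL}
    )
    return f"{user_id}:{token}"


def user_from_cookie(cookie: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the cookie carries a live token for that user, else None."""
    now = time.time() if now is None else now
    try:
        uid_str, token = cookie.split(":", 1)
        user_id = int(uid_str)
    except ValueError:
        return None  # malformed cookie
    candidate = _token_hash(token)
    for rec in _login_tokens.get(user_id, []):
        # constant-time comparison so timing does not reveal how much of the hash matched
        if rec["expires"] > now and hmac.compare_digest(rec["token_hash"], candidate):
            return user_id
    return None


def logout_everywhere(user_id: int) -> int:
    """Revoke every remembered login for a user; returns how many were revoked.
    This is the "log out everywhere" feature the static hash cannot offer."""
    return len(_login_tokens.pop(user_id, []))


if __name__ == "__main__":
    cookie = issue_remember_me_cookie(7)
    print("cookie:", cookie)
    print("user:", user_from_cookie(cookie))
    print("revoked:", logout_everywhere(7))
    print("after logout:", user_from_cookie(cookie))
```

Because the database holds only the token's hash and each login mints a new token, neither a leaked password hash nor a leaked token table lets anyone log in, and dropping a user's rows ends every remembered session at once. Transport still matters: the cookie should be sent with the Secure and HttpOnly flags, as the comment about HTTPS above points out.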
2

Storing the password, or a representation of the password in a cookie is a very bad idea. Granted, you can protect the cookie so that reading the password isn't possible, but if the cookie is intercepted, someone else can set that cookie, giving them the full permissions of the previous user up until the point that that password is changed.

With direct machine access, it would be possible to steal the cookie even if HTTPS were used, and then steal a person's full access even without knowing the password value, again, until they change that password.

It may be possible to do it securely via some obscure method of time specific hashing, but my recommendation is not to do it at all. Use sessions instead, and try to store an internal identifier rather than an external one. If a session is compromised, the consequences are still serious, but generally less so as the session will expire, and sessions lend themselves well to other forms of security (IP lockdown, request sequencing, etc).

Jeff Parker
0

Short answer: never store passwords in cookies or, if unsalted, anywhere. Don't. In your scenario JSON web tokens (JWT) could be used to store authorization on the client side.

andig