0

Basically I have an SQL table with 3 values, username, password, and a cookie.

dog - cat - a8bfc7ec7a2b0ba10977fddd59fc403d

On login it checks if the username and password match, then it generates a random md5 hash, inserts it into the database then sets it as a cookie for the user.

Once using the site it will check if the cookie matches up with any in the database to verify they are logged in.

How secure is this system?

egoplant
  • 1
  • **Insecure**; your approach is fairly standard, and it would be secure, though unfortunately MD5 is a very weak algorithm, and can be easily cracked. Consider using something like SHA512 from JavaScript or `password_hash()` / `password_verify()` from PHP instead. – Obsidian Age Dec 10 '18 at 02:28
  • Possible duplicate of [Secure hash and salt for PHP passwords](https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – Obsidian Age Dec 10 '18 at 02:29
  • 1
    @ObsidianAge He said using a random md5 just as an ID to identify the client, he's not hashing the password. – Enrico Dias Dec 10 '18 at 03:02

1 Answers1

0

If I understand correctly, you are using a random md5 just as an ID to identify the client between requests without using his password. This is similar to a session cookie and will have similar security issues.

If you rely only on this cookie, anyone who steal the cookie will steal the user's account. You could extend the verification by fingerprinting the user, checking the user-agent and anything else that is unlikely to change between requests. Note that the IP may change. You could also still ask for the user's password before important actions, such as changing the user's email or password.

Note that it's not very difficult to access the user's cookies, even a browser extension can do it.

Enrico Dias
  • 1,417
  • 9
  • 21