  1. #1
    SitePoint Addict
    Join Date
    Jan 2008
    Location
    Palm Harbor, FL
    Posts
    348
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Setting an encrypted password cookie

    If passwords are stored in a user database as encrypted strings, using the crypt() function,
    should passwords be stored in cookies as the encrypted strings from the database,
    or is this a security flaw of some sort?

  2. #2
    SitePoint Wizard
    Join Date
    Oct 2005
    Posts
    1,832
    Mentioned
    5 Post(s)
    Tagged
    1 Thread(s)
    Passwords are never stored in cookies encrypted or not. That would be a huge security flaw.

    Create a unique user ID (32 randomly generated characters or more), store that ID in the cookie with a corresponding entry in a database with which to determine the user's ID and other access privileges.

  3. #3
    SitePoint Addict
    Join Date
    Jan 2008
    Location
    Palm Harbor, FL
    Posts
    348
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ok, thanks.

  4. #4
    SitePoint Guru bronze trophy
    Join Date
    Dec 2003
    Location
    Poland
    Posts
    930
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Quote: Originally Posted by cheesedude
    Create a unique user ID (32 randomly generated characters or more), store that ID in the cookie with a corresponding entry in a database with which to determine the user's ID and other access privileges.
    I find it easier to simply store the session_id in the cookie and then use $_SESSION to store the user's ID, then there's no need to create an entry in the database to match the user (unless you store sessions in the db but that's another subject).

    I don't store the password in the session. However, sometimes I choose to store the hash of the password in the session (actually, it's a hash of what is stored in the database so it's a hash of a hash of the password). Then I use this hash on every page request to check if the password the user used to log in with is still valid. In this way if the password is changed - either by the user or directly in the database by an admin - then all sessions of this user are immediately invalidated so it's good for security.

  5. #5
    SitePoint Addict
    Join Date
    Jan 2008
    Location
    Palm Harbor, FL
    Posts
    348
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote: Originally Posted by Lemon Juice
    I find it easier to simply store the session_id in the cookie and then use $_SESSION to store the user's ID, then there's no need to create an entry in the database to match the user (unless you store sessions in the db but that's another subject).

    I don't store the password in the session. However, sometimes I choose to store the hash of the password in the session (actually, it's a hash of what is stored in the database so it's a hash of a hash of the password). Then I use this hash on every page request to check if the password the user used to log in with is still valid. In this way if the password is changed - either by the user or directly in the database by an admin - then all sessions of this user are immediately invalidated so it's good for security.
    That's a good idea. I hadn't considered the scenario of a password change during active sessions. Although, I am curious why you re-hash the already-encrypted password in the session variable.

  6. #6
    SitePoint Guru bronze trophy
    Join Date
    Dec 2003
    Location
    Poland
    Posts
    930
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Quote: Originally Posted by Morthian
    That's a good idea. I hadn't considered the scenario of a password change during active sessions. Although, I am curious why you re-hash the already-encrypted password in the session variable.
    You are right, technically the password in the db is already hashed so re-hashing is not necessary. I think I'm a bit too paranoid about security in this case, and a simple md5 or sha1 is very cheap, so I do it.

  7. #7
    SitePoint Addict
    Join Date
    Jan 2008
    Location
    Palm Harbor, FL
    Posts
    348
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote: Originally Posted by Lemon Juice
    You are right, technically the password in the db is already hashed so re-hashing is not necessary. I think I'm a bit too paranoid about security in this case, and a simple md5 or sha1 is very cheap, so I do it.
    Okay, I figured that was probably the case, but I can definitely relate.
    Thanks for the advice. =)
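
The session approach from post #4, as an added example that is not part of the original thread and not any poster's code: the cookie carries only the session ID, the session holds the user ID plus a fingerprint of the stored password hash, and every request re-checks that fingerprint so a password change ends existing logins. Assumptions: the in-memory `$users` array stands in for the user table, and the function names, the SHA-256 fingerprint and the use of `password_hash()`/`password_verify()` are this example's own choices.

```php
<?php
// Constructed in-memory user table standing in for the database (sample data).
$users = [7 => ['name' => 'alice', 'pw_hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];

// Fingerprint of the stored hash: the "hash of a hash" kept in the session.
// (Hypothetical helper; SHA-256 is this example's choice.)
function pw_fingerprint(string $storedHash): string {
    return hash('sha256', $storedHash);
}

// Log in: verify the password, then keep only the user ID and the fingerprint.
// Neither the password nor the stored hash itself goes into the session or a cookie.
function login(array $users, int $uid, string $password): bool {
    if (!isset($users[$uid]) || !password_verify($password, $users[$uid]['pw_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a fresh session ID at login (web requests)
    }
    $_SESSION['uid'] = $uid;
    $_SESSION['pw_fp'] = pw_fingerprint($users[$uid]['pw_hash']);
    return true;
}

// Run on every request: the login stays valid only while the stored hash is unchanged.
function current_user(array $users): ?int {
    $uid = $_SESSION['uid'] ?? null;
    $fp = $_SESSION['pw_fp'] ?? '';
    if ($uid === null || !isset($users[$uid])
        || !hash_equals(pw_fingerprint($users[$uid]['pw_hash']), $fp)) {
        $_SESSION = []; // drop the stale login
        return null;
    }
    return $uid;
}

// Demo with constructed values; in a web request session_start() would come first.
$_SESSION = [];
var_dump(login($users, 7, 'old-secret'));
var_dump(current_user($users));
// Password changed by the user or an admin: the stored hash is replaced.
$users[7]['pw_hash'] = password_hash('new-secret', PASSWORD_DEFAULT);
var_dump(current_user($users));
```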

