  1. #1
    SitePoint Addict

    What do you store in "remember me" cookies?

    Hey guys,

    Implementing a cookie to remember a user once they've logged into a site, via a "remember me" checkbox or similar, is simple enough, but what do you actually STORE in that cookie? I've seen a few examples: some people store a hash of the username and/or a random number; others suggest storing the user's IP in the database and checking that instead.

    I was thinking that every time a user logs in, they get a random number assigned to them in the database, similar to a session ID. This is stored on their computer in a cookie, and on loading the page, if the cookie exists on their computer, the user is automatically logged in and gets a new random number in the appropriate DB table...

    ... how do you guys do it?

  2. #2
    SitePoint Addict (ionix5891)
    A one-way hash of the password hash and the user ID.

  3. #3
    logic_earth
    I store a token, similar to the session ID, which is generated randomly and stored in the database. There is no need to ever put the user's password in a cookie even if hashed or encrypted. Tokens are cleaned up after lack of activity from the users, etc.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  4. #4
    felgall
    The only thing you should ever store in a remember me cookie is the token that matches the one stored in the database record on the server that contains the rest of their data.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  5. #5
    SitePoint Addict (ionix5891)
    Quote (originally posted by logic_earth):
        I store a token, similar to the session ID, which is generated randomly and stored in the database. There is no need to ever put the user's password in a cookie even if hashed or encrypted. Tokens are cleaned up after lack of activity from the users, etc.
    Why not? It's a one-way hash of the user's one-way password hash stored in the database.

    Try to break that one...

  6. #6
    SitePoint Guru
    One-way hashes can be cracked, especially if you use a common one like MD5 or SHA-1. All it takes is a rainbow table and some time.
    MySQL v5.1.58
    PHP v5.3.6

  7. #7
    SitePoint Zealot (Peter Goodman)
    Usually I store the md5 of a uniqid() call with rand() and whatnot (see the PHP manual). I also store this hash in the database and validate auto-logins against it.

  8. #8
    felgall
    Quote (originally posted by Peter Goodman):
        Usually I store the md5 of a uniqid() call with rand() and whatnot (see the PHP manual). I also store this hash in the database and validate auto-logins against it.
    That is basically a description of how to generate a decent token.

  9. #9
    SitePoint Enthusiast
    Use a keyed hash:
    http://de3.php.net/manual/en/function.hash-hmac.php

    Don't put the password in the token; use a unique identifier
    like the username.

  10. #10
    chestertondevelopment
    Quote (originally posted by ionix5891):
        Why not? It's a one-way hash of the user's one-way password hash stored in the database.

        Try to break that one...
    Well, a hash of a hash is not actually weaker than just a hash, but let's not go into the technicalities of hashing. I don't see any reason to hash any user data; why add a dependency on user data when you can just randomly generate a hash using uniqid and md5?

  11. #11
    SitePoint Addict (ionix5891)
    Quote (originally posted by chestertondevelopment):
        Well, a hash of a hash is not actually weaker than just a hash, but let's not go into the technicalities of hashing. I don't see any reason to hash any user data; why add a dependency on user data when you can just randomly generate a hash using uniqid and md5?
    This way, if the password is changed on the account, the user is not kept logged in...

  12. #12
    logic_earth
    Quote (originally posted by ionix5891):
        This way, if the password is changed on the account, the user is not kept logged in...
    And you can delete the token once they change password just as easily. I actually force the user to log in, or rather force resubmitting credentials, when they try to change account details.
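    The random-token scheme the thread converges on (a DB-backed token as in #3/#4, rotated on every auto-login as #1 proposes, expired after inactivity as in #3, and deleted on password change as in #12), written out as an added example that is not code from the thread or from any poster. It swaps the md5(uniqid() . rand()) recipe of #7 for random_bytes(), stores only a hash of the token server-side, and uses an in-memory SQLite table whose name and columns are my own assumptions.

```php
<?php
// Added example, not code from the thread: the random-token "remember me" scheme of
// posts #3/#4, rotated on each auto-login (#1), expired after inactivity (#3) and
// wiped on password change (#12). SQLite in memory and the table/column names are
// my own assumptions so that the script runs stand-alone.
declare(strict_types=1);
const TOKEN_TTL = 30 * 24 * 3600;   // assumed policy: unused for 30 days => dropped

function dbSetup(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only a SHA-256 of the cookie value is stored: a leaked row is not a usable cookie.
    $db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY,
               user_id INTEGER NOT NULL, last_used INTEGER NOT NULL)');
    return $db;
}
// 32 CSPRNG bytes rather than md5(uniqid() . rand()); nothing derived from the
// password, so the cookie reveals nothing about the credential.
function issueToken(PDO $db, int $userId, int $now): string {
    $raw = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)')
       ->execute([hash('sha256', $raw), $userId, $now]);
    return $raw;
}
// Auto-login: returns [userId, replacementToken] or null. The presented token is
// consumed, so a copied cookie works at most once before the two copies diverge.
function redeemToken(PDO $db, string $cookieValue, int $now): ?array {
    $db->prepare('DELETE FROM remember_tokens WHERE last_used < ?')
       ->execute([$now - TOKEN_TTL]);                  // inactivity cleanup (#3)
    $h = hash('sha256', $cookieValue);
    $stmt = $db->prepare('SELECT user_id FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([$h]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;                                   // unknown, expired or already used
    }
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$h]);
    return [(int) $userId, issueToken($db, (int) $userId, $now)];
}
// Password change or "log out everywhere": every token for the user dies (#12).
function revokeAllTokens(PDO $db, int $userId): void {
    $db->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
}
// The cookie carries only the opaque token, flagged so page scripts cannot read it.
function sendRememberCookie(string $raw): void {
    setcookie('remember_me', $raw, ['expires' => time() + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
```

    Requires PHP 7.3 or later for the array form of setcookie(). Redeeming the same cookie value a second time returns null, which is the signal a defender wants to log: either the user's cookie was copied or two browsers are racing on a stale token.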


  13. #13
    SitePoint Addict (ionix5891)
    I do that too; it doesn't mean they haven't visited your site from another PC or browser.

    Anyway, there's no point arguing here, since experienced opinion doesn't matter around here.

    I need to get back to running my multimillion-page-view-a-day sites and writing my master's thesis.

  14. #14
    logic_earth
    There is nothing wrong with your method or what you do; I just don't personally agree with it. As such, I offered my own solution. Nothing against you personally, please don't take it as such.


  15. #15
    SitePoint Enthusiast

