Re: Storing password in cookie

On Saturday 09 April 2005 02:18, Computer Programmer wrote:
> What is a better way to store password in a cookie?
>
> md5()?
> base64_encode()?
> mhash()?
> mcrypt_generic()?
> crypt()?

It doesn't matter how you encrypt it.

DO NOT STORE PASSWORDS ON THE USER'S COMPUTER

I hope that's clear enough.

What you can do, and in fact I do for production sites, is when the user logs 
on, you create a unique identifier and make a hash from it using your 
favorite encryption method. (sha1, md5, crc32).  I like sha1.

Save that hash in a temporary table and link it to the user's ID.  Set an 
expiry date and extend that on each subsequent request.

Additionally you can save the IP number there as well.  But that can lead to 
issues if they are connected through a firewall, router, or proxy.

Think of it as assigning a temporary password, only it is transparent to the 
user.

Structure

Login
	Password Validated
		Create unique id
		save in connections table 
		set cookie with unique id and userid

Page Request
	Check for cookie
		lookup unique id in connections table
		id expired?  No -> User still logged in
	No Cookie
		Do Login

This way, you automatically log out users that are logging in on another 
computer.

Kind regards


Andy

-- 
Registered Linux User Number 379093
--
Feel free to check out these few
php utilities that I released under the GPL2 and 
that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
--

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

