Web Hosting Talk

View Full Version : Cookies for login (PHP,MySQL)


Penguin
08-07-2003, 09:08 AM
Ok, I'm making this page. It shall have a user system, with all the members stored in a mysql database.

Question: for the login, I want to set a cookie on the client's machine, so he doesn't have to log in every time he visits the page.
But what should I store in the cookie?
I've seen someone store the md5 hash of the password, and the username.
Another guy made an md5 hash of the password, email, and username all together and stored it.
I've also heard that it's not safe to store the password in a cookie.
So what to do? Any ideas? (Also, what's a good way to check the client's cookie, when he visits the page.)

Thanks in advance.

ruler
08-07-2003, 09:18 AM
If you are using PHP, just use sessions. If you're using another language, I've made functions similar to what sessions do, specifically for C, using a "session id". Perhaps that should be your approach: make a "sessions" table with a randomly generated string, set it in the cookie, and have it linked back to the guy's account.

Penguin
08-07-2003, 09:40 AM
Yeah, PHP, as the topic implies.
But I want to store the data in a cookie, and not use session_start() etc.

ruler
08-07-2003, 09:59 AM
Oops... breezed through the part where he won't have to log in when he comes back... just use an md5 of the password then and compare.

Penguin
08-07-2003, 02:09 PM
Ok thanks, but I've heard that it's unsafe to store the password, hashed or not, in a cookie.
Well, are there any alternatives which I'm not aware of? Like, is it possible to do this _without_ storing the password? :)

ruler
08-07-2003, 02:39 PM
If the password is MD5 hashed, they could only "unhash" it if they knew the password.

User connects to website, sends hashed cookie.
Webserver connects to mysql, looking to match the MD5 with the one stored in the DB.

If success, logged in.
No success, delete cookie and logout.

If you are looking for a secure way to do this, I suggest you make your users log in every time. Either way, MD5 in cookie isn't terribly insecure.

Burhan
08-07-2003, 03:06 PM
Storing encrypted cookies is not a big security problem; however, if you are paranoid about that stuff, then like other people have suggested, store the information in a database.

If you are looking for some examples, try this excellent tutorial on Zend:

http://www.zend.com/zend/tut/authentication.php

hth