Web Hosting Talk

cookies and security


lucid
07-19-2005, 08:53 AM
Hi all.

What methods do you use when storing users login info with cookies to ensure they are not harvested by spyware and potentially used to login by malicious users?

Is there a way to generate a string that is unique to that machine then check it when the user logs back on?

Obviously using raw usernames and passwords is a bad idea but what other things should be considered?

Thanks, Rob.

maxymizer
07-19-2005, 09:52 AM
Store hashed passwords in the database and store that in a cookie. That's one possibility (although it could be improved, it might be considered somewhat secure).
After the user comes back to your site, just take that info from his cookie (ensure it's SQL safe first) and check it against the database.

lucid
07-19-2005, 03:24 PM
That's good for not letting a hacker have the password directly, but what stops them copying the cookie and then using it on a different machine?

maxymizer
07-19-2005, 05:08 PM
First, the only domain that can read the cookie is the one that set it (unless specified otherwise when setting the cookie).

And second, what prevents me from copying my WHT cookie and pasting it to my laptop? :)
Nothing.
Only thing you need to worry about is that cookie should contain hashed data that's difficult to amend to fit your system (guessing the hash so the attacker can login as someone else).

lucid
07-19-2005, 05:47 PM
How do you mean "contain hashed data"?

Sorry if this is a daft question...

R*

maxymizer
07-19-2005, 05:56 PM
Is there a way to generate a string that is unique to that machine then check it when the user logs back on?

A hash would correspond to what you have asked in that quote.

I presume that you know what a hash is. In case you don't - http://www.google.com/search?hl=en&q=define%3Ahash&btnG=Google+Search

When your users register, they usually choose a password. Most user systems store hashed versions in the database (using the SHA1 or MD5 algorithm).
That way no one knows what the actual user's password is (except the user himself).
That's why it can be considered "safe" to put that hashed password in a cookie, since the reversal process cannot be done (although that's another issue).

I hope this is somewhat more clear. If not I'll try to make it more understandable..

lucid
07-19-2005, 06:03 PM
I can see the point in encoding the password etc.

But what would stop me writing some spyware that harvests, say, amazon.com cookies, sends them to me and then lets me use them to access people's accounts?

2detailed
07-19-2005, 06:14 PM
What stops a user from taking their cookie and using it on another machine? Like above -- not much... Although perhaps you could do something like store their IP address in a cookie, and then match it up with their first IP address in the DB -- this is assuming "everyone" has static IPs... otherwise it could cause problems.

Other than that there is nothing.

maxymizer
07-19-2005, 06:41 PM
Originally posted by lucid
I can see the point in encoding the password etc.

But what would stop me writting some spyware that harvests, say, amazon.com cookies, send them to me and then letting me use them to access peoples accounts?

If you were to write spyware, why limit yourself to cookies? Why not search the history to see credit card numbers etc.?
As 2detailed said - you can increase security by binding users to 1 IP, but also - lots of people are on dialup and have their IP changed at every reconnect.
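The two schemes discussed in this thread, as an added example written for this page (not code from any of the posters): the hashed-password cookie that maxymizer describes, checked against the server-side user table, and the optional IP binding that 2detailed suggests, together with the failure modes the replies point out (a copied cookie validates from any machine; IP binding also locks out a user whose dialup address has changed). It goes one step beyond the thread by adding a per-login random token stored hashed on the server, which lets a stolen cookie be revoked without changing the password. The user record, the IP addresses and the `DB` dictionary are constructed stand-ins for a real users table; SHA-256 is used in place of the MD5/SHA1 the thread mentions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class UserRecord:
    """Constructed stand-in for one row of a users table."""
    password_hash: str                      # hex digest of the password, as in the thread
    ip_at_login: Optional[str] = None       # recorded when IP binding is used
    # remember-me tokens are stored hashed, so a copy of the table does not yield usable cookies
    remember_tokens: Dict[str, str] = field(default_factory=dict)   # token_hash -> ip at issue


def hash_password(password: str) -> str:
    # Unsalted, to model what the thread describes. SHA-256 replaces MD5/SHA1.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed in-memory "database". A real lookup would use a parameterised query,
# which is the "ensure it's SQL safe" step mentioned earlier in the thread.
DB: Dict[str, UserRecord] = {
    "rob": UserRecord(password_hash=hash_password("correct horse")),
}


def set_cookie_header(name: str, value: str) -> str:
    # HttpOnly keeps the cookie away from page scripts and Secure keeps it off plain
    # HTTP; neither stops malware on the client reading the browser's cookie store.
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


# --- Scheme 1: the cookie carries the hashed password (as described in the thread) ---

def make_password_hash_cookie(username: str, password: str) -> Dict[str, str]:
    return {"user": username, "auth": hash_password(password)}


def validate_password_hash_cookie(cookie: Dict[str, str], client_ip: str, bind_ip: bool = False) -> bool:
    rec = DB.get(cookie.get("user", ""))
    if rec is None:
        return False
    # constant-time comparison so the stored hash does not leak through timing
    if not hmac.compare_digest(rec.password_hash, cookie.get("auth", "")):
        return False
    if bind_ip and rec.ip_at_login != client_ip:
        return False
    return True


# --- Scheme 2: a random per-login token, stored hashed server-side, revocable ---

def issue_remember_token(username: str, client_ip: str) -> Dict[str, str]:
    token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    DB[username].remember_tokens[token_hash] = client_ip
    return {"user": username, "token": token}   # only the client ever holds the raw token


def validate_remember_token(cookie: Dict[str, str], client_ip: str, bind_ip: bool = False) -> bool:
    rec = DB.get(cookie.get("user", ""))
    if rec is None:
        return False
    token_hash = hashlib.sha256(cookie.get("token", "").encode()).hexdigest()
    issued_ip = rec.remember_tokens.get(token_hash)
    if issued_ip is None:
        return False                             # unknown or revoked token
    if bind_ip and issued_ip != client_ip:
        return False
    return True


def revoke_all_tokens(username: str) -> None:
    """Log the user out everywhere without touching the password."""
    DB[username].remember_tokens.clear()


def demo() -> Dict[str, bool]:
    """Walk through the situations raised in the thread; returns outcome flags."""
    home_ip, laptop_ip = "203.0.113.5", "198.51.100.9"   # constructed addresses
    DB["rob"].ip_at_login = home_ip
    results = {}

    pw_cookie = make_password_hash_cookie("rob", "correct horse")
    results["pw_cookie_same_ip"] = validate_password_hash_cookie(pw_cookie, home_ip)
    # the cookie copied to another machine is accepted unchanged (the thread's point)
    results["pw_cookie_copied"] = validate_password_hash_cookie(pw_cookie, laptop_ip)
    # IP binding rejects the copy, and equally a user whose address changed on reconnect
    results["pw_cookie_copied_ipbound"] = validate_password_hash_cookie(pw_cookie, laptop_ip, bind_ip=True)

    tok_cookie = issue_remember_token("rob", home_ip)
    results["token_copied"] = validate_remember_token(tok_cookie, laptop_ip)   # copy still works...
    revoke_all_tokens("rob")
    results["token_after_revoke"] = validate_remember_token(tok_cookie, home_ip)   # ...until revoked
    # the hashed-password cookie stays valid until the password itself is changed
    results["pw_cookie_after_revoke"] = validate_password_hash_cookie(pw_cookie, home_ip)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point the `demo()` flags make is the one the replies converge on: neither cookie form proves which machine it came from, so a copied cookie is accepted, and IP binding only helps for users with a fixed address. What the token variant adds is a way to invalidate a stolen cookie server-side, since the cookie then carries nothing derived from the password.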

lucid
07-19-2005, 07:14 PM
Thanks for the advice guys, you've confirmed what I thought.

Summing up, never store anything on a client's PC that has any real value.

I had a quick look at Amazon and even though you get a "personalised experience" you can't make an order based on logging in by cookies alone.

Thanks, R*

kailash
07-20-2005, 01:38 AM
The easiest thing to do is store the username in raw or encrypted form (two-way). The best thing to do with the password is md5() it. That is the safest and most widely used method.

And personally I don't think that a cookie stored with an encrypted username and password would do any harm.