0

How would I properly write a script to set cookies to remember a user's username and password upon checking a checkbox on the login form?

Also, if this could be done in PHP please let me know.

1
  • 1
    Maybe remember the username, but not the password. You don't need to store the password anywhere but in your user table on your server, and even then it needs to be hashed using a strong hashing algorithm (minimum, sha1). Commented Jun 11, 2011 at 22:50

4 Answers

2

The best approach to store password remembering stuff is storing it as md5 hashes along with some browser-specific data. For example, you store a string such as

username-4155b1b6e53ad73e06c4c58e709cdeea19915ea84de517500d9ba3280e27cf59 

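For example, you could generate this string in PHP like this:

$http_user_agent = $_SERVER['HTTP_USER_AGENT']; // browser-specific data from the request
$string = $username . '-' . md5(substr($http_user_agent, 5, 10)) . md5($password) . md5(substr($http_user_agent, 0, 10));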

Our objective is making our string sufficiently complex. In the login stage, we extract the password md5 with a method that only we know.

$somearray = explode('-', $string);
$username = $somearray[0];
// strip both user-agent hashes from the part after the username, leaving md5($password)
$passwordmd5 = str_replace(md5(substr($http_user_agent, 0, 10)), '', str_replace(md5(substr($http_user_agent, 5, 10)), '', $somearray[1]));

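and now we can do the comparison in our database like this:

-- bind :username and :passwordmd5 as prepared-statement parameters; never interpolate cookie data into the query
select * from users where username = :username and md5(password) = :passwordmd5;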

The HTTP user agent stuff eliminates a bit of the risk of unauthorized usage of the cookie string. Even if an unauthorized person steals the cookie, (s)he cannot use it with another browser. If we had not done so, someone who has the same string could behave as if he has the password and could log in as our real user.


0

In PHP, set a cookie with the session information (username, password) by copying the appropriate values from $_SESSION into $_COOKIE using set_cookie. When the user visits a page, check first for the existence of $_SESSION variables, then for $_COOKIE variables. If the $_COOKIE variables exist but the $_SESSION ones don't, copy from $_COOKIE into $_SESSION. (That is, if the user checks the box.)

8 Comments

If there is a session setup, the only thing the cookie should do is point to a saved (in DB) session that can be re-initialized. I disagree the client needs the username and password saved in a cookie at all. And the session doesn't need the password saved in it, either, IMO.
@Jared Farrish: Not the password, password hash. And that's a matter of security, it doesn't change the way you would do it.
Fair enough. It's worth pointing out it's bad practice and unnecessary with sessions. :)
set_cookie() won't change $_COOKIE either. That superglobal is populated at script start-up and then is not touched by PHP again for the life of the script. Changes to cookies done via set_cookie() won't appear until the NEXT script invocation when the superglobal is rebuilt.
@Marc B: ... so? The next time they visit a page will result in another script invocation...
0

You could do as suggested by @minitech above. However, storing password information in a cookie is not a good idea. It can easily be extracted from the computer.

You are better off generating a one-time hash that can be used to log in once and storing that in a cookie. Once it's used, it's invalidated. While it's not perfectly secure (about as secure as a session anyway; force https if you want it to be more secure), it does not compromise the user's password.

Users often use the same password on multiple sites. If it's compromised on one site, it's easier to get into that user's accounts on other sites.
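
The one-time login token described in the answer above, as an added example that is not part of the original answer. The in-memory `$store` array, the function names and the `selector:validator` cookie layout are assumptions made for illustration; a real site would keep the rows in a database table.

```php
<?php
// Added example: one-time "remember me" token. $store is a hypothetical
// stand-in for a database table (selector => [user, token hash, expiry]).
$store = [];

// Issue a fresh token for $user; returns the value to place in the cookie.
function issueRememberToken(array &$store, string $user, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, only its hash is stored
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Redeem a cookie value once. Returns [user, replacement cookie] or null.
function redeemRememberToken(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]);                // invalidate on first use, valid or not
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    return [$row['user'], issueRememberToken($store, $row['user'])];
}

// Constructed demo. In a real page the value would be sent with e.g.
// setcookie('remember', $cookie, ['expires' => time() + 1209600, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$cookie = issueRememberToken($store, 'alice');
$first  = redeemRememberToken($store, $cookie);
$replay = redeemRememberToken($store, $cookie);
var_dump($first[0]);                                  // user the token was issued for
var_dump($replay === null);                           // replaying the same cookie fails
var_dump(redeemRememberToken($store, $first[1])[0]);  // the rotated token works once
```

The cookie never contains the password or anything derived from it, so a stolen cookie exposes at most one login on this site.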


0
$somearray = explode('-', $string);
$username = $somearray[0];
// strip both user-agent hashes from the part after the username, leaving md5($password)
$passwordmd5 = str_replace(md5(substr($http_user_agent, 0, 10)), '', str_replace(md5(substr($http_user_agent, 5, 10)), '', $somearray[1]));
