Remembering Logins [message #3006] Thu, 11 February 2010 06:54
vash
Messages: 2
Registered: August 2009
Shiny and New
My next thorny problem is one that seems to have caused some problems for a number of people, but it really can't be too hard. Trouble is, I just can't quite get my head around it!

The concept is simple: a user initially registers and logs in to a site - no problem. Now, a week later (say), they return to the site and should automatically be logged in.

Now, I've set session timeouts loosely to 24 hours; however, persistent cookies would seem to be the way forward here... or are they?

Let's assume I just set a cookie once the user has logged in - which is basically md5( <a random number> ), which I also store in the database.

Now when the user returns, I can see if that cookie exists, look it up in the DB... job done.

This doesn't sound right to me. For one, it would allow the cookie to be modified and, with some luck, it becomes possible to login as somebody else.

So next idea, store two values: md5( <a random number> ) and md5( <the previously calculated hash>, <the user id> ).

Now we can perform a stricter check to ensure the hash AND the user ID match; however, it's still possible to modify both of these values and login as somebody else.

Okay, but by using good hashing (sha256) and salting (1024-byte-plus blocks), modifying these values is not going to be an option; however, I still think it's not quite strong enough.

Of course, the hash could lock in the browser UA string (considering if they change browsers the cookies would be different; however, upgrading the browser would cause a fail as well - though this may not be a problem), or perhaps lock the IP address (but as we know - once somebody sits behind a proxy, PHP has no clue what the real IP address is).

So I'm interested in people's thoughts on how this could be resolved - ideally ensuring some form of security, without sacrificing usability.

[Updated on: Thu, 11 February 2010 06:55]
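One way to build the "remember me" cookie the post is asking about, as an added example that is not vash's code or anything from this forum: a random selector for the database lookup plus a random validator whose SHA-256 hash (not the value) is stored, compared with hash_equals on return. It assumes PHP 7.1+ with pdo_sqlite and uses an in-memory database in place of the site's own users table.

```php
<?php
// Split-token persistent login: the cookie holds "selector:validator". Only the
// hash of the validator is stored, so a leaked table cannot be replayed as a
// cookie, and looking up by selector keeps the secret half out of the SQL path.
// Assumption: in-memory SQLite stands in for the site's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
           user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');

// Issue a token for $userId after a successful password login; returns the cookie value.
function issueRememberToken(PDO $db, int $userId, int $ttl = 7 * 86400): string {
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret half, never stored in clear
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Check a returning cookie; returns the user id on success, null otherwise.
function verifyRememberToken(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie: treat as not logged in
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null; // unknown selector or expired token
    }
    // Constant-time comparison so the validator cannot be guessed byte by byte.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Selector matched but the secret did not: tampering or theft, revoke the row.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Demo with a constructed user id 42: login sets the cookie, a later visit presents it.
$cookie = issueRememberToken($db, 42);
if (PHP_SAPI !== 'cli') {
    setcookie('remember', $cookie, ['expires' => time() + 7 * 86400, 'path' => '/',
              'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
var_dump(verifyRememberToken($db, $cookie));                       // genuine cookie
$forged = explode(':', $cookie)[0] . ':' . str_repeat('0', 64);
var_dump(verifyRememberToken($db, $forged));                       // same selector, wrong validator
```

Because the validator is 256 random bits, the user id and the UA or IP string do not need to be folded into the hash; the remaining risk is cookie theft, which the HttpOnly and Secure flags and a per-use token rotation reduce.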