0
    if (strtolower($userDetail["username"]) == strtolower($username) && 
        $userDetail["password"] == hash("sha256", $password . $userDetail["salt"])) {       
        if ($remember == "true") { // Remember Me
            setcookie("logged", "$username", time()+60*60*24*365); // 1 Year
        } else {    
            setcookie("logged", "$username", time()+43200); // 12 Hours
        }
        header("Location: " . getenv("HTTP_REFERER"));
        die();
    } else {
        echo "Invalid login.";
    }

I'm trying to make the best possible login I possibly can. The major problem I'm seeing here is cookies. I'm no expert when it comes to this, so here are my main questions:

  1. What should I be setting my cookie as so someone can not easily duplicate the cookie?
  2. Should I be including the salt into the cookie?
  3. I've heard about tokens in addition to salts and having them change all the time. How is this supposed to work?

And I'm wondering if this call for my cookie above is even valid? What's the right way to be doing this?

$loginCheck = $_COOKIE["logged"];
if (isset($loginCheck)) {
    // logged in
}
Jake Feasel
  • 16,785
  • 5
  • 53
  • 66
Aaron
  • 1,956
  • 5
  • 34
  • 56
  • be careful here: setcookie('logged', $username, time()+43200). Don't use unnecessary double quotes – aletzo Dec 29 '11 at 19:26
  • Check this out : http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication – piotrekkr Dec 29 '11 at 19:32
  • Is providing a valid *logged* cookie the only thing a client needs to do to be considered as logged in? – Gumbo Dec 29 '11 at 19:35

2 Answers2

1

I like to leave the username intact, and have another cookie set as sha1(salt . user . pass)

For instance:

user=Truth
uid=6cb8d1e35e5982a8ef738a8583a5d98d6fe2c484

And then compare using the first cookie, against the database and the known hash.

The way you're doing it at the moment, anyone can copy a cookie and log in with anyone without even knowing their passwords. Just set

logged=Admin expires Jan 1st 5000

And you're good to go. Once you have this second cookie to compare against, you're much safer.

As for the third question, yes, you can even shorten it to:

if (isset($_COOKIE["logged"])) {

But as I stated, you should move to the more secure format I've shown.

See this Absolutely EPIC Tutorial on net.tutsplus.com for more on the subject.

Madara's Ghost
  • 172,118
  • 50
  • 264
  • 308
0

I would recommend using a uniqid which is stored on the customer record and then when you validate that the customer has successfully logged in set the cookie with the uniqid from their customer record. This way no one should be able to replicate the cookie. You could also prefix the cookie value with something if you want to ensure it's safe.

I think incorporating the user's password into the cookie is a dangerous idea as people tend to use the same password on other sites and even though it's encrypted in my opinion it's still dangerous. Using a value unrelated to the customer's information I feel is safer.

<?php
/* A uniqid, like: 4b3403665fea6 */
printf("uniqid(): %s\r\n", uniqid());
?>

A reference on how to use uiqid: http://php.net/manual/en/function.uniqid.php

Robert
  • 3,074
  • 3
  • 24
  • 32