My website has a login feature and therefore needs to save the user's information in a cookie so that they don't have to log in every time they go on the website.

To my understanding, cookies aren't secure unless some extra checks are put in place, so I've come up with a way that I think should make them secure (if not, please tell me how it should be):

  • create a table in the database that holds cookie information
  • within the table, there are two columns; one that holds the user's username, and another that is some large random number (how would I generate the random number in code?)
  • upon logging in to the website (if the cookie already exists), it checks with the database to see if the username and the random number match
  • if it's the first time the user is logging in (the cookie doesn't exist), it fills the required tables in the database and sets a cookie
  • upon logging in successfully, a new random number is assigned to the database as well as the user's cookie

Does this seem like a viable approach?

Also, if multiple pages require to have the person's username from the cookie, should it verify with the database each time it's required or should it just use `$username = $_COOKIE["username"];` without any verification?

Thanks.

John
  • +1 - this sounds interesting. However, a quick SO or Google search about "securing cookies" gives many results which should cover most of your concerns. – Saturnix Sep 08 '13 at 21:23
  • This has already been asked numerous times here on SO and has been solved for a long time: http://jaspan.com/improved_persistent_login_cookie_best_practice – PeeHaa Sep 08 '13 at 21:27
  • @Dagon That question and answers are missing some crucial parts for a secure remember option. I'm pretty sure there is a dupe somewhere, but all the crap dupes make it very hard to find it :( – PeeHaa Sep 08 '13 at 21:31
  • Doesn't answer the few questions I have though: how would I generate the random number in code? Also, if multiple pages require to have the person's username from the cookie, should it verify with the database each time it's required or should it just use `$username = $_COOKIE["username"];` without any verification? – John Sep 08 '13 at 21:37
  • hash not random number `md5(uniqid(rand(), true));` << with several layers of overkill –  Sep 08 '13 at 21:40
  • Any credentials that were stored in the cookie/database will of course match if the cookie was stolen. Some possible additional checks could be things like the user's OS and browser version and perhaps their locale, which could be obtained from the IP address – andrew Sep 08 '13 at 21:40
  • OS and browser are easily spoofed. Some people have dynamic IPs so that's also not reliable. When storing series a possible attack would at least be visible to the user. @andrew – PeeHaa Sep 08 '13 at 21:42
  • Those few questions you got are not in your question or are answered in the link – PeeHaa Sep 08 '13 at 21:43
  • @PeeHaa thanks for the reply. I realize that a dynamic IP is not a reliable check, but what I meant was that the county/region could be obtained and stored. That at least should be consistent – andrew Sep 08 '13 at 21:46
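
The scheme from the question, sketched in PHP as an added example that is not part of the original post or its comments: the random value comes from `random_bytes()`, only its hash is stored, and the username in the cookie is trusted only after the token matches. The `login_tokens` table, the function names, the 30-day lifetime and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: table, function names and lifetime are hypothetical.
// In-memory SQLite (pdo_sqlite assumed) keeps the sketch self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login_tokens (username TEXT PRIMARY KEY,
    token_hash TEXT NOT NULL, expires INTEGER NOT NULL)');

const TOKEN_LIFETIME = 30 * 24 * 3600; // 30 days, an assumed policy

// Store a fresh token for $username; return the value to put in the cookie.
function issueToken(PDO $pdo, string $username): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $pdo->prepare('REPLACE INTO login_tokens VALUES (?, ?, ?)');
    // Only a hash is stored, so a leaked table does not yield usable cookies.
    $stmt->execute([$username, hash('sha256', $token), time() + TOKEN_LIFETIME]);
    return $token . ':' . $username; // token is hex, so the first ':' splits safely
}

// Returns [username, rotated cookie value] when the token matches, else null.
function verifyAndRotate(PDO $pdo, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$token, $username] = $parts;
    $stmt = $pdo->prepare('SELECT token_hash, expires FROM login_tokens WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null; // unknown user, expired, or wrong token (constant-time compare)
    }
    return [$username, issueToken($pdo, $username)];
}

// Constructed walk-through: first login, a return visit, then two bad cookies.
$first = issueToken($pdo, 'john');
[$user, $rotated] = verifyAndRotate($pdo, $first);
var_dump($user);                                    // username, trusted only now
var_dump(verifyAndRotate($pdo, $first));            // replay of the rotated-out token
var_dump(verifyAndRotate($pdo, str_repeat('0', 64) . ':john')); // forged value
var_dump(verifyAndRotate($pdo, $rotated) !== null); // current token still works
```

On a real page, send the returned value with `setcookie()` using the `secure`, `httponly` and `samesite` options, and call `verifyAndRotate()` only when no session exists yet, keeping the verified username in `$_SESSION` afterwards.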

0 Answers