4

I have a mysql table with userid, usernames and passwords and if the given password matches with the given username I create 3 cookies:

  • userid
  • username
  • userpassword (md5) - I create this because I recheck the password and the username from the cookies when the user saves important settings (without asking the user to complete forms).

I'we heard that this is not secure and I should use a cookie only to store session id, and to store this data in sessions, but how would look the code for this?

And please explain the code, because I'm a beginner in PHP. Oh and I want to remember the users for a long period, I don't like websites where I need to login each time again. Please help me and explain me why is a method more secure than other?

Thanks!

Thanks for your answers! I need to compete my question: my website does not require higher security than a simple forum, so can somebody provide a code that has a only basic security level?

YakovL
  • 7,557
  • 12
  • 62
  • 102
Csabi
  • 661
  • 10
  • 20
  • Yes, use sessions rather than storing the password as a cookie, even if it's md5'd. Take a look [here](http://stackoverflow.com/search?q=PHP+Login+cookies+sessions) for more information. – Shaz Apr 23 '11 at 13:16
  • Don't use MD5, it's not as safe as it was thought it was. – Francisc Apr 23 '11 at 14:01

3 Answers3

3

First of all, when you say you're storing "passwords" in the database, please make sure you are storing encrypted passwords. If my password is "12345" and you're storing "12345" in your database, you've made it possible for somebody who gains access to your database to see everybody's passwords, and that's just horrifyingly bad.

So, at the very least, use a SHA1 or some other hash algorithm and store that in the database.

But on to your actual question, PHP has support for "sessions" built in, such that you don't need to worry about the low-level mechanics.

Call session_start(); at the top of your script (usually near the beginning of your configuration file or header file, or some other shared script that's included everywhere), and then you can store and retrieve information in the $_SESSION superglobal array.

So you might write:

$_SESSION['username'] = 'bob';

And then on some other page:

echo 'Hello, ' . $_SESSION['username'];

That session information will be available on any page where session_start(); has been run, and anything you put in $_SESSION is stored only on the server, so it's not possible for someone to see that information just by snooping through my browser cookies.

However, that does not mean that sessions are just inherently completely secure. Sessions work by storing a "session key" in a cookie, so my key might be "946433D47A824675DCB87AA372F31A7D9B255530F87A79264E416C253E9AB00E". Every time I visit a page, PHP retrieves all the $_SESSION data associated with that key, and makes it available to you.

But if someone discovers that key (again by, say, snooping through my browser cookies, or just "overhearing" a request I make to the server over an open Wi-Fi network), they could send the same key and PHP would gleefully give them access to my session.

If you only allow traffic over https this problem is largely mitigated, but it's still definitely worth understanding what's happening and how it might be exploited in situations where security matters.

VoteyDisciple
  • 37,319
  • 5
  • 97
  • 97
  • i dont think that PHP session key is really long as "946433D47A824675DCB87AA372F31A7D9B255530F87A79264E416C253E9AB00E" but definitely strong enough to guess ! – Sourav Apr 23 '11 at 13:23
  • Votey, can you make SESSIONS last longer than the current browser session? – Francisc Apr 23 '11 at 14:06
  • 1
    The session key can be as long or short as you want, but I believe by default you are quite correct that it's shorter. @Francisc See the session_set_cookie_params() function for control over how the session cookie is saved. – VoteyDisciple Apr 23 '11 at 14:54
  • Session keys are by default 16 chars if I'm not mistaking. Thanks for the tip, Votey. Good one. – Francisc Apr 23 '11 at 17:53
0
<?php
session_start();

$pwd=sha1($_POST['pwd']);
$login=$_post['username'];

 $stmt = mysqli_prepare($con, "SELECT UID from LOGIN where userName=? and password=?");
 mysqli_stmt_bind_param($stmt, "ss", $login,$pwd);
 mysqli_stmt_execute($stmt);
 mysqli_stmt_bind_result($stmt, $uid);
 mysqli_stmt_fetch($stmt);
 mysqli_stmt_close($stmt);
 if (!is_null($uid))
 $_SESSION['uid']=$uid;
?>

use SHA1, coz it is better than md5 and is faster too !

Sourav
  • 17,065
  • 35
  • 101
  • 159
  • you need to connect with the database before running the SQL ! – Sourav Apr 23 '11 at 13:25
  • Faster is bad for password hashes – remember if the attacker needs to brute force them, then that longer each hash takes to calculate, the strong the schema. Though, despite that, SHA1 is probably better than MD5 for hashes anyway. – Rich Bradshaw Apr 23 '11 at 13:54
  • That's not true, you can run SQL commands before connecting as well... You'll get errors, but you can call the functions nonetheless. :) – Francisc Apr 23 '11 at 14:00
  • @Francisc i can write PHP program and host it in a .NET server, though it will not execute, but still it will not give any error :P – Sourav Apr 24 '11 at 02:23
0

using md5() function in php is not secure until and unless you are using ssl connection because this php function gets encrypted only after the form values reache to server. So the password you thought of encrypted gets transmitted in plain text format over the network.It is possible to intercept during the transmission, because form elements gets submitted in plain text format. To get rid of this security loophole, you can encrypt the password in the client level. such as using JavaScript. Such JavaScript codes are readily available in the internet like http://phpjs.org/functions/md5:469

To make it more secure you can apply md5 in client level for few times, like 2 times.

World
  • 2,007
  • 7
  • 27
  • 37
  • Don't actually apply the MD5 twice though, as that doesn't help things. If it made it better by applying twice, the algorithm would already do that! (Problem is that the 2nd hash is trivially reversible, as there is small number of possible inputs) – Rich Bradshaw Apr 23 '11 at 13:53
  • Applying md5 in the client also doesn't make anything more secure. If you send the server your password as a hash, the hash essentially becomes your password. – cabbagebot May 15 '14 at 15:16