Posted by Andy Pieters on 04/09/05 08:51
On Saturday 09 April 2005 02:18, Computer Programmer wrote:
> What is a better way to store password in a cookie?
>
> md5()?
> base64_encode()?
> mhash()?
> mcrypt_generic()?
> crypt()?
It doesn't matter how you encrypt it.
DO NOT STORE PASSWORDS ON USERS' COMPUTERS
I hope that's clear enough.
What you can do, and in fact what I do for production sites, is when the user logs
on, you create a unique identifier and make a hash from it using your
favorite encryption method (sha1, md5, crc32). I like sha1.
Save that hash in a temporary table and link it to the user's ID. Set an
expiry date and extend it on each subsequent request.
Additionally you can save the IP number there as well. But that can lead to
issues if they are connected through a firewall, router, or proxy.
Think of it as assigning a temporary password, only it is transparent to the
user.
Structure
  Login
    Password validated
    Create unique id
    Save in connections table
    Set cookie with unique id and userid
  Page request
    Check for cookie
      Look up unique id in connections table
      Id expired? No -> user still logged in
    No cookie
      Do login
This way, you automatically log out users that are logging in on another
computer.
Kind regards
Andy
--
Registered Linux User Number 379093
--
Feel free to check out these few
php utilities that I released under the GPL2 and
that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
--
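The scheme Andy describes (random id at login, only its hash kept in a connections table with an expiry, cookie looked up and expiry extended on each request, older logins replaced), as an added PHP example that is not part of the original post. It assumes the pdo_sqlite extension and keeps the table in memory; sha256 is used in place of the sha1 the post mentions, and the table, column and function names are my own.

```php
<?php
// Added example (not from the post): a "connections" table holding only a hash
// of the cookie token plus an expiry extended on every request. In-memory SQLite.

const SESSION_TTL = 1800; // seconds of inactivity before the login expires

function openConnectionsTable(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE connections (token_hash TEXT PRIMARY KEY,
               user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}
// After the password is validated: mint a random token, store only its hash,
// and return the cookie value ("userid:token" as in the post). Deleting the
// user's older rows first logs out any other computer they were logged in on.
function createLogin(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));                    // the "unique id"
    $db->prepare('DELETE FROM connections WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO connections VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + SESSION_TTL]);
    return $userId . ':' . $token;
}
// On every page request: returns the user id when the cookie maps to an
// unexpired row (and extends the expiry), or null when a fresh login is needed.
function checkLogin(PDO $db, ?string $cookie): ?int {
    if ($cookie === null || !preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                       // missing or malformed
    }
    $hash = hash('sha256', $m[2]);
    $stmt = $db->prepare('SELECT user_id, expires FROM connections WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['user_id'] !== (int)$m[1]) {
        return null;                                       // unknown token / user
    }
    if ((int)$row['expires'] < time()) {
        $db->prepare('DELETE FROM connections WHERE token_hash = ?')->execute([$hash]);
        return null;                                       // expired: log in again
    }
    $db->prepare('UPDATE connections SET expires = ? WHERE token_hash = ?')
       ->execute([time() + SESSION_TTL, $hash]);
    return (int)$row['user_id'];
}

$db = openConnectionsTable();
$first = createLogin($db, 42);          // constructed user id
var_dump(checkLogin($db, $first));      // accepted while the row is unexpired
$second = createLogin($db, 42);         // same user logs in from another computer
var_dump(checkLogin($db, $first));      // first computer's cookie is now rejected
```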