
PHP storing password in cookie

Developer https://www.devze.com 2023-02-15 17:54 Source: Internet

Is there a relatively secure way to store the password in the browser cookie (for remembering the login information) without creating an extra column for a hash in the database? Thanks.


You should never ever store plaintext or even decryptable passwords in your database unless you have generated them and the user cannot enter a custom one!

The most common way is storing the hash of the password in the cookie, which is also in the database. However, this allows anyone to log in by just knowing the hash, without access to the original password. So don't go that way even though it's obviously the easiest one.

A secure approach would be storing a random, unique "login hash" in the database and setting this hash plus the user's ID in the cookie. That would not only make the password hash useless for logging in but also allow you to create a "log out everywhere" feature.
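A PHP sketch of the random login-token scheme described in this answer, added here as an illustration rather than code from the original post. Assumptions: an in-memory array stands in for a database table of (user_id, token_hash, expires_at) rows, and the setcookie flags in the comment are a suggested call, not something the page states.

```php
<?php
// Added example, not from the original answers: a "remember me" token that
// replaces any password-derived value in the cookie. Assumption: $tokens is an
// in-memory stand-in for a DB table remember_tokens(user_id, token_hash, expires_at).
declare(strict_types=1);

$tokens = []; // constructed stand-in for the database table

// Issue a fresh random token for a user and return the cookie value.
// Only a hash of the token is stored, so a leaked table yields no usable cookies.
function issueRememberToken(array &$tokens, int $userId, int $ttl = 30 * 86400): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $tokens[] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token),
        'expires_at' => time() + $ttl,
    ];
    // Caller sets it with setcookie('remember', $value, ['secure' => true,
    // 'httponly' => true, 'samesite' => 'Lax', 'expires' => time() + $ttl]).
    return $userId . ':' . $token;
}

// Validate a cookie value: returns the user id on success, null otherwise.
function userFromRememberCookie(array $tokens, string $cookie): ?int
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                // malformed cookie
    }
    $userId = (int) $m[1];
    $hash   = hash('sha256', $m[2]);
    foreach ($tokens as $row) {
        if ($row['user_id'] === $userId && $row['expires_at'] > time()
            && hash_equals($row['token_hash'], $hash)) { // constant-time compare
            return $userId;
        }
    }
    return null;
}

// "Log out everywhere": delete every token belonging to the user.
function revokeAllTokens(array &$tokens, int $userId): void
{
    $tokens = array_values(array_filter($tokens, fn($r) => $r['user_id'] !== $userId));
}

$cookie = issueRememberToken($tokens, 42);
assert(userFromRememberCookie($tokens, $cookie) === 42);
revokeAllTokens($tokens, 42);
assert(userFromRememberCookie($tokens, $cookie) === null);
```

Because the cookie carries only the random token and the table stores only its hash, neither a stolen database row nor the user's password hash can be replayed as a login cookie, and deleting the user's rows invalidates every remembered session at once.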


Store a salted hash of the password in the cookie

<?php
$password = $_POST['password'];          // the password the user submitted at login
$salt = 'snfcikkfbnvekrew';              // fixed, application-wide salt
$cookie_value = md5($salt . $password);  // value written to the cookie


Storing the password, or a representation of the password in a cookie is a very bad idea. Granted, you can protect the cookie so that reading the password isn't possible, but if the cookie is intercepted, someone else can set that cookie, giving them the full permissions of the previous user up until the point that that password is changed.

With direct machine access, it would be possible to steal the cookie even if HTTPS were used, and then steal a person's full access even without knowing the password value, again, until they change that password.

It may be possible to do it securely via some obscure method of time-specific hashing, but my recommendation is not to do it at all. Use sessions instead, and try to store an internal identifier rather than an external one. If a session is compromised, the consequences are still serious, but generally less so, as the session will expire, and sessions lend themselves well to other forms of security (IP lockdown, request sequencing, etc.).


Short answer: never store passwords in cookies or, if unsalted, anywhere. Don't. In your scenario, JSON Web Tokens (JWT) could be used to store authorization on the client side.
