What do you guys cookie up for logins?

admin

Administrator
Staff member
Hi, all,

I've got a member site, all homegrown...and, it's all working, i'm just wondering how you all manage cookied logins. right now, i store the userID and the crypted password to cookie. now, that's pretty good stuff, it works...but we all know that crypt's can be broken if someone wanted to...

so, a "hacker" would just need to get the cookie, find out the alias corresponding to it, then figure out the password with a crypt-cracking loop.

now, right now i'm not too concerned with this, 'cause my cookies are set to expire at -1 anyway, and AFAIK these aren't stored to disk, rather kept in RAM...but I'm goin to setup a "Remember Password" soon, and don't want insecure cookies sittin on a computer.

I was thinkin of maybe comin up with an algorithm (wouldn't have to be difficult, just secret) that meshes the computer's IP address with the password, and crypts them together, so the password can't get moved to another machine, and probably won't be un-encrypted

I also thought of session-storing in MySQL...that might not be a bad idea, I could just store the IP address, date to expire, and IP address that the login is good for perhaps...

anyway, if anybody's got suggestions or favorites among these, lemme know - i'm interested in how others are handling these issues - especially those worried about security

thanks.

What programming language are you using to encrypt it? MySQL sounds like a better approach to this situation. Is the purpose of your cookie to allow the user to not have to log in every time they go to the page?

using PHP & MySQL.

ya, i know i could encrypt the passwords with mysql, but i keep them as regular text so i can mail the user if they forgot their password.

after thinking about it, here's what i think i'll do...
add these columns to the user's SQL entry:
login_ip (char(20))
login_expire (datetime)
login_cookie_string (char(50))

The login_ip is the IP for which the login is recognized. login_expire is the amount of time to recognize the user being logged in. The login_cookie_string is just a 50 char random string that i'll change each week for each user.

So..
when a user logs in normally, with the cookie expire set to -1, i'll set their user id to a cookie, and the login_cookie_string to a cookie as well. I'll record their IP, and set my login_expire to some short period of time that acts as a timeout - it'll be updated if the user is active.

when a user logs in and wants to remember their login, i'll set the same cookies, and set my SQL entries too. The thing is, if they login from another computer, i'll not recognize the previous login, since i'm storing their IPs.

anyway, this should be pretty secure, since i can change their random password each day/week..etc..

suggestions? comments?

thanks.

Hi Blake,

This doesn't really relate to cookies and logins, but this relates to passwords. I always like to encrypt my passwords in mysql (just to be safe, and for security reasons)

Then in the event of someone losing their password, they use a script that emails them a URL with a special id (which is stored to a mysql table, and expires in 24-48 hours). When the user clicks on the URL, a temporary password is created, and emailed to them. They then use the temporary password to login (and of course they can change it later on).

Just an idea if you want to encrypt passwords.

Regards,

Can anyone explain to me how to store the cookies in RAM and not on the hard disk?

I'm using PHP here.

Thanks

This isn't exactly what you wanted (the cookie doesn't stay in RAM), but I believe it is equivalent.

How long do you want the cookie to last? The following code is strict: the cookie will be deleted if the page is refreshed or left. If you want the cookie to last until the browser is closed, you need to delete the delCookie function and the OnUnLoad statement in the body tag.

<html>
<head>
<script language="JavaScript">
// No expires attribute: the browser keeps a session cookie in memory and
// discards it when the browser is closed.
function setCookie(value)
{
document.cookie="Cookie="+encodeURIComponent(value)+"; path=/";
}

function getCookie()
{
var CookieString=new String(document.cookie);
var CookieHeader="Cookie=";
var BeginPosition=CookieString.indexOf(CookieHeader);
if(BeginPosition!=-1)
{
//code that executes if the cookie is there.
}
else
{
//code that executes if the cookie is not found.
}
}

function delCookie()
{
// An expiry date in the past tells the browser to remove the cookie at once.
document.cookie="Cookie=; expires="+new Date(0).toUTCString()+"; path=/";
}
</script>
</head>
<body OnUnLoad="delCookie();">
...
</body>
</html>

If you don't set a cookie expiry date then it only persists until you close the browser down or leave it idle for 10 minutes (or whatever your server timeout is set to).

ya, jake, that's a good idea. But.. since we're doing this for security reasons...the same problem arises...If someone got into your table, they could just use the temp password url to login, then change the password.

i like your idea, i'll think about implementing it

thanks for the suggestion..

but,
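The remember-me design sketched earlier in the thread (a random login_cookie_string and a login_expire kept on the user row, bound to the login IP) and the objection raised in the last reply (anyone who can read the table can use whatever secret is stored there) can be reconciled by storing only a hash of the random string, the same way the proposed password-reset ids should be stored. The following is an added example, not code from this thread; it is written in Python for clarity although the site is PHP/MySQL, and the USERS dict and all times and addresses are constructed stand-ins for the users table.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table columns from the thread
# (login_cookie_string, login_expire, login_ip). Only the SHA-256 of the
# random string is stored, so a copy of the table cannot be turned into a
# working cookie. Times are plain Unix seconds.
USERS = {}

def issue_remember_token(user_id, login_ip, now, lifetime=7 * 86400):
    """Mint a fresh random token for a 'remember me' login.

    Returns the raw token to put in the cookie; the DB keeps only its hash.
    """
    raw = secrets.token_urlsafe(32)  # 43 URL-safe chars from a CSPRNG
    USERS[user_id] = {
        "login_cookie_hash": hashlib.sha256(raw.encode()).hexdigest(),
        "login_expire": now + lifetime,
        "login_ip": login_ip,
    }
    return raw

def verify_remember_token(user_id, presented, client_ip, now):
    """Accept the cookie only if unexpired, IP-bound and hash-matching."""
    rec = USERS.get(user_id)
    if rec is None or now >= rec["login_expire"] or rec["login_ip"] != client_ip:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # compare_digest runs in constant time, so response timing reveals
    # nothing about how many leading characters of a guess were correct
    return hmac.compare_digest(digest, rec["login_cookie_hash"])

def rotate_on_use(user_id, presented, client_ip, now):
    """Consume a valid token and issue a replacement (the poster's weekly
    rotation, done on every use instead); returns the new raw token or None."""
    if not verify_remember_token(user_id, presented, client_ip, now):
        return None
    return issue_remember_token(user_id, client_ip, now)

def revoke(user_id):
    """Log the user out everywhere by dropping the stored hash."""
    USERS.pop(user_id, None)
```

A leaked table then yields only hashes, which cannot be presented as cookies, and the expiry check means a stale copy of a cookie stops working on its own.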