Security problems

rulian

it was suggested to me that I not store user passwords in cookies, or if so, to encode it.
I got the crypt($password, .v) thing, but when I go to compare it by either =
"where password = password($password)

OR $password == $password1, either way it wont approve because I cant decode the password, so how would I do that,

cordex

you crypt both passwords using the same salt and compare them. there was a thread on this just a few days ago.
http://www.phpbuilder.com/forum/read.php3?num=2&id=168438&loc=0&thread=168438

[deleted]

Never store a password in a cookie never ever., not even if it is encrypted.

rulian

okay, but my website requires both username and password, unless the users logs in every time, like phpbuilder, I dont have to log in every time i come on, how else can I do this?

Anon

May I introduce you to the wide, wonderful world of databases?

rulian

okay, riddle me this: I need to keep somethign on the client side to hold their login information so that they could log on, having all the data bases in the world wont matter if I cant tell my users apart, I could do ip tracking, but that wont work too good if users are on dialups? So, how else?????/

[deleted]

"having all the data bases in the world wont matter if I cant tell my users apart, I could do ip tracking, but that wont work too good if users are on dialups? So, how else?"

IP tracking is the easiest way; When the user logs on you create a 'secret' number and send it to the client in a cookie. Then you store that information in a database along with the secret.

On every next request you compare the 'secret' and the IP of the request with the secret and IP in the database. If there is a match, the user may logon.

If someone snoops the connection and gets his hands on the secret, he can fake a logon by sending the secret, but he cannot fake is IP so the logon is refused.

The users who are use dialups have bad luck, they will have to logon manually for evey session.