secure auth lib (article of Tim)

nightowl

I have a question about the article of Tim Perdue on this site about User Authentication ...

http://www.phpbuilder.com/columns/tim20000505.php3?print_mode=1

I wonder how secure this really is. If it is easy to spoof 1 cookie (like a session ID), then it is as easy to spoof 2 cookies, I guess ? I mean, what does the extra cookie add as security?

Does anybody have a full proof secure auth system ?

goa103

hello,

I don't think he uses 2 cookies but 2 sessions. Using cookies for an authentication is nonsense. I use 2 session variables to handle my auth. But as long as your form are not SSL, everything can be spoofed. so use 1 session for the username and an other one for the encrypted password. And never forget to store your password as ENCRYPTED password and NOT plain password. use md5 PHP function asap.

nightowl

well, he may be using 2 sessions, the session ID's are still stored as cookies on the users browser and as easily spoofable as 1 cookie. The extra session doesn't add much to the security of the script, I guess?

goa103

hi,

well It depends of what they mean by "spoof". I am French and that word doesn't really mean anything to me 🙂
spoof: easy to know how to create your own cookie or session file.
spoof: easy to grab info that are exchanged between the clients and server

what do you think ?
cookie is very easy to spoof (to create). but session use a random filename. moreover if you use session, you have 2 sessions: username and password. if the client supports JS/cookies then create a username cookie so it won't have to enter it again. only the password session is critical. I don't think using a magic number in it is useful. The encrypted password itself is sufficient. Don't you think ?