Crypting/Decrypting

rapmonkey

Now that I know how to set and read cookies (😃), does anyone know how to crypt data in PHP, send it to a cookie, then get it back and decrypt it?

diego25

If you set an encrypted string, which can be decrypted, in a cookie, then it poses security threats because someone could intercept the cookie and decrypt it. Look into one-way encryptions, instead.

Diego

rapmonkey

Well here is what I need to do:

Someone will log into my site with a username and password, which will be stored in a MySQL database. First, the data needs to be checked to make sure the username/password match. Then, I need to set a cookie to somehow keep them logged into the site (not sure how this all will work). What is the best way to do this (and how would I do it)?

id10t

I think sessions will do what you want... I've not gotten to that point (or need) yet...

DarkDragon

PHP has a built in encryption, MD5. This is one way encryption, therefore you cannot decrypt it. However, you can easily encrypt it using the function MD5(). Although decryption is unavalible, you can encrypt the user's password into the database, and save that. Whenever the user wants to log in, you save the encrypted value of the password in the cookie. To verify them being logged in, just get the encrypted password from the cookie (which it should have been stored as) and compare it to the password in your database.

$var = MD5($var);

will simply encrypt your variable.

And I perfer logging in using cookies over logging in using sessions.

rapmonkey

Let me put it this way: How can I securely log someone into my site using cookies (or another method if I must)?

DarkDragon

Like I earlier said, I totally pefer cookies over any method of logging in.

Although cookies can be intercepted, if you have everything that is valuable encrypted in the data before you set the cookie, you should be fine.

what I suggest is doing something like this:

$logged = "out";
if ($login == "new") {
mysql_connect($host,$user,$pass);
mysql_select_db($database);
$sql = mysql_query("SELECT * FROM $user_table");
while ($row = mysql_fetch_array($sql)) {
if ($username == $row[user] && $password == MD5($row[pass]) {
$logged = "in";
}
if ($logged == "out") {
echo "Error: Bad username/password combo.";
} else {
$encrypted_password = MD5($password);
setcookie("cookiename","$username:$encrypted_password",time()+3600,"/","domain.com",0);
echo "Welcome $username, you are logged in.";
}
}

}

That code will check in the mysql database (if you are using one) if the field "user" equals the username in the form (input name must be username to assign the variable, and likewise for password) and check if the encrypted version of the password they supplied equals the password in the database (which was stored encrypted).

To check a login, simply get the cookie data and explode it into an array.

$cookie = explode(":",$HTTP_COOKIE_VARS['cookiename']);

In this, the username from the cookie is $cookie[0] and the password is $cookie[1].

Hope you understood this :p

poring

DarkDragon, this is nice, but what happens when the user forgets his/her password? Since the password is md5ed in the db, how am I supposed to sent it back to the user?

Evocate

Originally posted by poring
DarkDragon, this is nice, but what happens when the user forgets his/her password? Since the password is md5ed in the db, how am I supposed to sent it back to the user?

When a user forgets his/her padssword you will have to generate a new one, which replaces the user's one and sends it to user's email.

Weedpacket

If you've got the appropriate libraries installed for the extension, you can use PHP's [man]crypt[/man] function and its cohorts.

adavis

You can also do something like this:

session_start();                                  // Start the login session
$_POST['user'] = addslashes($_POST['user']);      // Add slashes to the username
$_SESSION['user'] = $_POST['user'];               // We've already added slashes
$salt = $_POST['user'];                           // set salt for crypt to username
$_SESSION['pass'] = crypt($_POST['pass'], $salt); // and crypted the password

or, if you like, you can use a combination of md5 and crypt to set an even more hard to decipher password. Either way, decrypting will be almost impossible. To check all you need to do is take your password, crypt it and check that against the password set in your session or cookie. Simple as that! 🙂