Cookies authentication

Dr_Freak2

I have a curious questions as follows: 🙂

I am constructing my website with members registration.Once a member has registered,he is given his username and password to login.When he logs in,I will set a cookie as his/her username.And each page will check to see if this cookie exists.If not,some member page(Account setting..)cannot be accessed.However,I think it is very dangerous because someone can pretend he is one of our member with the name and set a cookie on his computer.Is it possible to do that?If so,do you guys have any other algorithm to enhance the security of log in?

Many thanks. 😉

scoppc

I used to store 3 values in my cookies. I am not really sure on whether no one can bypass or not. One thing for sure, user can change their cookies locally.

I store username, level and a checkpoint. Checkpoint here means an encrypted code that is created by the combination of the username, level and some other unknown keywords.
To make it clearer, take a look at the example below:

$username="scoppc";
$level=3;
$checkpoint="some" . $username . "xxx" . $level . "keyword1234";
$checkpoint=MD5($checkpoint);

In each and every protected page, I will have a script to check whether all of the array are set and NOT empty as well as checking whether the cookies is altered locally by matching the checkpoint.

adamgeorge

How about instead of just storing the username in the cookie, you store the username and their password?

Eg:


$cookieData = base64_encode("$sMemberName;$sMemberPassword;$dtMemberLastLogin;" . $_SERVER["REMOTE_ADDR"]);

if(!setcookie("cSession", $cookieData, time()+1500, "/", "")){
	trigger_error("Session not set", E_USER_ERROR);
}

here I have set a cookie with the username and password seperated by a semi-colon, and encoded that so nobody can immediatly read it.

Then what you can do is instead of just checking for the existance of the cookie, check for the existance and authenticate the username and password in the cookie against the database.

Eg:

$cSession = base64_decode($_COOKIE["cSession"]);
$cSession = explode(";", $cSession);

$sNameValue = $cSession[0];
$sPasswordValue = $cSession[1];

//do check against database here...

So if the cookie exists but the username and password are incorrect then it could be somebody spoofing your site with a fake cookie.

As well you could store the IP address of the user in the cookie and check that against the user... although you need to be carefull with that as many ISP's use dynamic IP addresses which change anyway.

check out previous discussions for other ideas on authenticating users on your site.

cya man,
-Adam 🙂

Dr_Freak2

First off,thank you for the quick replies from adamgeorge and scoppc .
You both have given me a much more better than "username" cookie authentication.But adamgeorge,how about MD5 instead of base64_encode?I get used to use MD5.😃 .Moreover,I have an idea.If I set a cookie with username and encrypted password along with session id stored in the database.If he/she visits a secret page,I check his/her username,password and session id in the database.Is it feasible?Is it "quite" secure?

Yeah,by the way,I want to ask that if it is possible to copy the cookie from other computer to my computer.😕If so,the authentication which just relies on username and password cookie authentication is useless????

scoppc

First of all, encoding something means ... that something can be decoded, for sure. Encrypting something, doesnt mean it can be decrypted. For MD5 ... no way! Unless, you do brute force. However, for a very long string (like the one I showed you) which contains uppercase, lowercase and numbers combination, those people will give up (well, most of em .... :p )

Storing password in your cookie has no use, at least for me. I stored username and level coz I am going to use it later in my script.

Checking to database in each and every protected pages is good. However, it is also very expensive. If we could do it with cookies, why spend more computer processing on database?

Another suggestion will be to use session which I am going to implement in my next project. Effective to solve cookie-disabled problem. 🙂

laserlight

I want to ask that if it is possible to copy the cookie from other computer to my computer.

Cookies can be intercepted, spoofed etc.
Still, unless you need a high level of security, they should be ok.

scoppc's method involves generating a hash from the given information, and storing it as a cookie.
If someone obtains the username, level and that hash, he/she will have access.
Conversely, if someone obtains the username, level and knows the additional strings concatenated, then he/she will be able to generate the hash and use it.

the security lies in that in order to access, one must know the hash (since obtaining username and level is relatively trivial).
However, to get this hash, one must either get the cookie, or know the strings (e.g. the keyword) used while generating it.
even if someone does obtain a hash from a user's cookie, he/she is unlikely to obtain the exact method of generating more hashes of that kind, since finding a hash collision is unlikely.

checking the database for matching username/password is also acceptable, and you would do that at least once (i.e. for login)
still, doing that for each access is, as scoppc noted, a little expensive for the limited security anyway.

if you really need security, you'll have to use strong encryption, perhaps with technologies such as SSL or your own system with say the mcrypt library.

Dr_Freak2

From laserlight:

checking the database for matching username/password is also acceptable, and you would do that at least once (i.e. for login)

Hey,thanks for your reply.I figured out how to avoid checking each webpages with database authentication.What if I set a session after he/she has successfully logged in?This session will pass on page to page and no database authentication is required.It reduces the workload of my old server.😃 Obviously,this session will be invalid after user clicked log out button.

How about that, laserlight?Is it quite secure?😉

brooky

Hello,

Does anyone know how to adapt this to work with different subdomains?