[Resolved] Login Security

insectis

Hey all,

I've got a quick question. For user login's I've currently been setting a cookie on their machine that holds their username and password and then deleting it upon logout.

Any time the user wants to access a "member" page, my script checks for the cookie (ie. the username variable) and lets them in if the cookie is there, otherwise it directs them to the login page.

My question is, is there a more secure way of doing things? Or is this a good way? I'm also curious if this would be easily spoofed by entering a URL with the username/password in it, although I have global variables turned off in php.ini, I'm still curious if there is a way around it.

Any insight on the subject would be greatly appreciated!

insectis

DigitalExpl0it

im thinking sessions, but what your doing is fine, you might want to encrype the cookie, so its not straight text though

insectis

Ah, good call. That would take care of someone spoofing it too, wouldn't it...

Weedpacket

I'm thinking sessions as well; storing the username and password in a cookie means that the username and password get included in every single request the browser makes to the server. Using sessions, the only thing getting passed back and forth is a session ID - and that changes from one session to the next. The username and password are retained on the server.

It may be an idea, though, that to do anything significant (for a given value of "significant" - changing user details, for example; "significant" to a bank would include moving money between different people's accounts) to require the user to re-enter their password - just to confirm that it really is still them and not someone else who's just sat down at the browser.

insectis

That's a great idea to have the user re-enter their password for something "signifigant".

Thanks a lot for all the helpful insight!