Hi there everyone,
I'm picking bits and pieces from a persistent login article I found on the web. One aspect of the article was that the cookie stored on the computer shouldn't have the userid without some form of obfuscation. What it suggested (and what I used for my code) is:
// $salt, $userid, $time and $cookie_expiry (an integer number of days) are set earlier in the script
$identifier = sha1($salt . sha1($userid . $salt));   // obfuscated stand-in for the userid
$token = sha1(uniqid(mt_rand(), true));              // random per-login token
setcookie('auth', "$identifier:$token", $time, '/', '.domain.com', false);
// Does this identifier already have a session row?
$query = "SELECT * FROM user_sessions WHERE identifier='$identifier'";
$result = mysql_query($query) or die(mysql_error());
$numr = mysql_num_rows($result);
if ($numr == 1) {
    // Refresh the token and expiry for this identifier only (without the WHERE clause every row would be overwritten)
    mysql_query("UPDATE user_sessions SET token = '$token', expiry = date_add(NOW(), INTERVAL $cookie_expiry DAY) WHERE identifier='$identifier'") or die("Cannot update session table.<br><br>" . mysql_error());
} else {
    // Insert the new session into the DB
    $sql = "INSERT INTO user_sessions (identifier, token, expiry) VALUES ('$identifier', '$token', date_add(NOW(), INTERVAL $cookie_expiry DAY))";
    $query = mysql_query($sql) or die("Cannot query the database.<br><br>" . mysql_error());
}
to set the cookie and enter the session information into the database.
Which is cool.
However, now I need to validate the cookie and match $identifier to a userid.
To be exact, where I would normally need:
$query="SELECT * FROM users WHERE userid='$identifier'";
I now need to somehow get the script to understand that I need the userid buried in: "sha1($salt . sha1($userid . $salt));". I tried:
$query="SELECT * FROM users WHERE sha1($salt . sha1(userid . $salt))='$identifier'";
but, well, I don't have to tell you how that turned out 🙂
Could anyone help me out of this corner that I've painted myself into?
Thanks for your time!
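The scheme in the post, worked through as an added example (this is not the poster's code or the article's). A salted sha1 cannot be inverted, so the validation step has to go the other way: look the session row up by identifier and read the userid from it. The example therefore assumes a user_id column on user_sessions, which the post's table does not have; the "database" is an in-memory array standing in for that table, and the salt and expiry values are constructed for the demo. Token generation uses random_bytes() in place of the post's sha1(uniqid(mt_rand(), true)).

```php
<?php
// Added example: identifier/token persistent-login cookie with the lookup
// that maps a presented cookie back to a user id.
// Assumptions (not from the post): user_sessions carries a user_id column,
// and the array $user_sessions below stands in for that table.

const SALT = 'constructed-demo-salt';   // stand-in for $salt
const COOKIE_EXPIRY_DAYS = 14;          // stand-in for $cookie_expiry

$user_sessions = [];                    // identifier => row (constructed, in place of the DB table)

// Same derivation as in the post: identifier = sha1($salt . sha1($userid . $salt))
function make_identifier(int $userid): string {
    return sha1(SALT . sha1($userid . SALT));
}

// Random token; random_bytes() is used here instead of sha1(uniqid(mt_rand(), true)).
function make_token(): string {
    return bin2hex(random_bytes(20));
}

// Equivalent of the post's UPDATE/INSERT branch: one row per identifier.
function store_session(array &$sessions, int $userid, string $identifier, string $token): void {
    $sessions[$identifier] = [
        'user_id'    => $userid,        // assumed extra column; this is what validation returns
        'identifier' => $identifier,
        'token'      => $token,
        'expiry'     => time() + COOKIE_EXPIRY_DAYS * 86400,
    ];
}

// Builds the cookie value in the post's format: "identifier:token".
function issue_cookie(array &$sessions, int $userid): string {
    $identifier = make_identifier($userid);
    $token = make_token();
    store_session($sessions, $userid, $identifier, $token);
    return "$identifier:$token";
}

// Validates a presented cookie and returns the user id, or null on any failure.
// The lookup is by identifier (instead of trying to compute sha1() inside SQL),
// the token is compared with hash_equals() so the comparison does not leak
// timing information, and expired rows are rejected.
function user_from_cookie(array $sessions, string $cookie, int $now): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                    // malformed cookie
    }
    [$identifier, $token] = $parts;
    if (!ctype_xdigit($identifier) || !ctype_xdigit($token)) {
        return null;                    // both halves must be hex; nothing else reaches a query
    }
    if (!isset($sessions[$identifier])) {
        return null;                    // no session row for this identifier
    }
    $row = $sessions[$identifier];
    if ($row['expiry'] < $now) {
        return null;                    // session expired
    }
    if (!hash_equals($row['token'], $token)) {
        return null;                    // token does not match the stored one
    }
    return $row['user_id'];
}

// Usage: log user 42 in, then validate the cookie as a later request would.
$cookie = issue_cookie($user_sessions, 42);
var_dump(user_from_cookie($user_sessions, $cookie, time()));               // valid cookie: the user id
var_dump(user_from_cookie($user_sessions, 'deadbeef:deadbeef', time()));   // unknown identifier: null
[$id, $tok] = explode(':', $cookie);
var_dump(user_from_cookie($user_sessions, $id . ':' . str_repeat('0', 40), time())); // wrong token: null
```

With a real table the isset() check becomes SELECT user_id, token, expiry FROM user_sessions WHERE identifier = ? with a bound parameter, and the rest of user_from_cookie() stays the same. Keeping the token comparison in PHP rather than in the WHERE clause is what makes the constant-time comparison possible.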