02-12-2009, 10:08 PM   #2
Krik
The Contributor
 
Join Date: Feb 2009
Posts: 65

Can cookies be used in a shady manner? Yes. Cookies can be faked, and of course the risk is that if someone logs in on a public PC, whoever gets on that system after them can get into the site, or even just copy the cookie to edit and use on another PC.

Bullet-proof login? Yes, but I doubt you want to pay for that. There are companies that make multi-form login systems for the web, and outside of the most top-end security needs you should be OK without them.

As to making a good remember-me system: you will need cookies, with a twist, and a bit of data stored in a temporary database table.

First, pass all cookies hashed. Use SHA to hash all cookie data before storing it on the user's system. Include in that hash a one-time id. I usually use a 6-digit number and, using addition, subtraction, multiplication and division, I change that number based on 6 numeric time values and hash that to make an id that will never be the same ever again. I store that hash in the database, and the next time they enter the site I retrieve the cookies and check all the hashed data, including that id, against what was in the database record from the last time they used the site. Of course, if it all matches, including an IP address check, I let them in, delete the old cookie and database record, and create new cookies and a new database record.

Now that doesn't solve the issue of a user logging in and selecting "remember me" on a public PC. But if that is an issue, you need to do a risk assessment. If that were to happen, what's the worst that could happen? If it is just spam on a forum, not a big deal if you have good measures in place to deal with that. Or are we talking about a more serious risk, like the unauthorized person having access to data that could harm you personally? Now, if that nefarious person gets access to that user's personal info, that user was the one who was negligent, and you cannot be held liable for that, as they left their data lying in the open for any other person to see and/or take.

And if there is serious risk (personal harm, data loss, or potential legal liability) you may want to eliminate a remember-me system altogether.
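The rotating remember-me scheme the post describes (cookie carries only a one-time id, the server keeps a hash of it in a temporary table, a returning client must match the stored hash and IP, and the old cookie and record are then replaced by new ones) as an added, runnable example. This is not the poster's code: the one-time id here comes from a cryptographic random generator rather than the poster's arithmetic on time values, the split into a cleartext selector and a hashed token, the 30-day lifetime, the in-memory `STORE` standing in for the database table, and all function names are assumptions of this example.

```python
"""Rotating "remember me" cookie demo (added example, not from the post).

The cookie value is "<selector>:<token>". Only SHA-256(token) is stored
server-side, so a copy of the table does not yield usable cookies. Each
successful redemption deletes the matched record and issues a new cookie,
so a replayed or copied cookie fails once the legitimate client has used it.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 24 * 3600   # assumed lifetime of a remember-me record


@dataclass
class RememberRecord:
    user_id: str
    token_hash: str      # SHA-256 hex of the one-time id; the raw id is never stored
    client_ip: str       # IP the cookie was issued to, checked on return as in the post
    expires_at: float


# Stand-in for the "temporary database table" the post describes (assumption).
STORE: Dict[str, RememberRecord] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_cookie(user_id: str, client_ip: str, now: float) -> str:
    """Create a fresh one-time id, store only its hash, return the cookie value."""
    selector = secrets.token_urlsafe(9)    # lookup key, safe to store in the clear
    token = secrets.token_urlsafe(32)      # the one-time id (CSPRNG, swapped in for the post's scheme)
    STORE[selector] = RememberRecord(user_id, _hash(token), client_ip,
                                     now + TOKEN_TTL_SECONDS)
    return f"{selector}:{token}"


def redeem_cookie(cookie: str, client_ip: str, now: float) -> Tuple[Optional[str], Optional[str]]:
    """Validate a remember-me cookie and rotate it.

    Returns (user_id, new_cookie) on success and (None, None) on failure.
    The matched record is removed on every attempt, so a cookie works once:
    a wrong token or IP for a known selector invalidates that record too,
    which is the conservative response to a tampered or copied cookie.
    """
    try:
        selector, token = cookie.split(":", 1)
    except ValueError:
        return None, None
    rec = STORE.pop(selector, None)        # old record is deleted regardless of outcome
    if rec is None or now > rec.expires_at:
        return None, None
    if rec.client_ip != client_ip:         # IP address check, as the post describes
        return None, None
    if not hmac.compare_digest(rec.token_hash, _hash(token)):   # constant-time compare
        return None, None
    return rec.user_id, issue_cookie(rec.user_id, client_ip, now)   # rotate


if __name__ == "__main__":
    # Constructed sample session; IPs are documentation ranges.
    t0 = time.time()
    c1 = issue_cookie("alice", "203.0.113.5", t0)
    uid, c2 = redeem_cookie(c1, "203.0.113.5", t0 + 60)
    print(uid, c2 != c1)                                   # alice True
    print(redeem_cookie(c1, "203.0.113.5", t0 + 61))       # (None, None): replay of old cookie
    print(redeem_cookie(c2, "198.51.100.7", t0 + 62))      # (None, None): different IP
```

The IP check is taken from the post; note that it logs out users whose address changes (mobile networks, VPNs), and that the record is dropped on a mismatch, so a later attempt from the original address also fails until the user logs in with a password again.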