473,325 Members | 2,816 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,325 software developers and data experts.

is it safe to store a cookie user id as a login for my site

hi

i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

thanks

marc

Feb 16 '07 #1
7 4242
"monomaniac21" wrote
hi
G'day.
i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?
How could a "malicious user" gain access to a cookie stored somewhere in
your your users computer, unless they break into your users house? My
browser regularly asks me if I wish it to "remember" my userid/password
detailss for next time. Often I tell it to do so.

Then again your user may be just silly enough to store your cookie on the
public libraries computer. Their problem then IMHO.
Feb 16 '07 #2
monomaniac21 schrieb:
hi

i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

thanks

marc
You could store one half of the user's password hash in the cookie. When
he come back, you compare it to the hash in the db. Works for me :-)
Feb 16 '07 #3
>
How could a "malicious user" gain access to a cookie stored somewhere in...
By malicious user i was referring to someone who seeks to gain access
to other people's accounts by first creating an account and storing a
cookie, then editing the cookie so that the website automatically logs
them in as someone else. How can this be prevented?
Feb 16 '07 #4
"monomaniac21" wrote>
>>
How could a "malicious user" gain access to a cookie stored somewhere
in...

By malicious user i was referring to someone who seeks to gain access
to other people's accounts by first creating an account and storing a
cookie, then editing the cookie so that the website automatically logs
them in as someone else. How can this be prevented?
Er, you can't, or, perhaps, you don't need to.

I could, for instance:

a) Create an account and then hack the cookie so as to use some other
persons credentials to log in, after guessing their credentials.

b) Use your standard login form to log in using some other persons
credentials, after guessing their credentials.

Where is the problem?

On the other hand if you store stuff in your cookie that allows it to be
hacked then your design is flawed.
Feb 16 '07 #5
Mike Roetgers wrote:
monomaniac21 schrieb:
>hi

i have a php site which allows users to save a cookie on their
computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

thanks

marc
You could store one half of the user's password hash in the cookie. When
he come back, you compare it to the hash in the db. Works for me :-)
Or, better yet, hash the password in the database a second time and
store that has in the cookie. When they do the cookie login compare the
cookie they send with the database password (after you've hashed it, of
course).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 16 '07 #6
>i have a php site which allows users to save a cookie on their
>computer which stores their user id details and allows them to auto-
login.

i'm wondering whether this is safe, is it possible for a malicious
user to find that cookie and change its value and therefore auto-login
as someone else? and if so how can this be prevented?

How could a "malicious user" gain access to a cookie stored somewhere in
your your users computer, unless they break into your users house? My
Easy: your user LIVES WITH (or worse, sleeps with AND lives with)
the malicious user. Or his kids invite the malicious user (aka
neighbor kid) in. Not all users are nerds with no friends.
Sometimes warring siblings have to share a computer.

Laptops are easy to steal. Just listen to the news: how often is
a laptop with government classified information or sensitive financial
information on it reported missing? I suspect it's especially easy
to steal laptops at airports. My Palm also contains a web browser
and it's not that hard to lose it.
>browser regularly asks me if I wish it to "remember" my userid/password
detailss for next time. Often I tell it to do so.
>Then again your user may be just silly enough to store your cookie on the
public libraries computer. Their problem then IMHO.
Feb 17 '07 #7
>How could a "malicious user" gain access to a cookie stored somewhere in...

Easily, if they sleep with the user.
>By malicious user i was referring to someone who seeks to gain access
to other people's accounts by first creating an account and storing a
cookie, then editing the cookie so that the website automatically logs
them in as someone else. How can this be prevented?
Any user can trivially set any darn cookie they want to any value
they want on their own computer. The procedure is simple for most
browsers: (a) shut down the browser, (b) edit the file the cookies
are kept in (usually it's a text file and the format is pretty
obvious), and (c) start up the browser. I've heard rumors about a
browser that lets you do it by clicking on "set cookie" and following
the prompts. It's also real easy for PHP to use CURL to pull a copy
of a web page from any other web site with any set of cookies you want.

If you were thinking of setting a cookie containing the user name,
but not the password, assuming the cookie is set that way only if
the password given is correct, your security design is incredibly
stupid (It ranks right up there with the sign on the bank vault,
also advertised on national television, asking people to not steal
from it because it's unlocked and the guard is blind). On the other
hand, if the cookie contains the user name and password in plain
text, you're making it easy for anyone to look at the stored cookie
and replicate it on their own computer.

An approach that might work is to put in the cookie the following pieces:

1. the user name
2. a time stamp
3. a secure cryptographic hash of (a) the username, (b) the time
stamp, and (c) a secret string held by the site.

If a user comes back, validate the cookie:
1. Check the hash. The hash of the username from the cookie,
the time stamp from the cookie, and the secret string
(NOT in the cookie) should match the hash in the cookie.
2. Check the time stamp. If the cookie is too old, it's stale,
so don't let them log in.
3. Check the user name. It had better correspond to a user
that exists.

If the bad guy takes an existing cookie and tries to edit it to refer
to a different user, the hash won't match. If the bad guy steals a copy
of a really old cookie (say, from a traded-in hard disk), it will fail
the time stamp check.

Often, you'd re-write the cookie with a new time stamp every hit, so as
long as they keep clicking, they'll stay logged in.

How long is "too old"? It needs to be long than you expect users to go
between logins. It should be shorter to protect against stolen cookies.

Feb 17 '07 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
by: Shabam | last post by:
I'm developing an application and want to have the "remember me" feature, so that users don't have to log back in again in the next visit. The problem here is, what happens if the user's cookie...
3
by: davidw | last post by:
Hi, I have my webdav code, I am using cookie to verify user, so user login to our website first, like http://site, then they can open link http://site/webfiles and check "open as web folder", in...
3
by: Martin | last post by:
Dear fellow ASP.NET programmer, I stared using forms authentication and temporarily used a <credentials> tag in web.config. After I got it working I realized this wasn't really practical. I...
0
by: Peter Row | last post by:
Hi, I have a legacy VB6 webclass app that has been directly ported to VB.NET. My .NET webclass infrastructure works in more or less the same way but is now specific to my app and not the...
4
by: 23s | last post by:
I had this problem in the past, after a server reformat it went away, and now after another server reformat it's back again - no clue what's doing it. Here's the flow: Website root is public, no...
1
by: hecsan07 | last post by:
I am trying to perform site login using values from a cookie, but for some weird reason the cookie is being destroyed after the browser window is closed. I checked the browser settings for the...
1
by: Jim | last post by:
Hi, I have an Asp.Net 1.1 site which uses basic forms authentication. This has been working fine, since way back in the 1.0 days. Twice in the last 2 months, a client has been unable to log in,...
4
by: romayankin | last post by:
I need to limit the session time for a particular user who is working on my site. I'd also like to extend the session time each time user performs some action (moves from one page to another). I've...
8
by: pim | last post by:
Dear All, What I was wondering is how safe it is to store user_id or username or anything like that in session. I usualy store a bunch of info in a session so I do not need to search the...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.