Saving User login info in a cookie

I think this can be of some assistance for encoding and decoding

hope it helps,
good luck

Hi.

I've done the same thing you'r doing a couple of times. What I did was, I saved the user's ID in the cookie, along with a SHA1 hash of the username and the password combined. The password is of course a SHA1 hash before hand so this makes a nice messy string that people won't be decoding any time soon.

That way I can simply have my database return a hash from the user with the given ID and try to match it.

Hashing does of course take time, but were talking about perhaps a millisecond at the most so I'm not excactly worried :)

Edit
Tested it on a 350mhz linux server, each run of the php sha1() function takes about 0,000073 seconds :)

I think this can be of some assistance for encoding and decoding

hope it helps,
good luck

Well that is a good idea and that is something which gmail followed or still follows, but it doesnt protects from a hacker attempt cause that is something which can be easy decoded, a simple algorithm of our own may be a cipher would take more time to break than this one.. but still a good idea..

let me know if you know something to do more with base64 encoding, i must mention it is very popular :)
thanks a lot mate !!

Hi.

I've done the same thing you'r doing a couple of times. What I did was, I saved the user's ID in the cookie, along with a SHA1 hash of the username and the password combined. The password is of course a SHA1 hash before hand so this makes a nice messy string that people won't be decoding any time soon.

That way I can simply have my database return a hash from the user with the given ID and try to match it.

Hashing does of course take time, but were talking about perhaps a millisecond at the most so I'm not excactly worried :)

Edit
Tested it on a 350mhz linux server, each run of the php sha1() function takes about 0,000073 seconds :)

but this must vary with the number of records, the more he records, heavier is the process and hence more are he resources, anyways will give it a try cause still my website gonna be at initial stage and when the number of users increases, i m sure i will come across something better till then :)

thanks a bunch

'Remember me' capabilities are never secure, but the MOST secure way that I've thought of to do it is to give them a randomly generated id that you store in the cookie. Each time that they are re-logged in and begin a new session, you use that generated id (as well as their username) to verify the user, then generate a new one for them. This way, if their cookies do get stolen, then don't run the risk of their password being given (even if it is hashed, it is still an unnecessary risk) and they don't really risk their random ID being taken, as the next time they login, that ID would become invalid anyway.

'Remember me' capabilities are never secure, but the MOST secure way that I've thought of to do it is to give them a randomly generated id that you store in the cookie. Each time that they are re-logged in and begin a new session, you use that generated id (as well as their username) to verify the user, then generate a new one for them. This way, if their cookies do get stolen, then don't run the risk of their password being given (even if it is hashed, it is still an unnecessary risk) and they don't really risk their random ID being taken, as the next time they login, that ID would become invalid anyway.

i agree i got this info last night from http://php.net
[php]
<?php

$Seperator = '--';
$uniqueID = 'Ju?hG&F0yh9?=/6*GVfd-d8u6f86hp';
$Data = 'Ahmet '.md5('123456789');

setcookie('VerifyUser', $Data.$Seperator.md5($Data.$uniqueID));

if ($_COOKIE) {
$Cut = explode($Seperator, $_COOKIE['VerifyUser']);
if (md5($Cut[0].$uniqueID) === $Cut[1]) {
$_COOKIE['VerifyUser'] = $Cut[0];
} else {
die('Cookie data is invalid!!!');
}
}

echo $_COOKIE['VerifyUser'];

?>[/php]

if i follow what u say then that means i gotta store that random id into my database along with the login credentials ?

is it so ? or make a single unique as shown in above code

recommend me please

Or a simple encoding using base64 can be this way.. atleast this will take some time to decode, will make it more complex .
[php]
<?php
$str="sachin";
$sp="--";
$str1= base64_encode(base64_encode($str).$sp.base64_encod e($str));


$str_a=explode("--",base64_decode($str1));
$username= base64_decode($str_a[0]);
?>[/php]

need suggestions guys.. Which technique is robust and efficient :)

thanks a bunch to everyone :)

but this must vary with the number of records, the more he records, heavier is the process and hence more are he resources, anyways will give it a try cause still my website gonna be at initial stage and when the number of users increases, i m sure i will come across something better till then :)

thanks a bunch

It doesn't matter how many records exist using this method, as I store the users ID as well as the SHA1 mess I created, I only need to fetch a single SHA1 hash for the user that has the userID in the cookie.

It's always a risk to store user info in cookies, but hashing something twice and throwing in another string the second time, thats pretty darn hard to break.
Especially if you'r thinking about usign base64 encoding, which a simple php function can decode.

Also, if you don't like storing the userID in the cokkie, you can always do what Volectricity suggested and create a disposable one randomly.

thanks a lot guys, with all you i am able to do these stuff :)

thanks a lot .

hashing something twice

Double hashing doesn't increase security. There are articles all over the internet in regards to it. Just FYI.