Menu
So this is basically a reassurance that I'm doing the whole registration/login process right as far as hashing/salting goes.
I have a users table with the fields password, salt, token (obviously there are others but this is the most important). Upon registration it generate a random salt, and a random token, and it puts in the password field this:
hash("sha256", $theirpostpassword.$randomgeneratedsalt);
That random generated salt and token are stored in their respective fields in that users row in the table.
So upon login I select the salt ONLY from the users row with the username they specified. I then do a count query of how many rows have their post password concatenated with their specific salt, and then I log them in. Pretty sure I have that part down.
Now I was thinking to validate their login on every page I would have a function ran every page that checks their cookie to see if the format of id-username-token matches the row in the database. Meaning that every login it sets their cookie with those credentials.
Now the only thing I can think of to make it better is change the token every valid login?
Thanks for the insight guys.
319
Hashing is designed to solve the problem of needing to efficiently find or store an item in a collection. For example, if we have a list of 10,000 words of English and we want to check if a given word is in the list, it would be inefficient to successively compare the word with all 10,000 items until we find a match.
Hashing is simply passing some data through a formula that produces a result, called a hash. That hash is usually a string of characters and the hashes generated by a formula are always the same length, regardless of how much data you feed into it. For example, the MD5 formula always produces 32 character-long hashes.
Hashing is the practice of using an algorithm to map data of any size to a fixed length. This is called a hash value (or sometimes hash code or hash sums or even a hash digest if you're feeling fancy). Whereas encryption is a two-way function, hashing is a one-way function.
Hashing is the process of generating a value from a text or a list of numbers using a mathematical function known as a hash function. A Hash Function is a function that converts a given numeric or alphanumeric key to a small practical integer value. The mapped integer value is used as an index in the hash table.
Yes, you should definitely be changing tokens with every login. Otherwise a token stolen once is an account stolen forever. Users expect that logging off secures their session from attack by invalidating their cookies or other data.
Rather than the token being random, you can make it serve as a signature, by generating it from a hash of the user id, session expiry time, and whatever else you want in the cookie, plus a salt (just like the login system). This salt doesn't have to come from the database, but it can. It could be a hardcoded string (sometimes called a "pepper" I think). Remember to treat the cookie as invalid if it's past the expiry time. That's why the token should be a signature, to make sure they didn't spoof that data.
143
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
