What is the correct and safe/secure way to keep a user logged in? cookies? session? PHP && MYSQL

Earlier I was asking how to correctly log out a user; now I see that using only cookies to keep a user logged in is not secure at all.

Keeping the password in a cookie is not a secure way to do it, so my question is: what is the correct way to log in and keep the user logged in on my website?

Currently I store the user ID, which is the same one the URL needs to show user X's profile, and the email and password encrypted in MD5.

setcookie is the only function I use on a successful login. I only use sessions to store random numbers in hidden fields to avoid repeated form submissions.

• Can you show me the correct and secure way to do it?
• What is your way to do it?

PHP only. Two months in PHP, all learned from your answers. Thanks

asked May 12 '12 20:05 by Bona Chon


1 Answer

First, let me tell you this. Nothing is 100% secure. Nothing is airtight, and nothing is sacred. If motivated enough, an attacker will break every server-side defense you may put up (unless you are using HTTPS, which is a different story).

You may use cookies, but cookies are highly exposed and easily modified. Never store private data or access levels in a cookie, as they are easily stolen or modified by an attacker.

Sessions are not 100% safe either. The session ID, which the server uses to identify the client, is sent in one of two ways: a $_GET variable (bad) or a cookie (better, but still pretty bad). This means that if you are logged in as the administrator over unsecured WiFi, a skilled attacker (and by skilled I mean a pr0 haxx0r that downloaded a simple HTTP sniffer) can easily steal your session ID. And while he does not get your password, the server will wrongly identify the attacker as you and grant him any access you may have.

So what to do? Sessions are in most cases safe. Advise your users not to log in on an unsecured network (buses, internet cafes, etc.). If you want your users' authorization to persist over time, a cookie is required. I usually use a two-cookie system when I need that:

```php
userid=12345
hash=password_hash($userid . $hashed_password, PASSWORD_DEFAULT)
```

Then I have something to match against, and the user's details aren't revealed.

But like I said, at the end of the day, if you really REALLY want to secure your users, on top of everything else written in this answer, get yourself HTTPS.

answered Oct 03 '22 15:10 by Madara's Ghost
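The two-cookie scheme from the answer above, as an added PHP example that is not the answer's own code: cookie 1 carries the user id, cookie 2 a password_hash() of the id concatenated with the stored password hash, and the server re-verifies it with password_verify() on later visits. The $users array (standing in for the database), the cookie names, the 30-day lifetime and the cookie flags are assumptions.

```php
<?php
// Added example of the two-cookie "remember me" scheme; not the answer's code.
// $users stands in for the users table (id => stored password hash column);
// the cookie names, lifetime and flags are assumptions for this example.
// Constructed stand-in for the database: one user with a bcrypt password hash.
$users = [
    12345 => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Called after a successful password login. The raw password never reaches the
// browser: the token is a hash of (userid . stored hash), so changing the
// password also invalidates every remember-me cookie issued before it.
function issue_remember_cookies(int $userid, string $hashed_password): void
{
    $token = password_hash($userid . $hashed_password, PASSWORD_DEFAULT);
    $opts = [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,   // HTTPS only, as the answer recommends
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ];
    setcookie('userid', (string) $userid, $opts);  // options array needs PHP 7.3+
    setcookie('hash', $token, $opts);
}

// Returns the user id the cookies prove, or null if they are missing,
// tampered with, or refer to an unknown user.
function user_from_remember_cookies(array $cookies, array $users): ?int
{
    if (!isset($cookies['userid'], $cookies['hash'])) {
        return null;
    }
    $userid = filter_var($cookies['userid'], FILTER_VALIDATE_INT);
    if ($userid === false || !isset($users[$userid])) {
        return null;
    }
    // Rebuild the hashed input from the server-side record only; a modified
    // userid or hash cookie fails this check without revealing anything.
    return password_verify($userid . $users[$userid], $cookies['hash'])
        ? $userid : null;
}

// Demonstration with a constructed cookie jar instead of $_COOKIE.
$jar = ['userid' => '12345',
        'hash'   => password_hash(12345 . $users[12345], PASSWORD_DEFAULT)];
var_dump(user_from_remember_cookies($jar, $users));
$jar['userid'] = '99999';   // tampered id: the hash cookie was issued for 12345
var_dump(user_from_remember_cookies($jar, $users));
```

Because the token depends only on the user id and the stored password hash, every browser holding the cookie stays logged in until the password changes; if you need per-device revocation, store a separate random token per login in the database instead.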