Is this user secure enough?

I am trying to move away from using md5() to store and compare passwords. So I want to start using password_hash().

Now, as I did it, I would store the username and the md5 of the password in my session or cookie (if they chose "remember me") and then check the database to see if any user exists with that username and that md5'd password. I understand that this is not very secure, so I want to stop doing it.

I can't do this anymore because the output of password_hash() is always changing, so I can't store the hash in my session and then validate it against the database, because I need to use password_verify() with the unhashed password.

So my question is: if I store a hashed "session id" and "token" in the user table when the user logs in successfully, and then store those in the session / persistent cookie along with the user id to check against the database, is that enough? When I say hashed "session id" and "token", I mean a sha256'd or even md5'd hash of large random numbers...

Example:

User login -> the hashed "session id" and "token" are persisted in the user / session cookies and their row in the database is updated with the hashed "session id" and "token".

User visits site -> code checks if their "session id" and "token" exist in the database based on their browser / cookie values. If so, the row found is assumed to represent the current user.

Any insight would be greatly appreciated.

+3

2 answers


What I would do, when a user logs in, is generate a unique ID for their login using uniqid() ( http://php.net/uniqid ) and then save it in a new table. Then check whether the uniqid stored in the cookie matches the one stored in the table.

You will need to make sure the table row is deleted when the user logs back in, but that would cause a problem if the user uses "remember me" across multiple devices, so I set an expiration date in the table for each id, and the login script:

  • SELECT * FROM 'UNIQIDS' WHERE $current_date_and_time > 'EXPIRE' and remove all results
  • Check for a cookie. If there is one and it matches a uniqid, create a session on the computer; also show the login page

After the user is logged in:

  • Check whether the table already has a uniqid for them.
  • If there is one saved and the current date and time is past its expiry, remove the row
  • If expired, generate a new one with a new expiration date corresponding to the expiration date of the cookie you are creating. If it hasn't expired yet, calculate the time between now and the time it expires, and create a cookie containing its value that will expire at the time you calculated.


This is very secure as it would be difficult to spoof this cookie and it never passes the password information of users to the client machine.

For more security, you can md5 the uniqid that you are generating, but there is no real need as it does not contain important information.

It's quite difficult, but if you do it step by step it shouldn't be impossible.

Good luck!

+1

For the best password hashes and their uses, and just for the example code below ...

$salts = ['cost' => 12]; password_hash("Password", PASSWORD_BCRYPT, $salts);

$salts is an array of options that is used when calling password_hash().

PASSWORD_BCRYPT is an algorithm that hashes the string with the identifier $2y$ using the Blowfish-based bcrypt algorithm. This outputs a 60-character string.

0
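Putting the two answers together as one runnable PHP example (added here; it is not code from the question or either answer): password_verify() for the login, a random_bytes() remember-me token whose sha256 is stored with an expiry, and hash_equals() for the comparison on the next visit. The $users array stands in for the database table and is constructed for the example; a real app would run the same logic with prepared statements.

```php
<?php
// Added example (not from the question or either answer). Assumes an
// in-memory $users array standing in for the database table; a real
// app would run the same logic with prepared statements.

declare(strict_types=1);

const TOKEN_LIFETIME = 30 * 24 * 3600; // 30 days, matches the cookie expiry

// Constructed user record: the password hash comes from password_hash().
$users = [
    'alice' => [
        'id'            => 1,
        'password_hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 12]),
        'token_hash'    => null, // sha256 of the remember-me token, never the token itself
        'token_expires' => 0,
    ],
];

// Login: verify with password_verify(), then mint a remember-me token.
// Only the hash of the token goes into the table; the raw token goes to the cookie.
function login(array &$users, string $user, string $password): ?string
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['password_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG, 256 bits of entropy
    $users[$user]['token_hash']    = hash('sha256', $token);
    $users[$user]['token_expires'] = time() + TOKEN_LIFETIME;
    return $token; // this value is what goes into the persistent cookie
}

// Returning visit: look the user up from the cookie, compare the hash of the
// presented token in constant time, and enforce the stored expiry.
function verifyRememberMe(array $users, string $user, string $cookieToken): bool
{
    $row = $users[$user] ?? null;
    if ($row === null || $row['token_hash'] === null || time() > $row['token_expires']) {
        return false;
    }
    return hash_equals($row['token_hash'], hash('sha256', $cookieToken));
}

$token = login($users, 'alice', 'correct horse');
var_dump(verifyRememberMe($users, 'alice', $token));
var_dump(verifyRememberMe($users, 'alice', str_repeat('0', 64)));
var_dump(login($users, 'alice', 'wrong'));
```

Because only sha256($token) is stored, a leaked copy of the table does not let anyone reconstruct a valid cookie, which is the property the question is after.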
