How to store passwords in databases and cookies (PHP / MySQL)

After reading this article and many others about how not to store passwords in databases and cookies, I am now wondering how I should do this...

What I have come up with so far (after reading a bit) takes the user's password in clear text, pads it with salt until it fills 512 bits (64 bytes => 64 characters, since the page is not Unicode) and then does

<?php
// $saltedpw: the clear-text password padded with salt to 64 bytes (see above)
$pwhash = hash('sha512', $saltedpw);
for ($i = 0; $i < 1000; $i++)
    $pwhash = hash('sha512', $pwhash);   // re-hash the hex digest 1000 times

I will then store (UserName, HashedPw, Salt) in the database, but what should I do with the cookie (to identify users who want to stay logged on after the session ends)?

+2




3 answers


First, calling hash 1000 times doesn't help anything, once is enough.

To remember the username in the cookie, you have two options:



  • As mentioned, you can create a random token and store it in the database along with the user's information. When a user who does not have a session cookie logs in to the site, you check for the token cookie and search the database. If you find a user with such a token, write it down. You might want to do some additional checks, such as whether the current IP address matches the IP address when you first log in.
  • You can store the user ID in a cookie, but then you need to sign the data with a secret key to make sure the user can't just change it. HMAC-SHA-1 is a good way to do this. The advantage is that you don't need to store any additional data in the database. You only need to verify the signature and look up the user ID. The downside is that you have to make sure the signing code is secure (HMAC-SHA-1 with a longer private key should do this).
+7


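The second option above (a signed user ID rather than a database token), as an added PHP example that is not part of this answer or the question; it uses HMAC-SHA-256 instead of the HMAC-SHA-1 named above, and assumes $secret is a long random key loaded from server-side configuration, never from the database:

```php
<?php
// Added example: "remember me" cookie carrying "userId.expiry.hmac".
// The client cannot forge or alter it without the server's secret key,
// and nothing extra has to be stored in the database.
const REMEMBER_COOKIE = 'remember';        // cookie name (assumed)
const REMEMBER_TTL    = 30 * 24 * 3600;    // lifetime in seconds (assumed: 30 days)

// Build the signed cookie value for a freshly logged-in user.
function issue_remember_cookie(int $userId, string $secret): string
{
    $expires = time() + REMEMBER_TTL;
    $payload = $userId . '.' . $expires;
    // HMAC over the whole payload, so the expiry is protected as well as the ID.
    $sig = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $sig;
}

// Verify a cookie value; returns the user ID, or null if it is malformed,
// tampered with, or expired.
function verify_remember_cookie(string $value, string $secret): ?int
{
    $parts = explode('.', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $sig] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;                       // reject before doing any crypto
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expires, $secret);
    // hash_equals() compares in constant time, so response timing does not
    // leak how many leading bytes of a guessed signature were correct.
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    if ((int)$expires < time()) {
        return null;                       // expired: require a fresh login
    }
    return (int)$userId;
}

// Usage (assumed $uid / $secret):
// on login, send the cookie with HttpOnly and Secure set so scripts and
// plain-HTTP requests never see it:
//   setcookie(REMEMBER_COOKIE, issue_remember_cookie($uid, $secret),
//             time() + REMEMBER_TTL, '/', '', true, true);
// on a request without a session:
//   $uid = verify_remember_cookie($_COOKIE[REMEMBER_COOKIE] ?? '', $secret);
```

Because nothing is stored server-side, a cookie like this cannot be revoked for a single user except by rotating the key; if you need per-user logout of remembered devices, include a per-user counter in the payload and bump it on password change.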


Only the hash code is stored in the database, and the cookie must contain the session ID, often referred to as SID. Another table stores all SIDs (with userID) and all of that. But don't forget PHP has a very simple and useful session API; better use it :)



0




You don't need to store the user's password in a cookie. You can create a long random string (similar to the session ID) that you store in the database and in the cookie. You can change this string every time the session expires and the user returns. When a user accesses the site, you can check the cookie value against the database and find out who the user is.

0








