Reputation: 16055
Select where md5 (User recognition from remember me hash)
I'm building a users system plugin for a framework but the way I've currently set it up does not satisfy me. When the 'remember me' box is checked I create a cookie
setcookie('rmb', md5('salt'.$id), ...);
There are a few things I don't like about this. When I recreate a session from this cookie I do the following
$db->prepare('SELECT id FROM users WHERE md5(CONCAT("salt",id)) = ?')
->execute([$_COOKIE['rmb']])
->fetch();
Which seems alright but if I explain the query this is what I get
Highly inefficient, may run for hours, potentially. Apart from hashing with md5 being extremely insecure this system really doesn't seem reliable. Could you guys give me some pointers on how I can identify a user from a remember-me cookie hash efficiently and securely?
Upvotes: 1
Views: 182
Answers (1)
Reputation: 11403
I think you can just create a challenge that the client should send as a cookie in subsequent requests. When the user logs in:
setcookie('username', put_username_here, ...);
setcookie('challenge', long_random_char_sequence, ...);
// UPDATE users SET challenge = ... WHERE username = ...
When the user connects again something like:
// SELECT ... FROM users WHERE username = $_COOKIE['username'] AND challenge = $_COOKIE['challenge']
This won't compile, there is no input sanitization, etc... It's just the workflow you may try to implement.
If you want to do even better, see this.
Upvotes: 3
Related Questions
- How to use the md5 hash?
- Using MD5() in SELECT Query does not return results
- Query a field wiith md5 version of id
- how to compare my inserted password to md5 hash in php
- MySQL MD5 SELECT
- Query doenot work for md5(id) in where
- Check a field in MySql from a php md5 string
- Query MySql database with md5 passwords
- Checking md5(password) match value stored in mysql
- PHP Mysql select email using MD5 on where clause