Reputation: 2866
I use a cookie for Remember Me functionality.
This is how I set the cookie:
$value = $dbusername.'|'.$dbpassword;
setcookie('abc', $value, time()+60*60*24*180, '/');
Retrieve cookie:
$cookie = $_COOKIE['abc'];
$values = explode("|", $cookie);
$username_ck = $values[0]; //ck stands for cookie
$password_ck = $values[1];
What is a good way to secure my cookies (username/password)? The password in my database is stored in plain text. I don't want to encrypt the password in the db.
Upvotes: 0
Views: 147
Reputation: 72652
First: you should NEVER EVER store passwords in plain text in the db!
Second: you should NEVER EVER store passwords in plain text in cookies!
Third: if you use cookies to implement something like a remember me option, you don't need to store the password in the cookie, but rather a random token stored in both the db and the cookie, which automatically gets invalidated every time the user logs on; also create a new one every time the user logs in.
Also did I already mention to NEVER EVER STORE PASSWORDS IN PLAIN TEXT?
EDIT
Please also check out: http://jaspan.com/improved_persistent_login_cookie_best_practice
Which describes the best way of using cookies (basically a step-by-step explanation of what I already tried telling you). I say the best way since I haven't found a better way yet :)
Upvotes: 3
Reputation: 1620
I believe you should replace that whole code, to be honest, and do some research into sessions. The reason I say that is:
Firstly, your sessions are already secure. What a session does is put 1 cookie with a token on the user's computer, and store the rest of the data on the server. So you don't necessarily need to encrypt the password and username, yet you can still have some strength.
Secondly, people across multiple IPs can't copy sessions, as they are checked against a computer name and other simple stuff to ensure authenticity.
Thirdly, sessions are a lot quicker than cookies. Every time a page is loaded, the browser has to send ALL the cookies to the server. This can be quite a lot of memory. Whereas a session only has one cookie.
To store session data, you can do the following:
session_start(); // Has to go at the top of your page, on each page that uses a session.
$_SESSION['USERNAME'] = $dbusername;
$_SESSION['PASSWORD'] = $dbpassword;
// And to retrieve, you just call back the parameter.
$username = $_SESSION['USERNAME'];
Check out the PHP Manual for more information: http://www.php.net/manual/en/session.examples.basic.php
Upvotes: 0
Reputation: 5082
Add in the user table a field called remember_key VARCHAR(32).
When the user logs in, set this in the user table:
$remember = md5(uniqid(mt_rand(), true)); // 32-character random token
// update query (prepared statement, so the values are bound rather than interpolated):
$stmt = $pdo->prepare('UPDATE user SET remember_key = ? WHERE id = ?');
$stmt->execute([$remember, $id]);
// When the user re-enters the page, look the cookie up in the user table:
$stmt = $pdo->prepare('SELECT * FROM user WHERE remember_key = ?');
$stmt->execute([$_COOKIE['remember'] ?? '']);
if (count($stmt->fetchAll()) == 1)
    $login = true;
Sorry, pseudo code, and also don't forget to escape strings.
I will update the answer
Upvotes: 0
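The random-token scheme that the two answers above describe (a token in both the database and the cookie, invalidated and reissued on every login), written out as an added example. This is not code from the question or from any answer; the `users` table, the in-memory SQLite connection, the cookie name and the sample user are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not code from the question or any answer. It implements the
// "random token instead of credentials" remember-me scheme: the token comes
// from the CSPRNG, only its hash is stored server-side, and it is rotated on
// every use and every login. Table, DB connection and cookie name are assumed.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 180;   // 180 days, as in the question

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, remember_key TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");   // constructed sample user

// After a successful password login: mint a fresh token, keep only its hash in
// the database (a leaked table then yields no usable cookies) and send the raw
// token to the browser together with the user id it belongs to.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET remember_key = :key WHERE id = :id');
    $stmt->execute([':key' => hash('sha256', $token), ':id' => $userId]);
    setcookie(REMEMBER_COOKIE, $userId . ':' . $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return $token;
}

// On a later visit without a session: parse "<id>:<token>", fetch the stored
// hash for that id, compare in constant time, then rotate the token so the
// cookie just presented cannot be replayed.
function loginFromRememberCookie(PDO $db, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $userId = (int) $parts[0];
    $stmt = $db->prepare('SELECT remember_key FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $parts[1]))) {
        return null;
    }
    issueRememberToken($db, $userId);   // the old token is now invalid
    return $userId;
}

// On logout: drop the stored hash so any outstanding cookie stops working.
function revokeRememberToken(PDO $db, int $userId): void
{
    $stmt = $db->prepare('UPDATE users SET remember_key = NULL WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Walk-through (run from the CLI, where setcookie() headers are discarded).
$token  = issueRememberToken($db, 1);
$cookie = '1:' . $token;
$first  = loginFromRememberCookie($db, $cookie);                  // accepted, token rotated
$replay = loginFromRememberCookie($db, $cookie);                  // same cookie again
$forged = loginFromRememberCookie($db, '1:' . str_repeat('0', 64)); // guessed token
revokeRememberToken($db, 1);
echo "first use: ", var_export($first, true), "\n";
echo "replay:    ", var_export($replay, true), "\n";
echo "forged:    ", var_export($forged, true), "\n";
```

Hashing the token before storing it, rather than storing it directly as the answer above does, means a database dump cannot be turned straight into valid cookies; rotating on every use means a copied cookie works at most once, and the legitimate user's next visit then fails, which is a useful signal that the cookie was stolen.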
Reputation: 1314
You should NEVER, EVER, EVER, EVER store plaintext passwords in your database. Just google 'plaintext passwords in database' to find out why. Your password should be stored as (at least) a SHA1 hash, along with a random salt, in the database.
You can't secure your cookie the way you're doing it. You're leaving yourself open to cross-site request forgery, if not worse. You should also generate a secure random hash to sign the cookie (if not encrypt it) so that its validity can be assured. But nothing password related should ever end up in the cookie; if you need to store private data in the session (which you should avoid anyhow), you should store the session in the DB or memcache.
I'm only trying to be helpful, but this method of session maintenance is beyond insane. Please, please, please reconsider.
Upvotes: 3
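The "sign the cookie so that its validity can be assured" point from the answer above, as an added example that is not the answerer's code: an HMAC-SHA256 tag over the encoded cookie payload, checked in constant time before the payload is decoded. The key derivation, the JSON field names and the sample payload are assumptions for the demo.

```php
<?php
// Added example, not code from the answer: a tamper-evident cookie value of
// the form "<base64 payload>.<hmac>". The key, field names and sample payload
// are constructed for the demo.
declare(strict_types=1);

// In real use, load a 32-byte secret from configuration; this one is derived
// from a fixed string only so the script runs stand-alone.
$key = hash('sha256', 'demo-only-key-material', true);

// Encode the payload and append an HMAC over the encoded bytes. Base64 never
// contains '.', so the separator is unambiguous.
function signCookieValue(array $payload, string $key): string
{
    $encoded = base64_encode(json_encode($payload, JSON_THROW_ON_ERROR));
    return $encoded . '.' . hash_hmac('sha256', $encoded, $key);
}

// Recompute the MAC before decoding anything; reject on mismatch, malformed
// input or an expired 'exp' claim. Returns the payload array or null.
function verifyCookieValue(string $value, string $key, int $now): ?array
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $encoded, $key), $mac)) {
        return null;
    }
    $json    = base64_decode($encoded, true);
    $payload = $json === false ? null : json_decode($json, true);
    if (!is_array($payload) || !isset($payload['exp']) || $payload['exp'] < $now) {
        return null;
    }
    return $payload;
}

$now    = time();
$cookie = signCookieValue(['uid' => 42, 'exp' => $now + 3600], $key);   // constructed payload

// Flip one character of the payload part: the MAC no longer matches.
$tampered    = $cookie;
$tampered[0] = $tampered[0] === 'A' ? 'B' : 'A';

$expired = signCookieValue(['uid' => 42, 'exp' => $now - 1], $key);

echo "valid:    ", var_export(verifyCookieValue($cookie, $key, $now), true), "\n";
echo "tampered: ", var_export(verifyCookieValue($tampered, $key, $now), true), "\n";
echo "expired:  ", var_export(verifyCookieValue($expired, $key, $now), true), "\n";
```

A MAC only proves the server produced the value; it does not hide the payload (base64 is not encryption) and does not stop a captured cookie from being replayed until `exp` passes, which is why the answer still says nothing password related belongs in it.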
Reputation: 599
You should really encrypt your password. At least use md5 for it, if you want to compare an input by the user with that value from the database just encrypt that input and compare it...
One more thing, you shouldn't store a password in a cookie.
Upvotes: 0
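The "hash the password and compare the hash of the input" step that the two answers above call for, as an added example that is not either answerer's code. It uses PHP's `password_hash()` / `password_verify()` (bcrypt with a per-password random salt embedded in the hash string) in place of a bare md5 or SHA1 digest; the SQLite schema and the sample account are constructed for the demo.

```php
<?php
// Added example, not code from either answer. Registration stores only a
// salted bcrypt hash; login verifies the submitted password against it and
// upgrades the hash when PHP's default cost or algorithm has changed.
// The schema and sample credentials are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Registration: the salt is generated and embedded in the hash string by
// password_hash(), so no separate salt column is needed.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: returns the user id on success, null otherwise.
function checkLogin(PDO $db, string $username, string $password): ?int
{
    // Verified against a dummy hash when the username is unknown, so response
    // time does not reveal which accounts exist.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy-password', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = $row['password_hash'] ?? $dummyHash;

    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparent upgrade: rehash with current parameters after a good login.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

registerUser($db, 'alice', 'correct horse battery staple');   // constructed credentials
echo "right password: ", var_export(checkLogin($db, 'alice', 'correct horse battery staple'), true), "\n";
echo "wrong password: ", var_export(checkLogin($db, 'alice', 'hunter2'), true), "\n";
echo "unknown user:   ", var_export(checkLogin($db, 'mallory', 'hunter2'), true), "\n";
```

The stored hash can only be checked, not reversed, so the plaintext password never needs to exist on the server or in a cookie after the login request is processed.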
Reputation: 10635
You should never store passwords in a cookie, since it displays them as plain text. If a hacker catches that cookie, opens it up and finds the password, it's only a matter of time before they find the username.
Bad practice. Store everything you need in a database and start using $_SESSION[].
Upvotes: 1