If passwords are stored in a user database as encrypted strings, using the crypt() function,
should passwords be stored in cookies as the encrypted strings from the database,
or is this a security flaw of some sort?
Passwords are never stored in cookies encrypted or not. That would be a huge security flaw.
Create a unique user ID (32 randomly generated characters or more), store that ID in the cookie with a corresponding entry in a database with which to determine the user's ID and other access privileges.
I find it easier to simply store the session_id in the cookie and then use $_SESSION to store the user's ID, then there's no need to create an entry in the database to match the user (unless you store sessions in the db but that's another subject).
I don't store the password in the session. However, sometimes I choose to store the hash of the password in the session (actually, it's a hash of what is stored in the database so it's a hash of a hash of the password). Then I use this hash on every page request to check if the password the user used to log in with is still valid. In this way if the password is changed - either by the user or directly in the database by an admin - then all sessions of this user are immediately invalidated so it's good for security.
That's a good idea. I hadn't considered the scenario of a password change during active sessions. Although, I am curious why you re-hash the already-encrypted password in the session variable.
You are right, technically the password in the db is already hashed so re-hashing is not necessary. I think I'm a bit too paranoid on security in this case and while a simple md5 or sha1 is very cheap so I do it
Okay, I figured that was probably the case, but I can definitely relate.
Thanks for the advice. =)
This topic is now closed. New replies are no longer allowed.