Login & Cookie Security - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
Thread: Login & Cookie Security (/showthread.php?tid=24091)

Login & Cookie Security - El Forum - 10-30-2009
georgerobbo:

Hello, I have a few questions about login and cookie security.

Of course you should have all passwords in your database encrypted. However, is it possible to intercept the password or any data from a form before it is encrypted by the server?

Secondly, when setting a cookie after a user has logged in, should you use: a cookie with a value set to true to say they are logged in, or a cookie containing a username and another containing their encrypted password, or a specific session ID?

Login & Cookie Security - El Forum - 10-30-2009
jedd:

georgerobbo wrote:
> Of course you should have all passwords in your database encrypted.

Why?

> However is it possible to intercept the password or any data from a form before it is encrypted by the server?

Yes. Do you mean 'how', or 'how do I reduce the chance of this happening'?

> Secondly when setting a cookie after a user has logged in should you do:

Assuming no complex ACLs are in play - that you simply want to be able to identify, via session data, if a user is logged in or not - then I just use a single session variable of 'username'. I clear that on user logout.

Login & Cookie Security - El Forum - 10-30-2009
Xeoncross:

georgerobbo wrote:
> Of course you should have all passwords in your database encrypted.

I think you mean hashed. Unless you MUST store the username/password (Twitter login before OAuth), then you should only have salted and hashed passwords in your DB.

Login & Cookie Security - El Forum - 10-30-2009
bretticus:

georgerobbo wrote:
> Hello, I have a few questions about login and cookie security. Of course you should have all passwords in your database encrypted. However is it possible to intercept the password or any data from a form before it is encrypted by the server?

Yes. This is why SSL was invented. If you can't use it, I suggest using JavaScript to hash the password with a random salt before transmitting. Also, store the result in a database so the hash token cannot be replayed.

georgerobbo wrote:
> Secondly when setting a cookie after a user has logged in should you do: a cookie with a value set to true to say they are logged in or a cookie containing a username and another containing their encrypted password / or a specific session ID?

Just use CI sessions and be sure to turn on session encryption via the config.php file.
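As an added example (not code from the thread or from CodeIgniter), a plain-PHP login flow that follows the advice in the replies above: only salted hashes in the database, only a session ID in the browser's cookie, and a single server-side session variable holding the username. The `$users` array is a constructed stand-in for a database table, and `register`, `login`, `currentUser` and `logout` are names chosen here, not a library API.

```php
<?php
// Added example, not from the thread or CodeIgniter. Passwords are stored only
// as salted hashes (password_hash() generates the salt itself); the browser
// receives nothing but the PHP session ID cookie, so neither the username nor
// the password hash ever leaves the server.
declare(strict_types=1);

// Registration: store only the salted hash, never the plaintext password.
function register(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify() re-hashes with the stored salt and compares in
// constant time; on success keep only the username in the server-side session,
// as jedd describes, and issue a fresh session ID to defeat session fixation.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    return true;
}

function currentUser(): ?string
{
    return $_SESSION['username'] ?? null;
}

// Logout: clear the session variable and destroy the session.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Cookie hardening for the session ID: not readable by JavaScript and only
// sent over HTTPS (SSL, as bretticus notes, is what protects the form POST).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

$users = [];                                   // constructed in-memory "table"
register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'wrong'));
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(currentUser());
logout();
```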