CodeIgniter Forums
Suitabe tokens for autologin? - Printable Version




Suitabe tokens for autologin? - wolfgang1983 - 07-27-2016

I have a function below which creates / inserts the customer's autologin information.

However, I am not sure if the tokens and unique_tokens are secure enough.

There is no personal information set in the cookie, just tokens.

Should I improve the tokens? What would you suggest for tokens?


PHP Code:
public function create_autologin($customer_id)
{
    // IV size of CAST-256 in CFB mode, used here only as the random token length
    $size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);
    $msg = uniqid(rand());
    $key = $this->CI->config->item('encryption_key');
    // token: the uniqid/rand value encrypted with the application key
    $token = $this->CI->encrypt->encode($msg, $key);
    // unique_token: random bytes from /dev/random, hex encoded
    $unique_token = bin2hex(mcrypt_create_iv($size, MCRYPT_DEV_RANDOM));

    $data = array(
        'customer_id'  => $customer_id,
        'token'        => $token,
        'unique_token' => $unique_token,
        'created'      => time()
    );

    if ($this->CI->db->insert($this->CI->db->dbprefix . 'customer_autologin', $data)) {

        // cookie carries only the two tokens; secure = false, httponly = true
        setcookie('remember', "$token:$unique_token", $this->set_the_time_for_cookie_to_expire, '/', '.localhost', false, true);

        $session_data = array(
            'customer_id'  => $customer_id,
            'is_logged_in' => true
        );

        $this->CI->session->set_userdata($session_data);
    }
}




RE: Suitabe tokens for autologin? - InsiteFX - 07-27-2016

This is how I do it; there may be better ways, not sure.

PHP Code:
    /**
     * guidV4 ()
     * ------------------------------------------------------------------------
     *
     * generates a GUID with 36 characters including hyphens
     *
     * Usage: $tmp = self::guidV4();
     *
     *                       |-4  |- 8 9 a b
     * Format: XXXXXXXX-XXXX-4XXX-yXXX-XXXXXXXXXXXX
     *
     * @return string
     */
    public static function guidV4()
    {
        // this is for MS Windows Systems.
        if (function_exists('com_create_guid') === true)
        {
            return trim(com_create_guid(), '{}');
        }

        // 16 random bytes from OpenSSL's CSPRNG
        $data = openssl_random_pseudo_bytes(16);

        $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0100
        $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10

        // 32 hex chars split into 4-char groups and joined as 8-4-4-4-12
        return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
    }

    /**
     * generateToken ()
     * --------------------------------------------------------------------
     *
     * Generates an array with selector | validator then it will hash them
     *
     * USAGE: generateToken();
     *
     * @return  array
     */
    private function generateToken()
    {
        /**
         * If you define a namespace, you can prefix it to the GUID
         * Just un-remark the line below and rem the other line.
         */

        //$tmp = Uuid_Namespace."-".self::guidV4();
        $tmp = self::guidV4();

        $tokenData = array(
            'selector' => $tmp,
            'token'    => base64_encode(hash('sha256', $tmp)),
        );

        return $tokenData;
    }



RE: Suitabe tokens for autologin? - CallHimX - 07-27-2016

In the end, nothing is secure enough to prevent all attacks, if there is someone out there.
If you log in your user with a "Remember-Token", the token should be completely random (obviously 100% unique), nothing related to the user.
So the possible attacker has to trial and error thousands of random tokens to get access to an account, which is nearly impossible.

But in case the attacker has access to the machine of your user, in any way you want, a Trojan maybe, he can read out the cookie data,
and no master-unhackable-super-token can prevent the attacker from getting into this account.
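As an added example (not code from any poster in this thread, and not part of CodeIgniter), here is the selector/validator scheme that InsiteFX's generateToken() sketches, built on the fully random, user-unrelated token CallHimX recommends: the cookie holds selector:validator, the database keeps only a hash of the validator, and lookup is by selector with a constant-time comparison. It assumes PHP 7+ and uses an in-memory array in place of the customer_autologin table.

```php
<?php
// Added example, not from the thread: selector/validator "remember me" tokens.
// Assumes PHP 7+ (random_bytes, hash_equals). $store stands in for the
// customer_autologin table; replace it with real DB queries in practice.

const SELECTOR_BYTES  = 12;   // public lookup key, stored in clear
const VALIDATOR_BYTES = 32;   // secret; only its hash is stored server-side

// Create a token pair for a customer and return the value to put in the cookie.
function create_autologin(int $customer_id, array &$store): string
{
    $selector  = bin2hex(random_bytes(SELECTOR_BYTES));   // CSPRNG, unrelated to the user
    $validator = bin2hex(random_bytes(VALIDATOR_BYTES));

    $store[$selector] = [
        'customer_id'    => $customer_id,
        'validator_hash' => hash('sha256', $validator),    // a DB leak does not yield a usable cookie
        'expires'        => time() + 30 * 24 * 3600,       // 30 days
    ];
    // Send with secure=true, httponly=true; e.g. setcookie('remember', $cookie, ...)
    return $selector . ':' . $validator;
}

// Validate a cookie value; returns the customer id, or null if it is not accepted.
function check_autologin(string $cookie, array &$store): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;                                       // unknown selector
    }
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        unset($store[$selector]);                          // expired: clean up
        return null;
    }
    // hash_equals compares in constant time, so timing does not leak the hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($store[$selector]);                          // selector known but secret wrong: revoke
        return null;
    }
    return $row['customer_id'];
}

$store  = [];
$cookie = create_autologin(42, $store);
var_dump(check_autologin($cookie, $store));
var_dump(check_autologin(substr($cookie, 0, -1) . 'x', $store));
```

The second check fails and also deletes the row, so a stolen-and-tampered cookie invalidates the series rather than leaving it open for further guesses.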


RE: Suitabe tokens for autologin? - wolfgang1983 - 07-27-2016

(07-27-2016, 03:31 AM)InsiteFX Wrote: This is how I do it; there may be better ways, not sure.


Thanks for the code, I will play around with it and see how I go.