Login & Cookie Security
#1

[eluser]georgerobbo[/eluser]
Hello,

I have a few questions about login and cookie security.


Of course you should have all passwords in your database encrypted. However, is it possible to intercept the password or any data from a form before it is encrypted by the server?

Secondly, when setting a cookie after a user has logged in, should you do:

a cookie with a value set to true to say they are logged in

or a cookie containing a username and another containing their encrypted password / or a specific session ID?
#2

[eluser]jedd[/eluser]
[quote author="georgerobbo" date="1256934665"]
Of course you should have all passwords in your database encrypted.
[/quote]

Why?

Quote: However, is it possible to intercept the password or any data from a form before it is encrypted by the server?

Yes.

Do you mean 'how', or 'how do I reduce the chance of this happening'?

Quote: Secondly, when setting a cookie after a user has logged in, should you do:

a cookie with a value set to true to say they are logged in

or a cookie containing a username and another containing their encrypted password / or a specific session ID?

Assuming no complex ACLs are in play - that you simply want to be able to identify, via session data, if a user is logged in or not - then I just use a single session variable of 'username'. I clear that on user logout.
#3

[eluser]Xeoncross[/eluser]
[quote author="georgerobbo" date="1256934665"]Of course you should have all passwords in your database encrypted.[/quote]

I think you mean hashed. Unless you MUST store the username/password (twitter login before OAuth) then you should only have salted and hashed passwords in your DB.
#4

[eluser]bretticus[/eluser]
[quote author="georgerobbo" date="1256934665"]Hello,

I have a few questions about login and cookie security.


Of course you should have all passwords in your database encrypted. However is it possible to intercept the password or any data from a form before it is encrypted by the server?
[/quote]
Yes. This is why SSL was invented. If you can't use it, I suggest using JavaScript to hash the password with a random salt before transmitting. Also, store the result in a database so the hash token cannot be replayed.
[quote author="georgerobbo" date="1256934665"]
Secondly when setting a cookie after a user has logged in should you do:

a cookie with a value set to true to say they are logged in

or a cookie containing a username and another containing their encrypted password / or a specific session ID?[/quote]

Just use CI sessions and be sure to turn on session encryption via config.php file.
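An added illustration, not code from this thread or from CodeIgniter, of the two points the replies make: Xeoncross's salted-and-hashed password storage, and jedd's and bretticus's server-side session where the cookie carries nothing but an opaque session id that the server resolves to a username. It assumes in-memory dicts in place of the database and CI's session store, and uses PBKDF2-SHA256 as the hash.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed in-memory stores standing in for the database and the
# server-side session table (a real app would back these with a DB / CI sessions).
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # opaque session id -> username

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means two equal
    passwords get different hashes, so a leaked table cannot be cracked in bulk."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}   # the plaintext is never stored


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare


def login(username: str, password: str) -> Optional[str]:
    """On success return the only value that goes into the cookie: a random,
    opaque session id. Username and password hash stay on the server."""
    if not verify_password(username, password):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def current_user(cookie_value: str) -> Optional[str]:
    """Resolve the cookie's session id back to a username, if the session is live."""
    return SESSIONS.get(cookie_value)


def logout(cookie_value: str) -> None:
    SESSIONS.pop(cookie_value, None)   # invalidated server-side; the cookie is now useless
```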
