Is storing md5 password in a cookie unsafe?
#1

[eluser]Kraig[/eluser]
So I have a regular session set and when it expires the user is logged out. However, if the user clicked the "Remember Me" box then I want to regenerate a session from the cookies I create. Now on certain pages I check for login using
Code:
$is_logged_in = $this->loggedin->loggedin();
My loggedin library class checks for the session first, and if it's true then I will return true. Now if the user has cookies and the session has expired I use the cookies to create a new session. For some reason I don't think this is the most secure thing even though the data is hashed with md5. Is there a better approach to this?

Here's what happens when a user is logged in:

Code:
if ($q) // if the user's credentials validated...
{
    if ($this->input->post('rememberMe') == '1')
    {
        // Session data (the plaintext password is kept in the session here)
        $data = array(
            'id'           => $userID,
            'username'     => $username,
            'password'     => $password,
            'is_logged_in' => true
        );

        $this->session->set_userdata($data);

        // "Remember Me": one cookie each for user ID, username,
        // md5 of the password and a logged-in flag (expire is in seconds)
        $cookie = array(
            'name'   => 'userID',
            'value'  => $userID,
            'expire' => '1184400'
        );
        $this->input->set_cookie($cookie);

        $cookie = array(
            'name'   => 'username',
            'value'  => $username,
            'expire' => '1184400'
        );
        $this->input->set_cookie($cookie);

        $cookie = array(
            'name'   => 'password',
            'value'  => md5($password),
            'expire' => '1184400'
        );
        $this->input->set_cookie($cookie);

        $cookie = array(
            'name'   => 'is_logged_in',
            'value'  => 'true',
            'expire' => '1184400'
        );
        $this->input->set_cookie($cookie);
    }
    else
    {
        // No "Remember Me": session only
        $data = array(
            'id'           => $userID,
            'username'     => $username,
            'password'     => $password,
            'is_logged_in' => true
        );

        $this->session->set_userdata($data);
    }

    // returnurl comes from the form; restrict it to local paths before redirecting
    redirect($this->input->post('returnurl'));
    exit();
}
else
{
    // Set the message before rendering the login page again
    $err[] = 'Username and or password are incorrect.';
    $this->index();
}


LoggedIn class: (cookie section)
Code:
elseif ($CI->input->cookie('username', TRUE) && $CI->input->cookie('password', TRUE))
{
    $username = $CI->input->cookie('username', TRUE);
    $password = $CI->input->cookie('password', TRUE); // the md5 value set at login

    // Validate the cookie values explicitly (assumes validate() takes the
    // credentials as arguments, like getUserID() below); with no arguments
    // there is nothing from the cookie path for it to check
    $q = $CI->membership_model->validate($username, $password);

    if ($q)
    {
        // Get user ID for new session
        $userID = $CI->membership_model->getUserID($username, $password);

        // If user is still logged in, refresh the cookies
        $cookie = array(
            'name'   => 'username',
            'value'  => $username,
            'expire' => '1184400'
        );
        $CI->input->set_cookie($cookie);

        $cookie = array(
            'name'   => 'password',
            'value'  => $password,
            'expire' => '1184400'
        );
        $CI->input->set_cookie($cookie);

        $cookie = array(
            'name'   => 'is_logged_in',
            'value'  => 'true',
            'expire' => '1184400'
        );
        $CI->input->set_cookie($cookie);

        // Need to re-establish the session
        $data = array(
            'id'           => $userID,
            'username'     => $username,
            'password'     => $password,
            'is_logged_in' => true
        );
        $CI->session->sess_destroy(); // Destroy old session
        $CI->session->set_userdata($data);

        return true;
    }

    // Cookies present but they did not validate: NOT logged in.
    // (The original returned true here regardless of $q.)
    return false;
}
#2

[eluser]Aken[/eluser]
Never store a password anywhere except the database (and you should use a much better hashing algorithm than MD5, which is not secure). The user ID cookie itself should be more than enough.
#3

[eluser]Kraig[/eluser]
[quote author="Aken" date="1355953706"]Never store a password anywhere except the database (and you should use a much better hashing algorithm than MD5, which is not secure). The user ID cookie itself should be more than enough.[/quote]

So you would create a session table in the database and store the user id, password, and username there....then if the session expired and you needed to reverify the user's login by "cookies", you would use the cookie userID (would you encrypt this) to query the session table in the DB? What type of encryption are you thinking of? I thought md5 was one of the safer encryptions...
#4

[eluser]CroNiX[/eluser]
http://www.stottmeister.com/blog/2009/04...passwords/

I wouldn't use md5 for pw storage, especially if you don't use at least 2 salts. One contained in the file system and another in the database. And I would never store it in a cookie. Use the session for that.
#5

[eluser]Kraig[/eluser]
What would you store in the cookie? That way when you access it you can query the DB and get the results..
#6

[eluser]CroNiX[/eluser]
Look at using CI's db sessions. The only thing that gets stored in the cookie (that anyone using that computer can read), is the session id and NO user data. The data is stored in the database.

The only thing you should really use the password for is when the user types it to log in on the login form, and then you indicate in their session that they are logged in and retrieve their details and store them in the session. Transmitting it around from that point forward, once validated, just opens a lot of unnecessary potential security holes. Then on the next page load, the session class will retrieve the session ID from the cookie and load their stored session data from the session table based on the id. The protected controllers (or base controller) should then check to see if the user is logged in via their session data before allowing access to anything.
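As an added example (not code from this thread or from CodeIgniter's own sources), here is what CroNiX's suggestion looks like in CodeIgniter 2.x: the config keys that move session data out of the cookie and into the database, shown with the weak setting beside the corrected one, and an assumed base controller (`MY_Controller` uses CI's default extension prefix; `Auth_Controller` and the `login` route are placeholder names) that gates protected pages on the session flag rather than on anything readable from the cookie. The `ci_sessions` layout is the one CI 2.1's Session class documents.

```php
<?php
// Added example, not from this thread or from CodeIgniter's own sources.
// Part 1: CodeIgniter 2.x session config (application/config/config.php).

// Weak: with the database off, all userdata is serialised into the cookie,
// where anyone with access to the browser can read it.
// $config['sess_use_database'] = FALSE;

// Corrected: the cookie carries only the session id; userdata lives in the DB.
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;   // seconds; 0 = never expire
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie']  = TRUE;   // requires a non-empty encryption_key
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;    // regenerate the session id every 5 minutes
$config['cookie_secure']        = TRUE;   // send the cookie over HTTPS only
$config['encryption_key']       = 'REPLACE-WITH-32-RANDOM-CHARACTERS'; // placeholder

// Table layout as documented for CI 2.1's Session class (run once, MySQL):
// CREATE TABLE IF NOT EXISTS `ci_sessions` (
//   session_id    varchar(40)      DEFAULT '0' NOT NULL,
//   ip_address    varchar(45)      DEFAULT '0' NOT NULL,
//   user_agent    varchar(120)     NOT NULL,
//   last_activity int(10) unsigned DEFAULT 0 NOT NULL,
//   user_data     text             NOT NULL,
//   PRIMARY KEY (session_id),
//   KEY `last_activity_idx` (`last_activity`)
// );

// Part 2: application/core/MY_Controller.php (MY_ is CI's default prefix;
// the class and route names below are assumed, not from the thread).
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');   // pulls userdata from ci_sessions by cookie id
        $this->load->helper('url');        // for redirect()
    }
}

// Protected controllers extend this instead of CI_Controller.
class Auth_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        if ( ! $this->session->userdata('is_logged_in'))
        {
            redirect('login');   // unauthenticated requests never reach the action
        }
    }
}

// Login action (the only place the password is handled): after checking it
// against the stored hash, record the outcome in the session and nothing else.
//   $this->session->set_userdata(array(
//       'id'           => $userID,
//       'username'     => $username,
//       'is_logged_in' => TRUE,
//   ));
```

With this in place the browser holds an opaque session id only; the user's id, name and logged-in flag are read back from `ci_sessions` on each request, and the password is never written to the session or a cookie at all.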
#7

[eluser]Kraig[/eluser]
So instead of using the cookie I would essentially be using the session, but storing it into the database and giving it a longer life if the user selected "Remember Me."

Thanks for your help!!
#8

[eluser]InsiteFX[/eluser]
For a Remember Me cookie you just store a hash code in the cookie and also in the database user's record for comparing later, that's it.
#9

[eluser]Kraig[/eluser]
[quote author="InsiteFX" date="1355974733"]For a Remember Me cookie you just store a hash code in the cookie and also in the database user's record for comparing later, that's it.[/quote]

Wouldn't that be problematic because, even though it may never happen, when searching the user's database table for that hash code you may stumble upon two? Also, would it be a completely separate cookie from the session, or are you talking about appending this new hash code to the current session?
#10

[eluser]InsiteFX[/eluser]
No because of the way I hash the code.

Code:
// ------------------------------------------------------------------------

/**
 * gen_hash()
 *
 * Hashes the password and CI 32-bit encryption key
 * using SHA-512. I place this in my user_model.
 *
 * You can also pass in the password field to
 * this method to generate the encryption key then return the value.
 *
 * NOTE: The Database password field etc. needs to be varchar(128)
 * Can also be used for generating hashes for other values.
 * You can also pass a second parameter to this method if needed.
 *
 * @access public
 * @param string - $str_1 - default value
 * @param string - $str_2 - optional value
 * @return string - the 128 char encrypted string
 */
if ( ! function_exists('gen_hash'))
{
    function gen_hash($str_1, $str_2 = '')
    {
        $CI =& get_instance();

        // SHA-512 over the value(s) + the app's encryption_key -> 128 hex chars
        return hash('sha512', $str_1 . $str_2 . $CI->config->item('encryption_key'));
    }
}

As you can see you can pass two different values to it, which I usually pass a unique generated ID.

This is a function helper so place the code in a function helper file.
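As an added example, not code from this thread or from InsiteFX's helper, here is a framework-independent PHP version of the remember-me scheme from #8 and #10. It swaps the password-derived `gen_hash()` value for a random token: the cookie carries the user id plus a random secret, and the user row stores only a SHA-256 of that secret, so the lookup is by primary key and the duplicate-hash worry raised in #9 never arises. The `$users` array is a constructed stand-in for the users table, and `issue_remember_token()`, `user_from_remember_cookie()` and `revoke_remember_token()` are names chosen for this example.

```php
<?php
// Added example, not code from this thread or from InsiteFX's helper:
// a "Remember Me" token that carries nothing derived from the password.
// Runs stand-alone on PHP 7.1+ (random_bytes, hash_equals, nullable types).

const REMEMBER_TTL = 1184400;   // seconds, the same lifetime the thread's cookies used

// Constructed stand-in for the users table, keyed by primary key.
$users = array(
    42 => array('username' => 'kraig', 'remember_hash' => null, 'remember_expires' => 0),
);

// Issue a token for $userId: the DB row keeps only SHA-256(secret); the
// returned string "<id>:<secret>" is the cookie value.
function issue_remember_token(int $userId, array &$users): string
{
    $secret = bin2hex(random_bytes(32));             // 256 bits from the CSPRNG
    $users[$userId]['remember_hash']    = hash('sha256', $secret);
    $users[$userId]['remember_expires'] = time() + REMEMBER_TTL;
    return $userId . ':' . $secret;
}

// Resolve a presented cookie value to a user id, or null if it is not valid.
// The row is fetched by id, so the stored hash never needs to be unique
// across the table, and the comparison is constant-time.
function user_from_remember_cookie(string $cookie, array $users): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                                   // malformed value
    }
    list($id, $secret) = $parts;
    $row = isset($users[(int) $id]) ? $users[(int) $id] : null;
    if ($row === null || $row['remember_hash'] === null || $row['remember_expires'] < time()) {
        return null;                                   // unknown user, revoked or expired
    }
    return hash_equals($row['remember_hash'], hash('sha256', $secret)) ? (int) $id : null;
}

// Logout (or a password change) invalidates every outstanding cookie at once.
function revoke_remember_token(int $userId, array &$users): void
{
    $users[$userId]['remember_hash']    = null;
    $users[$userId]['remember_expires'] = 0;
}

// Demo: issue, verify, reject a forged secret, revoke.
$cookie = issue_remember_token(42, $users);
// In a real app: setcookie('remember', $cookie, time() + REMEMBER_TTL, '/', '', true, true);
var_dump(user_from_remember_cookie($cookie, $users));
var_dump(user_from_remember_cookie('42:' . str_repeat('0', 64), $users));
revoke_remember_token(42, $users);
var_dump(user_from_remember_cookie($cookie, $users));
```

Two practical points: call `issue_remember_token()` again after each successful cookie login so a copied cookie is good for one use only, and send the cookie with the Secure and HttpOnly flags (the `setcookie()` call in the comment does both; CodeIgniter 2's `set_cookie()` accepts a `secure` key).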
