Suitable tokens for autologin?

#1
I have a function below which creates / inserts the customer's autologin information.

However, I am not sure if the tokens and unique_tokens are secure enough.

There is no personal information set in the cookie, just tokens.

Should I improve the tokens? What would you suggest for tokens?


PHP Code:
public function create_autologin($customer_id)
{
    // IV size for CAST-256 in CFB mode (16 bytes), reused as the length of the random token
    $size         = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);
    // uniqid() seeded with rand(), then encrypted with the app's encryption_key
    $msg          = uniqid(rand());
    $key          = $this->CI->config->item('encryption_key');
    $token        = $this->CI->encrypt->encode($msg, $key);
    // random bytes from /dev/random, hex encoded
    $unique_token = bin2hex(mcrypt_create_iv($size, MCRYPT_DEV_RANDOM));

    $data = array(
        'customer_id'  => $customer_id,
        'token'        => $token,
        'unique_token' => $unique_token,
        'created'      => time()
    );

    if ($this->CI->db->insert($this->CI->db->dbprefix . 'customer_autologin', $data)) {

        // cookie holds "token:unique_token"; path '/', domain '.localhost', not Secure, HttpOnly
        setcookie('remember', "$token:$unique_token", $this->set_the_time_for_cookie_to_expire, '/', '.localhost', false, true);

        $session_data = array(
            'customer_id'  => $customer_id,
            'is_logged_in' => true
        );

        $this->CI->session->set_userdata($session_data);
    }
}

There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!

#2
This is how I do it; there may be better ways, not sure.

PHP Code:
    /**
     * guidV4 ()
     * ------------------------------------------------------------------------
     *
     * generates a GUID with 36 characters including hyphens
     *
     * Usage: $tmp = self::guidV4();
     *
     *                       |-4  |- 8 9 a b
     * Format: XXXXXXXX-XXXX-4XXX-yXXX-XXXXXXXXXXXX
     *
     * @return string
     */
    public static function guidV4()
    {
        // this is for MS Windows Systems.
        if (function_exists('com_create_guid') === true)
        {
            return trim(com_create_guid(), '{}');
        }

        $data = openssl_random_pseudo_bytes(16);

        $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0100
        $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10

        // 32 hex chars split into 4-char groups, joined as 8-4-4-4-12
        return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
    }

    /**
     * generateToken ()
     * --------------------------------------------------------------------
     *
     * Generates an array with selector | validator then it will hash them
     *
     * USAGE: generateToken();
     *
     * @return  array
     */
    private function generateToken()
    {
        /**
         * If you define a namespace, you can prefix it to the GUID
         * Just un-remark the line below and rem the other line.
         */

        //$tmp = Uuid_Namespace."-".self::guidV4();
        $tmp = self::guidV4();

        $tokenData = array(
            'selector' => $tmp,
            // the validator is SHA-256 of the selector, so it is derived from it rather than drawn separately
            'token'    => base64_encode(hash('sha256', $tmp)),
        );

        return $tokenData;
    }
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )

#3
In the end, nothing is secure enough to prevent all attacks, if someone exists to carry them out.
If you log your user in with a "Remember-Token", the token should be completely random (obviously 100% unique), nothing related to the user.
So a possible attacker has to trial-and-error thousands of random tokens to get access to an account, which is nearly impossible.

But in case the attacker has access to your user's machine, in any way you want, a Trojan maybe, he can read out the cookie data,
and no master-unhackable-super-token can prevent the attacker from getting into this account.
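As an added example (my code, not the original poster's function and not InsiteFX's class), here is the selector/validator shape the two replies above point at, written for plain PHP 7 so it runs from the CLI. The function names, the `$rows` array standing in for the customer_autologin table, and the 12/32-byte sizes are my assumptions. The point it shows that the posts do not: both halves come from `random_bytes()`, the database keeps only a SHA-256 of the validator, the lookup goes by selector, and the comparison is constant-time via `hash_equals()`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. A "remember me" token split into a
// selector (row lookup key) and a validator (the secret). Both come from
// random_bytes(), and only a SHA-256 of the validator is stored, so a dumped
// customer_autologin table does not yield working cookies. Names are mine;
// $rows is an in-memory stand-in for the table.

const SELECTOR_BYTES  = 12;               // 96 bits, public lookup handle
const VALIDATOR_BYTES = 32;               // 256 bits, the actual secret
const TOKEN_LIFETIME  = 30 * 24 * 3600;   // 30 days

/**
 * Create a token for a customer. Returns array(cookieValue, rowToStore).
 */
function createAutologin($customerId, $now)
{
    $selector  = bin2hex(random_bytes(SELECTOR_BYTES));
    $validator = bin2hex(random_bytes(VALIDATOR_BYTES));

    $row = array(
        'customer_id'    => $customerId,
        'selector'       => $selector,
        'validator_hash' => hash('sha256', $validator), // never store $validator itself
        'expires'        => $now + TOKEN_LIFETIME,
    );

    return array($selector . ':' . $validator, $row);
}

/**
 * Check a cookie value against stored rows (keyed by selector).
 * Returns the customer_id, or null if the cookie is malformed, unknown,
 * expired, or carries a wrong validator.
 */
function verifyAutologin($cookie, array $rows, $now)
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    list($selector, $validator) = $parts;

    if (!isset($rows[$selector]) || $rows[$selector]['expires'] < $now) {
        return null;
    }

    // hash_equals() compares in constant time, so the validator cannot be
    // recovered byte by byte through response timing.
    if (!hash_equals($rows[$selector]['validator_hash'], hash('sha256', $validator))) {
        return null;
    }

    return $rows[$selector]['customer_id'];
}

// --- demonstration against the in-memory stand-in -------------------------
$rows = array();
$now  = time();

list($cookie, $row) = createAutologin(42, $now);
$rows[$row['selector']] = $row;

// In a real handler the cookie would be set with Secure and HttpOnly and no
// domain pinned to '.localhost'. Commented out so the script runs from the CLI.
// setcookie('remember', $cookie, $now + TOKEN_LIFETIME, '/', '', true, true);

if (verifyAutologin($cookie, $rows, $now) !== 42) {
    throw new RuntimeException('valid cookie was rejected');
}
if (verifyAutologin($cookie, $rows, $now + TOKEN_LIFETIME + 1) !== null) {
    throw new RuntimeException('expired cookie was accepted');
}

// Flip the last hex digit of the validator: the selector still finds the row,
// but the hash comparison fails.
$last     = substr($cookie, -1);
$tampered = substr($cookie, 0, -1) . ($last === 'a' ? 'b' : 'a');
if (verifyAutologin($tampered, $rows, $now) !== null) {
    throw new RuntimeException('tampered cookie was accepted');
}

echo "remember-me checks passed\n";
```

Two design notes. First, the validator is drawn independently of the selector; a hash that is computed from the selector can be recomputed by anyone who reads the selector out of the cookie or the table. Second, storing `hash('sha256', $validator)` rather than the validator means a read-only leak of the table (an SQL injection, a backup) does not hand out usable cookies, while the cookie itself still needs Secure and HttpOnly to limit what a script or a plaintext hop can see.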

#4
(07-27-2016, 03:31 AM)InsiteFX Wrote: This is how I do it there may be better ways not sure.

Thanks for the code. I'll play around with it and see how I go.
There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!




  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.