开发者

php, is there a safe way to store password in cookies?

is there a safe way of storing passwords in cookies in php?

or is it not recomen开发者_如何转开发ded?

thanks


This is not recommended...

... even if encrypted. Storing this information on a client machine gives them the opportunity to compare cookies in the hopes of decrypting. Worse they could sniff a cookie from someone else and then masquerade as that user!

What is recommended is having the user login through a secure connection and sending a session cookie in response. The session cookie contains a session id which PHP will automatically map to a session file on the server. You can then store a user id in the session. After a short time, the session should be expired.

Sessions are automatically managed by PHP and you should take advantage of it.

Here's a tutorial on how to use PHP sessions.


The user is able to change his cookies at will. If you want to "trust" data in PHP, you need to store it on your server, and not on the user's machine. Cookies can also be intercepted through XSS attacks and browser bugs (practical but relies on some another security hole), in addition to sniffing it out on the wire (more theoretical but will always be a flaw in this scheme).


Not recommended. Ideally a cookie is just a unique identifier that can be used by the server as an index into a database table (or other structure) which maintains the required data.

It is possible to encode data in the cookie, but I wouldn't be doing it for anything sensitive.

When it comes to passwords, my own opinion is that they shouldn't be stored at all. Only the password hash should be stored.


One could possibly hash a password into a cookie, and check that hash against the hash in the database. That's theoretically safe-ish. (You're hashing, aren't you? With a salt? If someone break into your database and you're not, all your users are doomed.)

Regardless, it's still not recommended. Putting information, even when hashed, out into the open is a bad idea overall, when it's a relatively simple matter to store the data yourself and tie it to a generic session ID that doesn't offer any information about the actual password to anyone who could possibly steal that cookie. $_SESSION makes that wonderfully easy.


you can hash a cookie's data using sha1() or md5() but the best way for it is use session for storage a user's data.


It's not generally recommended, but possible. You could encrypt the cookie's contents with the mcrypt extension.

[Edit Aug 2018] This extension is no longer available.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜