PHP login cookie authentication
Problem
I have the following code to do remember-me style login:
I have this code in my header file. Is this secure enough or will it pose any security risks in the future?
Solution
I don’t like the idea of storing the password hash in a cookie. It is easy to steal and grants unlimited access. The cookie is transmitted with every single HTTP request. I would prefer using an access token with a limited lifetime. Anyway, most people store passwords in their browser and this is easy to steal as well – so this seems not to be a massive security break.
The bigger problem is that your login only relies on the password – you don’t need to know the corresponding username to log in. This makes brute forcing a lot easier. And more importantly: your login will break if two users use the same password. Then user2 will (unintentionally) gain access to user1’s account.
PS: As mentioned in comments, don’t loop over every line in your table, use a WHERE clause instead. And I don’t understand what you are trying to achieve with your mysql_num_rows code block…
Context
StackExchange Code Review Q#8245, answer score: 5
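The token-based approach the answer recommends, as an added example (not code from the question or the answer): the remember-me cookie carries a random selector plus validator, the server stores only a hash of the validator together with the user id and an expiry, and the lookup is a single prepared WHERE query instead of a scan over every row. The table name, column names and the in-memory SQLite database are assumptions for the demo.

```php
<?php
// Assumed schema; SQLite in memory so the demo runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
    user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

const REMEMBER_TTL = 30 * 24 * 3600; // limited lifetime: 30 days

// Issue a token bound to $userId. The cookie gets "selector:validator";
// the database gets only a SHA-256 of the validator, never the password hash.
function issueRememberToken(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (:s, :h, :u, :e)');
    $stmt->execute([':s' => $selector, ':h' => hash('sha256', $validator),
                    ':u' => $userId, ':e' => time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Resolve a cookie value to a user id, or null. One WHERE lookup by selector,
// then an expiry check and a constant-time compare of the validator hash.
function userFromRememberCookie(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
        FROM remember_tokens WHERE selector = :s');
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) { return null; }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) { return null; }
    return (int) $row['user_id'];
}

// Demo with a constructed user id. The cookie is HttpOnly and Secure so script
// access and plaintext transport cannot read it.
$cookieValue = issueRememberToken($db, 42);
setcookie('remember', $cookieValue, ['expires' => time() + REMEMBER_TTL,
    'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
if (userFromRememberCookie($db, $cookieValue) !== 42) { throw new RuntimeException('valid token rejected'); }
if (userFromRememberCookie($db, 'bogus:bogus') !== null) { throw new RuntimeException('bogus token accepted'); }
echo "remember-me token round trip ok\n";
```

Revoking a token is a DELETE by selector, and because the cookie never contains the password hash, a stolen cookie stops working at expiry or on logout rather than granting permanent access.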