www.webdeveloper.com

Thread: Are These Persistent Cookie Ideas Safe And Interesting ?

  1. #1
    Join Date
    Oct 2016
    Posts
    152

    Are These Persistent Cookie Ideas Safe And Interesting?

    Php Masters!

    Every PHP persistent cookie tutorial I come across always saves the user's password onto the user's HDD. To make things worse, it saves it on the HDD without encrypting it.
    Now, I thought it would be best if the cookie got named after the user's computer's MAC address and the MAC address got saved in the DB.
    Then, when the user loads the login page, the cookie can check its cookie name against the DB and if there is a match then auto log the user into his/her account.
    But now I read that it is not possible to acquire the user's MAC address unless the user is on the same LAN as my web server.

    Q1a. So, what else can act as a substitute for the MAC address? What else can PHP grab from the user's computer which it can use as a reference against the username to identify that it is the same user?
    IPs change. No good using that.

    Q1b. How about the user's computer name? Can it grab that from the user's computer so it can use that as the MAC substitute or use that as the cookie name?

    Q1c. Or maybe I just get the script to name the cookie in this format:

    username-ip

    And make that cookie available as long as the user's IP has not changed.
    That way, when the user loads the login page while the IP hasn't changed, the cookie can check its cookie name (username-ip) against the DB and if there is a match then auto log the user into his/her account. What do you think?
    Can you guys show me how to do this by editing my code?
    I have been googling all night and reading whatever I find on the subject. But I am still stuck and need to see some code samples to clear the confusion.

    <?php
    session_start();

    if (!empty($_POST["login"])) {
        $conn = mysqli_connect("localhost", "root", "", "blog_samples");

        // Look the member up with a prepared statement so the posted values
        // are bound as data rather than spliced into the SQL string.
        $stmt = mysqli_prepare(
            $conn,
            "SELECT * FROM members WHERE member_name = ? AND member_password = ?"
        );
        $memberName     = $_POST["member_name"];
        $hashedPassword = md5($_POST["member_password"]);
        mysqli_stmt_bind_param($stmt, "ss", $memberName, $hashedPassword);
        mysqli_stmt_execute($stmt);
        $user = mysqli_fetch_array(mysqli_stmt_get_result($stmt));

        if ($user) {
            $_SESSION["member_id"] = $user["member_id"];
            $tenYears = time() + (10 * 365 * 24 * 60 * 60);

            if (!empty($_POST["remember"])) {
                // Writes the username and the plaintext password into cookies on
                // the user's machine; this is the part of the tutorial being questioned.
                setcookie("member_login", $_POST["member_name"], $tenYears);
                setcookie("member_password", $_POST["member_password"], $tenYears);
            } else {
                if (isset($_COOKIE["member_login"])) {
                    setcookie("member_login", "");
                }
                if (isset($_COOKIE["member_password"])) {
                    setcookie("member_password", "");
                }
            }
        } else {
            $message = "Invalid Login";
        }
    }
    ?>
    <style>
    #frmLogin {
        padding: 20px 60px;
        background: #B6E0FF;
        color: #555;
        display: inline-block;
        border-radius: 4px;
    }
    .field-group {
        margin-top: 15px;
    }
    .input-field {
        padding: 8px;
        width: 200px;
        border: #A3C3E7 1px solid;
        border-radius: 4px;
    }
    .form-submit-button {
        background: #65C370;
        border: 0;
        padding: 8px 20px;
        border-radius: 4px;
        color: #FFF;
        text-transform: uppercase;
    }
    .member-dashboard {
        padding: 40px;
        background: #D2EDD5;
        color: #555;
        border-radius: 4px;
        display: inline-block;
    }
    .member-dashboard a {
        color: #09F;
        text-decoration: none;
    }
    .error-message {
        text-align: center;
        color: #FF0000;
    }
    </style>

    <?php if (empty($_SESSION["member_id"])) { ?>
    <form action="" method="post" id="frmLogin">
        <div class="error-message"><?php if (isset($message)) { echo $message; } ?></div>
        <div class="field-group">
            <div><label for="login">Username</label></div>
            <!-- cookie values are HTML-escaped before being echoed back into the page -->
            <div><input name="member_name" id="login" type="text" class="input-field"
                value="<?php if (isset($_COOKIE["member_login"])) { echo htmlspecialchars($_COOKIE["member_login"]); } ?>"></div>
        </div>
        <div class="field-group">
            <div><label for="password">Password</label></div>
            <div><input name="member_password" id="password" type="password" class="input-field"
                value="<?php if (isset($_COOKIE["member_password"])) { echo htmlspecialchars($_COOKIE["member_password"]); } ?>"></div>
        </div>
        <div class="field-group">
            <div><input type="checkbox" name="remember" id="remember" <?php if (isset($_COOKIE["member_login"])) { echo "checked"; } ?>>
            <label for="remember">Remember me</label></div>
        </div>
        <div class="field-group">
            <div><input type="submit" name="login" value="Login" class="form-submit-button"></div>
        </div>
    </form>
    <?php } else { ?>
    <div class="member-dashboard">You have successfully logged in! <a href="logout.php">Logout</a></div>
    <?php } ?>

    Q1d. What do you think about this unique idea? Let me know if the idea is flawed or not.
    During registration, the system would ask the user to upload any image.
    During persistent cookie checking (meaning, when the user has loaded login.php or home.php), the user would be shown a list of images to select from. If he/she selects the right one they uploaded during registration then the system (cookie) would auto log them in.
    Alternatively, the user can be shown a question and a few answer options in a checkbox or dynamic drop-down UI that lists the correct answer as well as the incorrect answers. If the user selects the correct answer from the answer options then the user is auto logged in. Clicking the mouse is simpler than typing the username & password. And so, this little ID check won't bother the user that much. Would it bother you, as a user?

    Alternatively, the user can be shown a list of images where an image can be of his/her family member (e.g., brother, uncle) and a question that asks "what is this person to you?" and show a few answer options in a checkbox such as:
    1. Brother;
    2. Uncle;
    3. Friend;

    etc. If the user selects the right answer then he/she is auto logged in. Else not.
    If you like any of the ideas mentioned in Q1d, then how about editing my code and showing us newbies some sample code on how to achieve the one you liked?

    Thanks!

  2. #2
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    5,216
    a) When posting code, please use forum BB code tags as illustrated in my signature.
    b) Cookies are dead, old technology, and even persistent cookies are not that persistent; use the localStorage object instead and resort to cookies if HTML5 is not supported in that browser.
    --> JavaScript Frameworks like JQuery, Angular, Node <--
    ... and please remember to wrap code with forum BBCode tags:-

    [CODE]...[/CODE] [HTML]...[/HTML] [PHP]...[/PHP]

    If you can't think outside the box, you will be trapped forever with no escape...

  3. #3
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    1,827
    Personally I still use cookies. Don't even know what 'local storage' is.

    BUT - I would never, ever store a password in a cookie. There is only one place for a password and that is in the element that the user types it into and in the script that then processes the POST data coming from that element's form data. Once the script has it and uses it to query the user data table there should be no further reference ANYWHERE to that password value. Use a token of some kind in your session array or in a cookie to indicate that the user has been authenticated but never use the password.
    JG
    PS - If you're posting here you should be using:

    error_reporting(E_ALL);
    ini_set('display_errors', '1');

    at the top of ALL PHP code while you develop it!

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    22,150
    Yep, there is zero reason to store the password anywhere other than the server-side data store. Once the user successfully logs in, you can create a session for them, where you might want to store their ID and user name for easy access -- and that stays on the server, the browser just gets a cookie with a session ID -- but do not store the password even in the server-side session data. If PHP sessions are not right for you for some reason, there are JSON Web Tokens, which are a hot topic with all the cool web developers, but . . . ¯\_(ツ)_/¯
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  5. #5
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    5,216
    In response to a previous comment...

    The localStorage object is a storage item like a very large cookie store that can take 5 MB of data per domain.

    Cookies only allow 4 kB of storage.

    Cookies can be deleted, expired, removed, expired on setting, and cleared by other means under the user's own security policy.

    The benefit of localStorage is that the data will exist until modified or deleted.

    So by writing a routine for cookie storage that uses localStorage if it is available, with setting a cookie as a fallback, you're able to future-proof yourself; I expect at some point cookies will become obsolete like a lot of old JavaScript and HTML.

  6. #6
    Join Date
    Oct 2017
    Posts
    9
    Quote Originally Posted by \\.\ View Post
    In response to a previous comment...

    The localStorage object is a storage item like a very large cookie store that can take 5 MB of data per domain.

    Cookies only allow 4 kB of storage.

    Cookies can be deleted, expired, removed, expired on setting, and cleared by other means under the user's own security policy.

    The benefit of localStorage is that the data will exist until modified or deleted.

    So by writing a routine for cookie storage that uses localStorage if it is available, with setting a cookie as a fallback, you're able to future-proof yourself; I expect at some point cookies will become obsolete like a lot of old JavaScript and HTML.
    Mmm. I am not quite sure I understand. So, localStorage is just a big cookie? If not, then where on the user's HDD does it get saved?

  7. #7
    Join Date
    Oct 2017
    Posts
    9
    Quote Originally Posted by ginerjm View Post
    Personally I still use cookies. Don't even know what 'local storage' is.

    BUT - I would never, ever store a password in a cookie. There is only one place for a password and that is in the element that the user types it into and in the script that then processes the POST data coming from that element's form data. Once the script has it and uses it to query the user data table there should be no further reference ANYWHERE to that password value. Use a token of some kind in your session array or in a cookie to indicate that the user has been authenticated but never use the password.
    What if the token gets nicked by malware from your HDD? Then the culprit would log in to your account from his computer without needing to type in your password. Right?
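    The token approach from post #3, written out as an added example (not code from the thread); the in-memory $tokenStore and the function names are assumed stand-ins for a database table. It also bears on the question above: a token copied off the disk does work until it expires or its row is deleted, but that is exactly the advantage over a cookie holding the password, which never expires and cannot be revoked without changing the password itself.

```php
<?php
// Added example (not code from the thread): a "remember me" cookie carrying a
// random token instead of the password. $tokenStore is a constructed in-memory
// stand-in for a database table keyed by selector; revoking a token is just
// deleting its row, without touching the password.
$tokenStore = [];

// Called after the password check succeeds. Only a hash of the validator is
// kept server-side, so a leaked table does not yield working cookies.
function issueRememberToken(array &$store, int $memberId, int $ttl = 30 * 24 * 3600): string
{
    $selector  = bin2hex(random_bytes(8));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only the browser holds it
    $store[$selector] = [
        'member_id'      => $memberId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + $ttl,
    ];
    return $selector . ':' . $validator;      // the cookie value
}

// Returns the member id for a valid cookie, or null. A wrong validator for a
// known selector is revoked on the spot, since it means someone is guessing.
function checkRememberToken(array &$store, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($store[$selector]);             // expired or wrong: drop the row
        return null;
    }
    return $row['member_id'];
}

// In login.php, after a successful login with "remember" ticked:
// setcookie('remember_me', issueRememberToken($tokenStore, $memberId),
//     ['expires' => time() + 30 * 24 * 3600, 'path' => '/', 'secure' => true,
//      'httponly' => true, 'samesite' => 'Lax']);

// Stand-alone check from the command line, no web server needed:
$cookie = issueRememberToken($tokenStore, 42);
var_dump(checkRememberToken($tokenStore, $cookie));        // the member id
var_dump(checkRememberToken($tokenStore, $cookie . 'x'));  // tampered: rejected and revoked
var_dump(checkRememberToken($tokenStore, $cookie));        // the real cookie no longer works
```

    On the next page load, checkRememberToken is run on $_COOKIE['remember_me'] before the login form is shown, and the member id it returns goes into $_SESSION exactly as the password login does.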

  8. #8
    Join Date
    Apr 2017
    Posts
    54
    FYI forum, site-developer is uniqueideaman with yet another duplicate account.

  9. #9
    Join Date
    Oct 2017
    Posts
    9
    Quote Originally Posted by benanamen View Post
    FYI forum, site-developer is uniqueideaman with yet another duplicate account.
    Read my reply to you here:
    http://www.webdeveloper.com/forum/sh...-Fails-To-Load

  10. #10
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    5,216
    Quote Originally Posted by site-developer View Post
    Mmm. I am not quite sure I understand. So, localStorage is just a big cookie? If not, then where on the user's HDD does it get saved?
    Yes, a Big Fat Personal Cookie for your domain.

    As for anything that requires some level of security, that information is on a need to know basis and you don't need to know anything other than it works.
