
Currently, after a successful login I add md5($username) and md5($password) to cookies, and then every time the user browses the site, on every page a function validates these cookies against the database.

It's working nicely and I am happy with it. But is there anything better I can do?

danny
  • Yes. Add a salt and stop using md5. – JJJ Apr 08 '12 at 14:11
  • Why do you md5($username)? Why don't you want to use `$_SESSION`??? – Baba Apr 08 '12 at 14:12
  • @Baba I don't want to add it to $_SESSION because I don't want to add load to the server, and I am having lots of problems with sessions in CodeIgniter. – danny Apr 08 '12 at 14:17
  • @Juhana I am adding a salt too, but if I did not use md5 wouldn't it be unsafe? I heard md5 is the best hashing? – danny Apr 08 '12 at 14:18
  • I think it is not safe now, because someone can read the user's cookies and crack their accounts. Lastly, I think md5 is not the best. SHA1 is more secure than md5. – hkulekci Apr 08 '12 at 14:20
  • Swap to salted SHA512... MD5 is cryptographically broken. Even the Wikipedia article mentions this. – Andy Apr 08 '12 at 14:26
  • MD5 is good for *hashing*, but not good for hashing *passwords*. – JJJ Apr 08 '12 at 14:50

2 Answers


It's good that you are using md5, but PHP also has other options that you can exploit for better security.

There is a post here: Login cookies security, where I explained in detail how to secure PHP cookies.

You can also see: http://www.phpclasses.org/browse/file/25025.html .. a simple class; all you need to do is replace the encryption with a strong one such as RSA or DES.

If you need more information you can just add a comment.

Thanks :)

Baba

When a user logs in successfully, set a value in $_SESSION[]. Then on other pages, just check whether this value is set in the SESSION array. If it is set, the user is logged in. Otherwise, redirect to the Login page.

If you want to add a facility to auto-login when the user visits your site next time, set cookies. So, when a page is loaded, check if the value in SESSION is set. Otherwise, check the cookies. If the cookies are set with a login signature, directly set the SESSION value. Otherwise, redirect to the Login page.

I think it is better to use a SHA flavor for hashing than MD5. If possible, try using SHA-512.

Akhilesh B Chandran
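The flow this answer describes (a session flag set at login, a "remember me" cookie carrying a login signature that is checked on every page), applied to the question's original setup, as an added example that is not code from the question or from either answer. It is plain PHP with PDO and assumes PHP 7.3 or later, an existing `$pdo` handle, `session_start()` already called, and two hypothetical tables `users(id, username, password_hash)` and `auth_tokens(selector, validator_hash, user_id, expires)`. Instead of putting md5($password) in the cookie it stores nothing password-derived there at all, and it hashes passwords with `password_hash()` (bcrypt) rather than MD5 or SHA-512, because, as the comments above note, a fast general-purpose hash is the wrong tool for passwords.

```php
<?php
// Added example (not from the question or either answer). Assumes PHP >= 7.3,
// a PDO handle $pdo, session_start() already called, and the hypothetical tables
//   users(id, username, password_hash)
//   auth_tokens(selector, validator_hash, user_id, expires)
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days, in seconds

// Registration / password change: store a slow, per-user-salted hash (bcrypt via
// PASSWORD_DEFAULT). Neither md5() nor sha512 belongs here: both are fast hashes.
function storePassword(PDO $pdo, int $userId, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
        ->execute([$hash, $userId]);
}

// Login: verify the password, then mark the session as authenticated.
function login(PDO $pdo, string $username, string $password, bool $remember): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);           // new session id on privilege change (fixation defence)
    $_SESSION['user_id'] = (int) $row['id'];
    if ($remember) {
        issueRememberToken($pdo, (int) $row['id']);
    }
    return true;
}

// Remember-me cookie: a random selector (DB lookup key) plus a random validator.
// Only a hash of the validator is stored, so a leaked auth_tokens table cannot be
// replayed, and the cookie itself contains nothing derived from the password.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;
    $pdo->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// On every page: prefer the session; fall back to the cookie; otherwise not logged in.
function currentUserId(PDO $pdo): ?int
{
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $pdo->prepare('SELECT user_id, validator_hash, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the validator hash; the selector lookup above
    // reveals nothing about the validator, so timing cannot be used to guess it.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with wrong validator: treat the token as compromised and revoke it.
        $pdo->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}

// Page guard: call at the top of any protected page.
function requireLogin(PDO $pdo): int
{
    $uid = currentUserId($pdo);
    if ($uid === null) {
        header('Location: /login.php');
        exit;
    }
    return $uid;
}
```

Two properties worth checking in your own version: the cookie must never let an attacker recover or brute-force the password (here it is pure randomness, so a stolen cookie is revoked by deleting one row, whereas a stolen md5($password) is the password for as long as the password lasts), and the database lookup should be by a value that is not the secret, with the secret compared using `hash_equals()` against a stored hash.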