Home/ Questions/Q 378945
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T14:50:38+00:00

Having read this article and many others out there on how to not store

  • 0

Having read this article and many others out there on how to not store passwords in databases and cookies, I’m wondering now how I should do it…

What I’ve come up so far (after reading around a bit) is taking the clear-text user password, padding it with salt till it fills up 512 bits (64 bytes => 64 chars, since the page is non-unicode), and then doing

$pwhash = hash('sha512', $saltedpw);
for ($i=0; $i<1000; $i++)
      $pwhash = hash('sha512', $pwhash);

Then I would store (UserName, HashedPw, Salt) in the database, but what do I do about the cookie (to identify users that want to stay loogend-on after the session has expired)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First, calling hash 1000 times does not help anything, once is enough.

    For remembering the user login in cookie you have two options:

    1. As has been said, you can generate a random token and store it in the database along with the user information. When a user with no session cookie enters the site, you check if there is a cookie with the token and do a DB lookup. If you found a user with such a token, log them in. You might want to do some additional checks, like whether the current IP is the same as the IP when they first logged in.
    2. You can store the user ID in the cookie, but then you have to sign the data using a secret key to make sure the user can’t just modify it. HMAC-SHA-1 is a good way to do that. The advantage is that you don’t have to store any additional data in the database. You only have to verify the signature and do a lookup on the user ID. The disadvantage is that you have to make sure the signature code is secure (HMAC-SHA-1 with a longer secret key should do that).
    • 0