I have a method where I check whether the username and password (hash+salt) are correct. After that, and if the user has access, I do:
if (isset($remember) && $remember == '1') {
    // "remember me" checked: cookie lives for 100 days
    setcookie('email', $email, time() + 60*60*24*100);
}
else {
    // otherwise: cookie lives for one hour
    setcookie('email', $email, time() + 3600);
}
My question is about security issues. Is the code above insecure? Is something like a signature needed?
For example:
$user_email = $email;
// per-login random value
$hash = sha1(rand(0, 500) . microtime());
// "signature" over the random value and the e-mail
$signature = sha1($hash . $user_email);
// cookie carries signature, random value and e-mail together
$cookie = base64_encode($signature . "-" . $hash . "-" . $user_email);
setcookie('authentication', $cookie);
What do you think ?
Anecdote time: Back around 2002 I was looking at a packet dump from my school's network and told them that they needed to fix their grades, attendance, student information, everything-under-the-sun system. The way they had it set up was such that after a user authenticated, the system would set a cookie with just the user name and an end-of-session expiry. I fired up a browser, picked a username (first initial, last name), and set that as a cookie. I had access.
What they should have done was set a random 128-bit number and keep track of that on the server (number, corresponding user, timeout value).
See also
Good session practices.
How to securely hash passwords.
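The answer's recommendation (a random 128-bit number that the server maps to a user and a timeout) written out in PHP, as an added example that is not code from the question or the answer. The `$store` array stands in for whatever database table the server would really use, the user name and the two lifetimes (the question's one hour and 100 days) are constructed sample values, and the function names are my own. It assumes PHP 7.3 or later for `random_bytes()` and the array form of `setcookie()`.

```php
<?php
// Added example, not from the question or the answer: a random 128-bit
// session token kept server-side, as the answer recommends. The cookie
// carries only the token; the user and expiry live in $store.
declare(strict_types=1);

const SESSION_COOKIE = 'sid';
const SHORT_LIFETIME = 3600;               // one hour (no "remember me")
const LONG_LIFETIME  = 60 * 60 * 24 * 100; // 100 days ("remember me")

/** Stand-in for a DB table: token (hex) => ['user' => ..., 'expires' => unix time]. */
$store = [];

/**
 * Issue a session after the password check has already succeeded.
 * Returns the token; the cookie holds nothing else.
 */
function issueSession(array &$store, string $email, bool $remember, int $now): string
{
    // 16 bytes from the OS CSPRNG = 128 bits; hex-encode for the cookie.
    $token = bin2hex(random_bytes(16));
    $expires = $now + ($remember ? LONG_LIFETIME : SHORT_LIFETIME);
    $store[$token] = ['user' => $email, 'expires' => $expires];

    // Cookie flags: HttpOnly keeps page scripts from reading the token,
    // Secure keeps it off plaintext HTTP, SameSite limits cross-site sending.
    // Skipped under the CLI so this demo can run there without header errors.
    if (PHP_SAPI !== 'cli') {
        setcookie(SESSION_COOKIE, $token, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return $token;
}

/**
 * Resolve a cookie value to a user name, or null if the value is malformed,
 * unknown, or expired. Expired rows are dropped so the store does not grow.
 */
function resolveSession(array &$store, ?string $cookie, int $now): ?string
{
    // A genuine token is exactly 32 lowercase hex chars; reject anything else
    // (a cookie holding a plain user name, as in the anecdote, fails here).
    if ($cookie === null || !preg_match('/^[0-9a-f]{32}$/', $cookie)) {
        return null;
    }
    if (!isset($store[$cookie])) {
        return null;
    }
    $entry = $store[$cookie];
    if ($entry['expires'] <= $now) {
        unset($store[$cookie]);
        return null;
    }
    return $entry['user'];
}

/** Logout: delete the server-side row so a replayed cookie is dead. */
function destroySession(array &$store, ?string $cookie): void
{
    if ($cookie !== null) {
        unset($store[$cookie]);
    }
}

// Demonstration on constructed data.
$now = time();
$short = issueSession($store, 'alice@example.com', false, $now);

// A valid token resolves to the user it was issued for.
var_dump(resolveSession($store, $short, $now));
// The anecdote's attack: a cookie holding just a user name is not a token.
var_dump(resolveSession($store, 'alice', $now));
// Once the lifetime has passed, the same token no longer resolves.
var_dump(resolveSession($store, $short, $now + SHORT_LIFETIME + 1));

// A "remember me" token outlives the short lifetime, until logout.
$long = issueSession($store, 'alice@example.com', true, $now);
var_dump(resolveSession($store, $long, $now + SHORT_LIFETIME + 1));
destroySession($store, $long);
var_dump(resolveSession($store, $long, $now));
```

Run it with `php session_example.php`. The point of the layout is that the cookie value is meaningless on its own: it names nothing, signs nothing, and is only useful while the server still has a row for it, which is also what makes logout and server-side revocation possible.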