Home/ Questions/Q 9140047
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T09:27:54+00:00

I’d like to use the cookie session adapter from Lithium. After the user logs

  • 0

I’d like to use the “cookie” session adapter from Lithium. After the user logs in I’ll create a cookie with his hashed password. If this cookie is present and the hashed password matches the one from the db, I’ll log him in automatically.

Is this safe?

ok, I’m not talking about having the actual hash in the cookie, but an encrypted hash. I don’t want anyone to find out how that hash looks 🙂
Lithium has “strategies” that encrypt any data that you store in sessions with a “secret”, so the hash would be encrypted. Basically I’m asking if Lithium’s encryption is good enough. Has anyone worked with Lithium?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It depends on your hashed algorithm. Use salt to make your hash more secure:
    Safe Password Hashing and

    Remember, the hash of the password is effectively the same as their
    password. Somebody who stole the hash would have the same access to
    the user’s account as if they had stolen their password. Therefore it
    is not advisable to store a hash of the user’s password in a cookie
    unless there was some other information not stored with the cookie
    that is used to authenticate (i.e. 2-factor authentication). Gabe in this Answer.

    And also can checkout these links:
    Is it advisable to store a hashed password in a cookie?
    Secure hash and salt for PHP passwords

    • 0