if (strtolower($userDetail["username"]) == strtolower($username) &&
    $userDetail["password"] == hash("sha256", $password . $userDetail["salt"])) {
    if ($remember == "true") { // Remember Me
        setcookie("logged", "$username", time()+60*60*24*365); // 1 Year
    } else {
        setcookie("logged", "$username", time()+43200); // 12 Hours
    }
    header("Location: " . getenv("HTTP_REFERER"));
    die();
} else {
    echo "Invalid login.";
}
I’m trying to make the best possible login I possibly can. The major problem I’m seeing here is cookies. I’m no expert when it comes to this, so here are my main questions:
- What should I be setting my cookie as so someone can not easily duplicate the cookie?
- Should I be including the salt into the cookie?
- I’ve heard about tokens in addition to salts and having them change all the time. How is this supposed to work?
And I’m wondering if this call for my cookie above is even valid? What’s the right way to be doing this?
$loginCheck = $_COOKIE["logged"];
if (isset($loginCheck)) {
    // logged in
}
I like to leave the username intact, and have another cookie set as
    sha1(salt . user . pass)
For instance:
And then compare using the first cookie, against the database and the known hash.
The way you’re doing it at the moment, anyone can copy a cookie and log in with anyone without even knowing their passwords. Just set
And you’re good to go. Once you have this second cookie to compare against, you’re much safer.
As for the third question, yes, you can even shorten it to:
But as I stated, you should move to the more secure format I’ve shown.
See this Absolutely EPIC Tutorial on net.tutsplus.com for more on the subject.
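The third bullet of the question asks how a changing token is supposed to work. The following is an added example, not code from the question or the answer above, and it deliberately does not use the answer's sha1(salt . user . pass) cookie: it issues a random per-login token, stores only a hash of it server-side, and compares in constant time. The table name persistent_logins, the $pdo connection and all function names are assumptions made for this example; the setcookie() options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the question or the answer): a persistent-login
// ("remember me") cookie built from a random token instead of the username.
// Assumed: a PDO connection in $pdo and a table
//   persistent_logins(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//                     user_id INT, expires DATETIME)
// The table and the helper names are assumptions for this example.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days

// Issue a new token after a successful password check (one per login).
function issueRememberToken(PDO $pdo, int $userId): void {
    // selector: lookup key; validator: secret that only the browser holds.
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars
    $validator = bin2hex(random_bytes(32));   // 64 hex chars
    $expires   = time() + REMEMBER_TTL;

    // Store only a hash of the validator, so a leaked table cannot be
    // turned into a working cookie.
    $stmt = $pdo->prepare(
        'INSERT INTO persistent_logins (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', $expires)]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Validate the cookie on a later request; returns the user id or null.
function checkRememberToken(PDO $pdo): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id FROM persistent_logins
          WHERE selector = ? AND expires > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }

    // Constant-time comparison: does not leak how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with a wrong validator points at a copied or
        // guessed cookie: revoke the token and treat the user as logged out.
        $pdo->prepare('DELETE FROM persistent_logins WHERE selector = ?')
            ->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Remove the token on logout so the cookie cannot be replayed afterwards.
function revokeRememberToken(PDO $pdo): void {
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        $pdo->prepare('DELETE FROM persistent_logins WHERE selector = ?')
            ->execute([$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Call issueRememberToken() only in the branch where the password hash has already matched, and checkRememberToken() on requests that arrive without a live session. Because the cookie carries nothing derived from the username, salt or password, copying it gives an attacker only that one revocable token, and the stored value is useless without the validator that never leaves the browser.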