Thread: Cookies

    #1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2012
    Posts
    4
    Rep Power
    0

    Cookies


    I am taking what I have learned my last semester to try and build my own website. I am working on a login for different users and want to know what the best practice would be.

    If I use cookies to check if a user is logged in what data should I store in the cookie after the user signs in to check. I figured I wouldnt want it to be just there user name because anyone could just make that cookie themselve and log in as that user....

    Any ideas woudl be greatley appreciated. I am not storing really any sensitive material on my website so it does not need to be bank secure.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Hi,

    First of all, you should make up your mind if you actually want to offer user registration. Saying that security isn't that important for you sounds like this is going in a wrong direction.

    If you just want to make the page customizable, then you don't need user accounts. Simply store the values in cookies. But if you do want to store personal information like email addresses, password information etc., then security is important.

    Login information is usually stored in sessions. The functions for that are most probably already built-in in your language (whatever it is you are using).

    As I already said, security is in fact very important. So you really should know how everything works before you actually start with the implemention. A particularly critical issue is of course password managment, because there's a lot you can do wrong here. And since users tend to reuse their passwords everywhere, you want to make sure you don't f*** up in securing them.

    Never store passwords in plaintext or as simple hashes. The absolute minimum is to use salted hashes. A better apporach is to use specialized algorithms like PBKDF2 or bcrypt.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2012
    Posts
    4
    Rep Power
    0
    Originally Posted by Jacques1
    Hi,

    First of all, you should make up your mind if you actually want to offer user registration. Saying that security isn't that important for you sounds like this is going in a wrong direction.

    If you just want to make the page customizable, then you don't need user accounts. Simply store the values in cookies. But if you do want to store personal information like email addresses, password information etc., then security is important.

    Login information is usually stored in sessions. The functions for that are most probably already built-in in your language (whatever it is you are using).

    As I already said, security is in fact very important. So you really should know how everything works before you actually start with the implemention. A particularly critical issue is of course password managment, because there's a lot you can do wrong here. And since users tend to reuse their passwords everywhere, you want to make sure you don't f*** up in securing them.

    Never store passwords in plaintext or as simple hashes. The absolute minimum is to use salted hashes. A better apporach is to use specialized algorithms like PBKDF2 or bcrypt.
    thanks, I do need a login because I am keeping track of certain data that a user would want to be able to pull up on any computer.

    I will explore sessions in html and perl.

    Thank you!
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Originally Posted by searayman
    thanks, I do need a login because I am keeping track of certain data that a user would want to be able to pull up on any computer.
    This can be done with cookies or sessions without a real login.

    An actual login with password authentication is only necessary if you are storing critical data or user identification is very important (like when users are allowed to submit content).
  8. #5
  9. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    If he wants to track data for the user across multiple computers then a registration system makes more sense than storing it in cookies.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    I disagree. Since he said the data isn't critical and he doesn't want to put much effort in security, I think a registration system is actually a bad idea. It's too complicated and will most likely be insecure, exposing all user data (email addresses, passwords) to the next best script kiddie.

    I'd rather use public user profiles in this case (the data can be saved in a profile and reloaded -- the ID is stored in a cookie or session). Then you don't have to worry about password hashing etc., and every user knows his data isn't protected.

    If, on the other hand, you want to store private data, then of course you should use a registration system.

    So it depends. But what you should never do is to offer a registration system and at the same not really care about security. That's just dangerous and also dishonest with respect to the users.

    I think data should be either public or private, but not "halfway private"
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Dec 2006
    Location
    IL, USA
    Posts
    584
    Rep Power
    21
    1) COOKIES and SESSIONS are not HTML related, they are a client-side thing that you should use a language like PHP to handle.

    With that said, I do a number of things for my cookies/sessions.

    There is a number of ways you can handle this, you can have a field like $_COOKIE['user'] that returns the user's username, or whatever unique identifier you have, this way you can always grab their data per page, and if this is empty you can assume they are not logged on?

    I always have a SESSION part inside of the "users" table in my database that I have md5 / sha1 (hashing encryptions) that store non-personal and critical data and store this into the cookie. this way I can always use that to grab the entire user after - which once "logged in" the normal / common data I grab (username, first_name, access lvl (admin|user|etc.)) can all get stored into my SESSION (not cookie) and then I can grab that all the time.

    it's all a preference on you and how you want to use / manage your system.
  14. #8
  15. CSS & JS/DOM Adept
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jul 2004
    Location
    USA (verifiably)
    Posts
    20,124
    Rep Power
    4303
    Originally Posted by AvsH
    COOKIES and SESSIONS are not HTML related, they are a client-side thing that you should use a language like PHP to handle.
    Don't you mean "server-side"?
    Spreading knowledge, one newbie at a time.

    Check out my blog. | Learn CSS. | PHP includes | X/HTML Validator | CSS validator | Common CSS Mistakes | Common JS Mistakes

    Remember people spend most of their time on other people's sites (so don't violate web design conventions).

IMN logo majestic logo threadwatch logo seochat tools logo