#1
Contributing User
Devshed Intermediate (1500 - 1999 posts)
Join Date: Sep 2006
Posts: 1,917
Rep Power: 533

    Hashing "Remember Me" Cookie


    Almost implemented remember me functionality. In regards to hashing the user computer identity/user available data/user unavailable data, is this what you have in mind? Also, http://sunnyis.me/blog/secure-passwords/ voices concerns about exceeding 72 characters to hash. Is this of concern? If so, should $_SERVER['HTTP_USER_AGENT'] be removed since it is so long? Thanks


    PHP Code:
    require_once 'PasswordHash.php'; // phpass

    // phpass: 8 = cost (log2 of the iteration count), FALSE = do not fall back to portable hashes
    $t_hasher = new PasswordHash(8, FALSE);
    $hash = $t_hasher->HashPassword(
        'mySalt'
        . $_SERVER['HTTP_USER_AGENT']
        . $_SERVER['REMOTE_ADDR']
        . $_COOKIE['remember_user']
        . $user->date_created
    );
#2
Sarcky
Devshed Supreme Being (6500+ posts)
Join Date: Oct 2006
Location: Pennsylvania, USA
Posts: 10,846
Rep Power: 6351
    That looks correct, yes. You may want to remove the IP from the hash, since people like me commonly use their laptops at work and home every day, and would have to re-log-in every time.

    The salt you use here should be different than the salt you're using on actual passwords.

    Otherwise, this is correct. This code produces the hash which you would compare against $_COOKIE['remember']. Actually creating the remember me cookie must happen after a user has already logged in. Do not create the remember me cookie using the existing $_COOKIE['remember_user'] value.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#3
Contributing User
    Thanks Dan,

    I think including the IP is important. Maybe instead of calling the cookie "remember", append the IP to the cookie name: "remember323.323.323.232" (might have to remove periods?).

    Also, any thoughts about the 72 limit to strings to hash?
#4
Sarcky
    1) If you want to keep the IP as part of the criteria, just put it in the hash. Just realize that means I'll have to log into your site every day.

    2) Remove the 72-character limit. The article you linked to was talking about denial-of-service attacks from posting extremely large passwords (which isn't a concern for you). You can max it out at a larger number if you're worried about DoS attacks, 1024 should be a good limit. I don't know where this author got 72 from.
#5
Contributing User
    I certainly do not wish you to have to log on to my site each day!

    I don't think you would need to. Your laptop would have two cookies on it, one for home and one for work. The cookie to be used would be the one whose name includes your remote address. No?
#6
Sarcky
    But if you make a new cookie for every IP, IP stops being a criteria for logging in. Though I guess if the IP is part of the cookie name AND the IP is part of the hash, that would allow it. I've never seen that.

    You also need to be aware that every cookie is passed back and forth with every request, and there's a maximum number of cookies for a request (both in cookie count and in size). If I have 12 IPs in a week, that would give me 12 cookies on top of the session cookie, remember_user cookie, and whatever else you're using.

    Remember to clear these cookies when they log out or if an auto-login fails.
#7
Contributing User
    I didn't know about the cookie limit, but I suppose it makes sense.

    I could make a cookie array which consists of hash for each IP along with the username. Problem with this approach would be allowing the browser to get rid of old cookies. I currently put an expiration date of 30 days. I haven't researched it, but I expect that the expiration date is extended every time it is sent to the server. With the array, the cookie for a given IP wouldn't expire until the master cookie expired. Obviously, this would also increase the cookie size. Probably best not to go down this route.
#8
Sarcky
    The expiration date is only extended when you call setcookie(). If you don't re-set the cookie, you'll be auto-logged-out. DevShed re-sets the cookie every time I start a new session. Facebook used to (back when I used it) only log you in for 2 weeks.

    You can't store an array in a cookie unless you serialize it, which is a bad idea.
#9
Lost in code
Devshed Supreme Being (6500+ posts)
Join Date: Dec 2004
Posts: 8,317
Rep Power: 7170
    If you're concerned about the length of the user agent, hash it separately first using something simple like md5 or sha1. This will bring it down to 32 or 40 bytes. md5 and sha1 are so fast that it would be virtually impossible for them to facilitate a DOS attack.

    'mySalt' I'm assuming is a secret value stored server-side that is never sent to the client, right?
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#10
Contributing User
    'mySalt' I'm assuming is a secret value stored server-side that is never sent to the client, right?
    Yes, those were my thoughts. I am a little hazy about public versus private salts. It only makes sense to me to think of them as private, but I understand this might not be the case.
#11
Sarcky
    Salts must be private, otherwise there's no point to them.
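The scheme the thread converges on (Sarcky's #2 and #6, Lost in code's #9) in one place, as an added example that is not the thread's own code: a server-side secret separate from the password salt, the user agent pre-hashed so its length never matters, the IP optional, the cookie issued only after a real login, and both cookies cleared on logout or a failed auto-login. A keyed HMAC replaces the phpass HashPassword() call, which in non-portable mode is bcrypt and only reads the first 72 bytes of its input; REMEMBER_SECRET and the function names are assumptions.

```php
<?php
// Added example, not the thread's code: "recompute and compare" remember-me
// check with a keyed HMAC in place of phpass HashPassword(). REMEMBER_SECRET is
// an assumed server-side value, separate from the password salt, never sent out.
const REMEMBER_SECRET = 'placeholder-server-side-secret'; // replace before use
const REMEMBER_DAYS   = 30;

// The user agent is hashed first (sha1 gives 40 hex chars) so its length never
// matters; the IP is optional because binding to it forces a fresh login
// whenever the client's address changes. A delimiter keeps fields distinct.
function remember_token(string $ua, string $rememberUser, string $dateCreated, ?string $ip): string {
    $material = sha1($ua) . '|' . $rememberUser . '|' . $dateCreated . '|' . ($ip ?? '');
    return hash_hmac('sha256', $material, REMEMBER_SECRET);
}

function cookie_opts(int $expires): array {
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Call only after a successful password login, never from an existing cookie.
function issue_remember_cookie(string $rememberUser, string $dateCreated, bool $bindIp): void {
    $ip    = $bindIp ? ($_SERVER['REMOTE_ADDR'] ?? '') : null;
    $token = remember_token($_SERVER['HTTP_USER_AGENT'] ?? '', $rememberUser, $dateCreated, $ip);
    $opts  = cookie_opts(time() + REMEMBER_DAYS * 86400);
    setcookie('remember_user', $rememberUser, $opts);
    setcookie('remember', $token, $opts);
}

// Clear both cookies on logout and whenever auto-login fails.
function clear_remember_cookies(): void {
    setcookie('remember', '', cookie_opts(time() - 3600));
    setcookie('remember_user', '', cookie_opts(time() - 3600));
}

// $dateCreated comes from the server-side user record that remember_user names;
// the token is recomputed from the request and compared in constant time.
function verify_remember_cookie(string $dateCreated, bool $bindIp): bool {
    if (!isset($_COOKIE['remember'], $_COOKIE['remember_user'])) {
        return false;
    }
    $ip       = $bindIp ? ($_SERVER['REMOTE_ADDR'] ?? '') : null;
    $expected = remember_token($_SERVER['HTTP_USER_AGENT'] ?? '', $_COOKIE['remember_user'], $dateCreated, $ip);
    if (!hash_equals($expected, $_COOKIE['remember'])) {
        clear_remember_cookies();
        return false;
    }
    return true;
}
```

Re-issue the cookie with issue_remember_cookie() on each successful auto-login if you want the 30-day window to slide, since setcookie() is the only thing that extends it.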
