Solved

PHP SECURE Login using cookie to validate member

Posted on 2009-03-31
476 Views
Last Modified: 2013-12-12
Hi Experts!

I need to develop a secure PHP login using MySQL and cookies to validate a member. What I need to do is ONLY allow a member to login if the cookie on his PC is valid. So if he deletes his cookies he needs to be verified again before login is allowed. I know there are a lot of samples using cookies to remember a user, but I need to use cookies to VALIDATE a user/member.

Thanks in advance...
Question by:MackieRSA
6 Comments
 

Expert Comment

by:Roger Baklund
ID: 24030548
Not sure if I understand what you mean... normally, to validate a user, you check if the password he enters matches a password you have stored in the database for this member. A cookie can then be used to maintain a "session", so that the user does not need to login for every page. The special PHP array $_SESSION is usually stored in a cookie, and can be used also to remember the user name and other information related to the current session.

You say you don't need the cookie to remember the user, but to VALIDATE the user. What do you mean by this? How would the cookie validate the user?

Author Comment

by:MackieRSA
ID: 24030856
Sorry for not explaining properly.

I need to develop a secure login that not only validates the user from the username and password stored in the MySQL database, but ALSO identifies the user as the user that is allowed to login. In other words, if a user registers for the first time, somehow his identity needs to be confirmed.

The real situation is that, if the user's username and password are given out or stolen, and another user tries to use his login and password, it will ONLY work from the computer that the REAL user has registered from.

I thought that this could be achieved by storing a UNIQUE computer ID or something...

Does this make sense?

Regards

Expert Comment

by:Roger Baklund
ID: 24031433
It makes sense, but it can not be done. There is no unique computer id. There is no way to confirm a user's identity. If the username and password are given out or stolen, you can not distinguish the real user from the "fake" user.

You CAN put a cookie on the computer where the registration was done, but this is not secure: a cookie can be stolen/copied to a different computer, and it would require that the user registers again if he is forced to change to a different computer (for instance after a system crash) or wants to use a different browser, or if he accidentally deletes his cookies.

You can associate a user with a specific IP address, but this approach has similar problems: IP addresses can be spoofed, and the user would have to register again if he for any reason gets a new IP.

Author Comment

by:MackieRSA
ID: 24032452
Yes spot on.

Thanks for the feedback I think you solved my issue.

Do you have any references to some examples of where I CAN put a cookie on the computer where the registration was done?

Thanks

Accepted Solution

by:Roger Baklund (earned 500 total points)
ID: 24032843
Just set a cookie with a timeout far into the future (10 years).

// Token derived from a server-side secret and the user id; expires in 10 years.
setcookie('SecurityToken', md5(SECRET_SALT.$userid), time() + (60*60*24*365*10));

http://php.net/setcookie

When checking the validity of the cookie, do like this:

// isset() avoids a notice when the cookie is absent; the strict comparison (!==)
// stops PHP from comparing two hex digests as numbers (e.g. "0e..." == "0e...").
if (!isset($_COOKIE['SecurityToken']) || $_COOKIE['SecurityToken'] !== md5(SECRET_SALT.$userid))
  die('No access, bad security token');

Define the secret salt like this, with a different set of random characters, obviously:

define('SECRET_SALT','hiIi5f(s8!w+W0?9s_Od3=Qlow#3N3fE4,j');
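The token in the accepted answer is md5(SECRET_SALT.$userid), so it is the same value on every computer the member ever uses, never changes, and can only be revoked by changing the salt for all members at once. The following is an added example, not Roger Baklund's code or anything posted in this thread, showing the same cookie-based device registration with a random per-device token: only a SHA-256 hash of the token is stored server-side, it is compared in constant time, and a single copied cookie can be revoked on its own. The device_tokens table and its columns, the function names, and the use of in-memory SQLite (so it runs stand-alone; swap in the MySQL DSN) are all assumptions made for this example. It does not remove the caveat from the comment above: a cookie copied to another computer still works until it is revoked.

```php
<?php
// Added example (not the thread's code): per-device registration token.
// Assumes PHP >= 7.3 with PDO and the SQLite driver; the device_tokens
// table and all function names are made up for this example.
declare(strict_types=1);

const TOKEN_LIFETIME = 60 * 60 * 24 * 365 * 10; // 10 years, as in the accepted answer

function openDb(): PDO {
    // In-memory SQLite so the example runs stand-alone; use your MySQL DSN in production.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE device_tokens (
        user_id    INTEGER NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,
        created_at INTEGER NOT NULL,
        PRIMARY KEY (user_id, token_hash))');
    return $db;
}

// Called once, after the member has been verified out of band (for example via an
// e-mailed confirmation link). Returns the cookie value; only its hash is stored,
// so a database leak does not hand out usable cookies.
function issueDeviceToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex characters
    $stmt = $db->prepare('INSERT INTO device_tokens (user_id, token_hash, created_at) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), time()]);
    return $token;
}

// Sends the token to the browser. Must be called before any output is sent.
function sendDeviceCookie(string $token): void {
    setcookie('SecurityToken', $token, [
        'expires'  => time() + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,     // only ever sent over HTTPS
        'httponly' => true,     // not readable from page JavaScript
        'samesite' => 'Strict',
    ]);
}

// Called at login, after the password check has already succeeded, with the raw
// value of $_COOKIE['SecurityToken'] (or null when the cookie is absent).
function deviceTokenIsValid(PDO $db, int $userId, ?string $cookie): bool {
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return false; // missing or malformed cookie
    }
    $stmt = $db->prepare('SELECT token_hash FROM device_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $presented = hash('sha256', $cookie);
    $ok = false;
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        // Constant-time comparison against every registered device for this user.
        $ok = hash_equals($stored, $presented) || $ok;
    }
    return $ok;
}

// Cuts off one copied or lost cookie without disturbing the member's other devices.
function revokeDeviceToken(PDO $db, int $userId, string $cookie): void {
    $stmt = $db->prepare('DELETE FROM device_tokens WHERE user_id = ? AND token_hash = ?');
    $stmt->execute([$userId, hash('sha256', $cookie)]);
}

// Stand-alone walk-through, no HTTP involved (constructed data).
$db    = openDb();
$token = issueDeviceToken($db, 42);
var_dump(deviceTokenIsValid($db, 42, $token));              // freshly issued token
var_dump(deviceTokenIsValid($db, 42, str_repeat('0', 64))); // well-formed but unknown token
var_dump(deviceTokenIsValid($db, 7, $token));               // real token presented for another user
revokeDeviceToken($db, 42, $token);
var_dump(deviceTokenIsValid($db, 42, $token));              // same token after revocation
```

In a real login flow, call issueDeviceToken() and sendDeviceCookie() only after the member has proved ownership of the account by some other channel, and run deviceTokenIsValid() as an additional gate after the normal username/password check. Because the token is random rather than derived from the user id, knowing the user id and the secret salt no longer lets anyone forge a cookie, and each device row can be listed and revoked individually.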

Author Closing Comment

by:MackieRSA
ID: 31564904
Thank you for your assistance