Solved

PHP SECURE Login using cookie to validate member

Posted on 2009-03-31
Last Modified: 2013-12-12
Hi Experts!

I need to develop a secure PHP login using MySQL and cookies to validate a member. What I need to do is ONLY allow a member to login if the cookie on his PC is valid. So if he deletes his cookies he needs to be verified again before login is allowed. I know there are a lot of samples using cookies to remember a user, but I need to use cookies to VALIDATE a user/member.

Thanks in advance...
Question by:MackieRSA

Expert Comment

by:Roger Baklund
ID: 24030548
Not sure if I understand what you mean... normally, to validate a user, you check if the password he enters matches a password you have stored in the database for this member. A cookie can then be used to maintain a "session", so that the user does not need to login for every page. The special PHP array $_SESSION is usually stored in a cookie, and can be used also to remember the user name and other information related to the current session.

You say you don't need the cookie to remember the user, but to VALIDATE the user. What do you mean by this? How would the cookie validate the user?
Author Comment

by:MackieRSA
ID: 24030856
Sorry for not explaining properly.

I need to develop a secure login that not only validates the user from the username and password stored in the MySQL database, but ALSO identifies the user as the user that is allowed to login. In other words, if a user registers the first time, somehow his identity needs to be confirmed.

The real situation is that, if the user's username and password are given out or stolen, and another user tries to use his login and password, it will ONLY work from the computer that the REAL user has registered from.

I thought that this could be achieved by storing a UNIQUE computer ID or something...

Does this make sense?

Regards

Expert Comment

by:Roger Baklund
ID: 24031433
It makes sense, but it can not be done. There is no unique computer id. There is no way to confirm a user's identity. If the username and password are given out or stolen, you can not distinguish the real user from the "fake" user.

You CAN put a cookie on the computer where the registration was done, but this is not secure: a cookie can be stolen/copied to a different computer, and it would require that the user registers again if he is forced to change to a different computer (for instance after a system crash) or wants to use a different browser, or if he accidentally deletes his cookies.

You can associate a user with a specific IP address, but this approach has similar problems: IP addresses can be spoofed, and the user would have to register again if he for any reason gets a new IP.
Author Comment

by:MackieRSA
ID: 24032452
Yes spot on.

Thanks for the feedback I think you solved my issue.

Do you have any references to some examples of where I CAN put a cookie on the computer where the registration was done?

Thanks

Accepted Solution

by:Roger Baklund (earned 125 total points)
ID: 24032843
Just set a cookie with a timeout far into the future (10 years).

setcookie('SecurityToken', md5(SECRET_SALT.$userid), time() + (60*60*24*365*10)); // expires in ten years

http://php.net/setcookie

When checking the validity of the Cookie, do like this:

// strict (!==) comparison: a loose != would treat two hex strings as numbers if both happen to look numeric
if(!isset($_COOKIE['SecurityToken']) || $_COOKIE['SecurityToken'] !== md5(SECRET_SALT.$userid))
  die('No access, bad security token');

Define the secret salt like this, with a different set of random characters, obviously:

define('SECRET_SALT','hiIi5f(s8!w+W0?9s_Od3=Qlow#3N3fE4,j');
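The following is an added example, not code from the thread or from Roger Baklund's answer. It implements the same idea (a long-lived cookie marking the browser the member registered from, required in addition to the password) with the changes a security reviewer would ask for: the token is random and issued per device rather than derived from SECRET_SALT and the user id, so a leaked secret cannot be used to forge it and one device can be revoked without touching the others; the server stores only an HMAC of the token, so a database leak yields no usable cookie; the comparison uses hash_equals() in constant time; and the cookie is set Secure, HttpOnly and SameSite. The SERVER_KEY value, the assumed table layout (device_tokens: user_id, token_hash, created_at) and the in-memory $deviceStore that stands in for the MySQL table are all assumptions made so the script runs offline; it needs PHP 7.3 or later for random_bytes() and the setcookie() options array.

```php
<?php
// Added example (not from the original thread). A per-device cookie token that must be
// present, in addition to a correct password, before login is allowed.
// SERVER_KEY is a placeholder: in production load a long random value from a config
// file outside the web root. $deviceStore is an array standing in for the assumed
// device_tokens table (user_id, token_hash, created_at).

const SERVER_KEY  = 'REPLACE-WITH-A-LONG-RANDOM-KEY-LOADED-FROM-CONFIG'; // placeholder
const COOKIE_NAME = 'DeviceToken';
const COOKIE_TTL  = 60 * 60 * 24 * 365 * 10; // ten years, matching the accepted answer

// HMAC of the raw cookie value; this, not the raw value, is what the database holds.
function hashToken(string $token): string
{
    return hash_hmac('sha256', $token, SERVER_KEY);
}

// Called once per browser after the member's identity has been confirmed some other way
// (for example at first registration). Returns the raw token for the caller/tests.
function issueDeviceToken(array &$store, int $userId, bool $sendCookie): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $store[$userId][hashToken($token)] = time();  // one row per trusted device
    if ($sendCookie) {
        setcookie(COOKIE_NAME, $token, [
            'expires'  => time() + COOKIE_TTL,
            'path'     => '/',
            'secure'   => true,     // never sent over plain HTTP
            'httponly' => true,     // not readable from JavaScript
            'samesite' => 'Strict',
        ]);
    }
    return $token;
}

// True only if the presented cookie matches a token issued for this user.
function isKnownDevice(array $store, int $userId, ?string $cookieValue): bool
{
    // Reject malformed input before doing any work (64 hex chars = 32 bytes).
    if ($cookieValue === null || strlen($cookieValue) !== 64 || !ctype_xdigit($cookieValue)) {
        return false;
    }
    $candidate = hashToken($cookieValue);
    foreach ($store[$userId] ?? [] as $storedHash => $issuedAt) {
        if (hash_equals($storedHash, $candidate)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Login requires BOTH a correct password and a recognised device cookie, which is the
// behaviour the question asks for. Returns a short status string for the caller.
function attemptLogin(array $store, array $users, string $username, string $password, ?string $cookieValue): string
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return 'bad credentials';
    }
    if (!isKnownDevice($store, $user['id'], $cookieValue)) {
        return 'unknown device'; // send the member through re-verification, not straight in
    }
    return 'ok';
}

// --- constructed demo data; run with `php this_file.php` ---
$users = [
    'mackie' => ['id' => 42, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
$deviceStore = [];
$sendCookie  = PHP_SAPI !== 'cli';   // headers cannot be sent from the command line
$token = issueDeviceToken($deviceStore, 42, $sendCookie);

echo attemptLogin($deviceStore, $users, 'mackie', 'correct horse', $token), "\n";
echo attemptLogin($deviceStore, $users, 'mackie', 'correct horse', null), "\n";
echo attemptLogin($deviceStore, $users, 'mackie', 'correct horse', str_repeat('a', 64)), "\n";
echo attemptLogin($deviceStore, $users, 'mackie', 'wrong', $token), "\n";
```

Run from the command line, the four calls print ok, unknown device, unknown device and bad credentials in that order: a correct password from a browser without the cookie (or with a well-formed but unissued one) is refused, which is exactly the check the question wants. The caveats in the thread still hold: a copied cookie works from another machine, so the scheme raises the bar for a stolen password but does not prove identity, and deleting cookies or changing browsers means re-verification.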

Author Closing Comment

by:MackieRSA
ID: 31564904
Thank you for your assistance