Solved

PHP SECURE Login using cookie to validate member

Posted on 2009-03-31
Last Modified: 2013-12-12
Hi Experts!

I need to develop a secure PHP login using MySQL and cookies to validate a member. What I need to do is ONLY allow a member to login if the cookie on his PC is valid. So if he deletes his cookies he needs to be verified again before login is allowed. I know there are a lot of samples using cookies to remember a user, but I need to use cookies to VALIDATE a user/member.

Thanks in advance...
0
Comment
Question by:MackieRSA
 
LVL 39

Expert Comment

by:Roger Baklund
ID: 24030548
Not sure if I understand what you mean... normally, to validate a user, you check if the password he enters matches a password you have stored in the database for this member. A cookie can then be used to maintain a "session", so that the user does not need to login for every page. The special PHP array $_SESSION is usually stored in a cookie, and can be used also to remember the user name and other information related to the current session.

You say you don't need the cookie to remember the user, but to VALIDATE the user. What do you mean by this? How would the cookie validate the user?
0
 

Author Comment

by:MackieRSA
ID: 24030856
Sorry for not explaining properly.

I need to develop a secure login that not only validates the user from the username and password stored in the MySQL database, but ALSO identifies the user as the user that is allowed to login. In other words, if a user registers the first time, somehow his identity needs to be confirmed.

The real situation is that, if the user's username and password are given out or stolen, and another user tries to use his login and password, it will ONLY work from the computer that the REAL user has registered from.

I thought that this could be achieved by storing a UNIQUE computer ID or something...

Does this make sense?

Regards
0
 
LVL 39

Expert Comment

by:Roger Baklund
ID: 24031433
It makes sense, but it can not be done. There is no unique computer id. There is no way to confirm a user's identity. If the username and password are given out or stolen, you can not distinguish the real user from the "fake" user.

You CAN put a cookie on the computer where the registration was done, but this is not secure: a cookie can be stolen/copied to a different computer, and it would require that the user registers again if he is forced to change to a different computer (for instance after a system crash) or wants to use a different browser, or if he accidentally deletes his cookies.

You can associate a user with a specific IP address, but this approach has similar problems: IP addresses can be spoofed, and the user would have to register again if he for any reason gets a new IP.
0

 

Author Comment

by:MackieRSA
ID: 24032452
Yes spot on.

Thanks for the feedback, I think you solved my issue.

Do you have any references to some examples of where I CAN put a cookie on the computer where the registration was done?

Thanks
0
 
LVL 39

Accepted Solution

by:
Roger Baklund earned 125 total points
ID: 24032843
Just set a cookie with a timeout far into the future (10 years).

setcookie('SecurityToken',md5(SECRET_SALT.$userid),time() + (60*60*24*365*10));

http://php.net/setcookie

When checking the validity of the Cookie, do like this:

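// Reject a missing cookie, and compare strictly so PHP does not type-juggle the two strings
if(!isset($_COOKIE['SecurityToken']) || $_COOKIE['SecurityToken']!==md5(SECRET_SALT.$userid))
  die('No access, bad security token');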

Define the secret salt like this, with a different set of random characters, obviously:

define('SECRET_SALT','hiIi5f(s8!w+W0?9s_Od3=Qlow#3N3fE4,j');
0
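A hardened variant of the registration cookie from the accepted answer, as an added example that is not part of the original thread: each registration gets its own random device id, bound to the user id and an expiry with HMAC-SHA256 and checked with hash_equals(). The function names, the key value and the one-year lifetime are assumptions, and the array form of setcookie() needs PHP 7.3 or later; the cookie remains a copyable bearer value, as noted earlier in the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; DEVICE_KEY is a constructed sample value.
// In production, load the key from configuration outside the web root.
const DEVICE_KEY = 'constructed-sample-key-replace-with-32-random-bytes';
const TOKEN_TTL  = 60 * 60 * 24 * 365; // assumed lifetime: one year, in seconds

/** Build "deviceId.expiry.mac", bound to one user and one registration. */
function issue_device_token(int $userId, int $now): string
{
    $deviceId = bin2hex(random_bytes(16)); // differs for every registration
    $expiry   = $now + TOKEN_TTL;
    $mac = hash_hmac('sha256', "$userId|$deviceId|$expiry", DEVICE_KEY);
    return "$deviceId.$expiry.$mac";
}

/** Return the device id if the token is authentic and unexpired, else null. */
function verify_device_token(?string $token, int $userId, int $now): ?string
{
    if ($token === null || substr_count($token, '.') !== 2) {
        return null; // missing or malformed cookie
    }
    [$deviceId, $expiry, $mac] = explode('.', $token);
    if (!ctype_xdigit($deviceId) || !ctype_digit($expiry)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$userId|$deviceId|$expiry", DEVICE_KEY);
    if (!hash_equals($expected, $mac) || (int)$expiry < $now) {
        return null; // forged, issued for another user, or expired
    }
    return $deviceId; // check this id against a server-side revocation list
}

/** Send the token after a successful registration, over HTTPS only. */
function send_device_cookie(string $token, int $now): bool
{
    return setcookie('SecurityToken', $token, [
        'expires' => $now + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
}

// Constructed demonstration; runs from the CLI without a web server.
$now   = 1700000000;
$token = issue_device_token(42, $now);
var_dump(verify_device_token($token, 42, $now));                 // same user
var_dump(verify_device_token($token, 43, $now));                 // other user id
var_dump(verify_device_token($token, 42, $now + TOKEN_TTL + 1)); // after expiry
```

Because the device id is random per registration, storing it server-side lets one lost or copied cookie be revoked without affecting the user's other registrations.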
 

Author Closing Comment

by:MackieRSA
ID: 31564904
Thank you for your assistance
0
