Solved

PHP SECURE Login using cookie to validate member

Posted on 2009-03-31
Last Modified: 2013-12-12
Hi Experts!

I need to develop a secure PHP login using MySQL and cookies to validate a member. What I need to do is ONLY allow a member to login if the cookie on his PC is valid. So if he deletes his cookies he needs to be verified again before login is allowed. I know there are a lot of samples using cookies to remember a user, but I need to use cookies to VALIDATE a user/member.

Thanks in advance...
Question by:MackieRSA
LVL 39

Expert Comment

by:Roger Baklund
ID: 24030548
Not sure if I understand what you mean... normally, to validate a user, you check if the password he enters matches a password you have stored in the database for this member. A cookie can then be used to maintain a "session", so that the user does not need to login for every page. The special PHP array $_SESSION is usually stored in a cookie, and can be used also to remember the user name and other information related to the current session.

You say you don't need the cookie to remember the user, but to VALIDATE the user. What do you mean by this? How would the cookie validate the user?

Author Comment

by:MackieRSA
ID: 24030856
Sorry for not explaining properly.

I need to develop a secure login that not only validates the user from the username and password stored in the MySQL database, but ALSO identify the user as the user that is allowed to login. In other words, if a user registers the first time, somehow his identity needs to be confirmed.

The real situation is that, if the user's username and password are given out or stolen, and another user tries to use his login and password, it will ONLY work from the computer that the REAL user has registered from.

I thought that this could be achieved by storing a UNIQUE computer ID or something...

Does this make sense?

Regards
LVL 39

Expert Comment

by:Roger Baklund
ID: 24031433
It makes sense, but it can not be done. There is no unique computer id. There is no way to confirm a user's identity. If the username and password are given out or stolen, you can not distinguish the real user from the "fake" user.

You CAN put a cookie on the computer where the registration was done, but this is not secure: a cookie can be stolen/copied to a different computer, and it would require that the user registers again if he is forced to change to a different computer (for instance after a system crash) or wants to use a different browser, or if he accidentally deletes his cookies.

You can associate a user with a specific IP address, but this approach has similar problems: IP addresses can be spoofed, and the user would have to register again if he for any reason gets a new IP.

Author Comment

by:MackieRSA
ID: 24032452
Yes spot on.

Thanks for the feedback I think you solved my issue.

Do you have any references to some examples of where I CAN put a cookie on the computer where the registration was done?

Thanks
LVL 39

Accepted Solution

by: Roger Baklund (earned 125 total points)
ID: 24032843
Just set a cookie with a timeout far into the future (10 years).

setcookie('SecurityToken',md5(SECRET_SALT.$userid),time() + (60*60*24*365*10));

http://php.net/setcookie

When checking the validity of the Cookie, do like this:

// Check that the cookie exists before comparing, and compare strictly (!==):
// a loose != would treat a hash such as "0e12..." as equal to a cookie value of "0".
if(!isset($_COOKIE['SecurityToken']) || $_COOKIE['SecurityToken']!==md5(SECRET_SALT.$userid))
  die('No access, bad security token');

Define the secret salt like this, with a different set of random characters, obviously:

define('SECRET_SALT','hiIi5f(s8!w+W0?9s_Od3=Qlow#3N3fE4,j');
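A fuller version of the accepted answer's approach, added here as an example and not the expert's own code: the cookie is an HMAC over the user id and a random per-user value (assumed to be stored in a MySQL column, called device_secret here), so that re-verifying the user can rotate it and invalidate old cookies. It assumes PHP 5.6+ for hash_equals(); the constant and function names are assumptions.

```php
<?php
// Added example, not the accepted answer's code. Binds the login to a cookie that
// was issued on the registering machine. Assumes PHP 5.6+ (hash_equals) and a
// per-user column, here called device_secret, stored alongside the user record.

define('SECRET_SALT', 'replace-with-a-long-random-string');   // server-side secret
define('TOKEN_TTL', 60 * 60 * 24 * 365 * 10);               // 10 years, as in the answer

// Random per-user value created at registration and rotated whenever the user
// has to be re-verified; rotating it invalidates every older cookie at once.
// Requires the openssl extension.
function new_device_secret() {
    return bin2hex(openssl_random_pseudo_bytes(16));
}

// Token = HMAC-SHA256 over the user id and the current device_secret, keyed with
// the server secret. Unlike md5(SECRET_SALT . $userid) it is unique per
// registration and stops matching as soon as device_secret is rotated.
function security_token($userid, $device_secret) {
    return hash_hmac('sha256', $userid . ':' . $device_secret, SECRET_SALT);
}

// Called once on the machine the user registered (or was re-verified) from.
function issue_security_cookie($userid, $device_secret) {
    setcookie('SecurityToken', security_token($userid, $device_secret),
              time() + TOKEN_TTL, '/', '', true, true);   // Secure + HttpOnly flags
}

// Called at login after the password check. $cookies is normally $_COOKIE.
function security_cookie_is_valid($userid, $device_secret, array $cookies) {
    if (!isset($cookies['SecurityToken']) || !is_string($cookies['SecurityToken'])) {
        return false;   // cookies deleted or a different machine: re-verify the user
    }
    // hash_equals() is strict and constant-time; a loose != comparison would
    // treat a hash like "0e12..." as equal to a cookie value of "0".
    return hash_equals(security_token($userid, $device_secret), $cookies['SecurityToken']);
}

// Usage sketch (loading/saving device_secret in MySQL is left to the caller):
//   registration: $secret = new_device_secret(); /* save $secret for $userid */
//                 issue_security_cookie($userid, $secret);
//   login:        if (!security_cookie_is_valid($userid, $secret, $_COOKIE)) {
//                     die('No access, bad security token');
//                 }
```

The caveat from the earlier comment still applies: a copied cookie works from another machine until device_secret is rotated, so this is a second factor tied to the browser, not proof of identity.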

Author Closing Comment

by:MackieRSA
ID: 31564904
Thank you for your assistance