PHP SECURE Login using cookie to validate member

Hi Experts!

I need to develop a secure PHP login using MySQL and cookies to validate a member. What I need to do is ONLY allow a member to login if the cookie on his PC is valid. So if he deletes his cookies he needs to be verified again before login is allowed. I know there are a lot of samples using cookies to remember a user, but I need to use cookies to VALIDATE a user/member.

Thanks in advance...
MackieRSA Asked:

Roger Baklund Commented:
Just set a cookie with a timeout far into the future (10 years).

// token = md5 of secret salt + user id, cookie expires 10 years from now
setcookie('SecurityToken',md5(SECRET_SALT.$userid),time() + (60*60*24*365*10));

http://php.net/setcookie

When checking the validity of the Cookie, do like this:

// reject when the cookie is missing or does not match the expected token
if(!isset($_COOKIE['SecurityToken']) || $_COOKIE['SecurityToken']!==md5(SECRET_SALT.$userid))
  die('No access, bad security token');

Define the secret salt like this, with a different set of random characters, obviously:

define('SECRET_SALT','hiIi5f(s8!w+W0?9s_Od3=Qlow#3N3fE4,j');
0
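An added example (not Roger's code and not from this thread) of the same idea, a long-lived cookie placed on the registering computer and checked after the password check, but using a random per-device token stored hashed in MySQL instead of a hash derived from the user id, so the cookie value cannot be recomputed by anyone who learns the salt. The PDO connection `$pdo`, the `device_tokens` table and the function names are assumptions for this example; the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example: per-device registration cookie used as a second check
// after the normal username/password login.
// Assumed (not from the thread): a PDO connection $pdo and a table
//   device_tokens(user_id INT, token_hash CHAR(64), created_at DATETIME)

const DEVICE_COOKIE     = 'DeviceToken';
const DEVICE_COOKIE_TTL = 60 * 60 * 24 * 365 * 10; // 10 years, as in the answer

// Call once, right after the member registers (or re-verifies on a new
// computer): mint a random token, store only its hash, send it as a cookie.
function issueDeviceCookie(PDO $pdo, int $userId): void
{
    $token = bin2hex(random_bytes(32));          // 256-bit random value
    $stmt  = $pdo->prepare(
        'INSERT INTO device_tokens (user_id, token_hash, created_at) VALUES (?, ?, NOW())'
    );
    $stmt->execute([$userId, hash('sha256', $token)]);
    setcookie(DEVICE_COOKIE, $token, [
        'expires'  => time() + DEVICE_COOKIE_TTL,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable by page scripts
        'samesite' => 'Strict',
    ]);
}

// Call after the password check succeeded: true only if the browser
// presents a token that was issued for this user.
function deviceCookieIsValid(PDO $pdo, int $userId): bool
{
    $token = $_COOKIE[DEVICE_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;                            // missing or malformed cookie
    }
    $stmt = $pdo->prepare('SELECT token_hash FROM device_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $presented = hash('sha256', $token);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $presented)) {  // constant-time comparison
            return true;
        }
    }
    return false;
}

// Usage after a successful password check:
//   if (!deviceCookieIsValid($pdo, $userId)) {
//       // unknown computer: require re-verification before login is allowed
//   }
```

Deleting the cookie, or logging in from another computer, makes the check fail and forces the re-verification step the question asks for; the caveats Roger gives below (copied cookies, reinstalls, other browsers) still apply.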
 
Roger Baklund Commented:
Not sure if I understand what you mean... normally, to validate a user, you check if the password he enters matches a password you have stored in the database for this member. A cookie can then be used to maintain a "session", so that the user does not need to login for every page. The special PHP array $_SESSION is usually stored in a cookie, and can be used also to remember the user name and other information related to the current session.

You say you don't need the cookie to remember the user, but to VALIDATE the user. What do you mean by this? How would the cookie validate the user?
0
 
MackieRSA (Author) Commented:
Sorry for not explaining properly.

I need to develop a secure login that not only validates the user from the username and password stored in the MySQL database, but ALSO identifies the user as the user that is allowed to login. In other words, if a user registers for the first time, somehow his identity needs to be confirmed.

The real situation is that, if the user's username and password are given out or stolen, and another user tries to use his login and password, it will ONLY work from the computer that the REAL user has registered from.

I thought that this could be achieved by storing a UNIQUE computer ID or something...

Does this make sense?

Regards
0
 
Roger Baklund Commented:
It makes sense, but it can not be done. There is no unique computer id. There is no way to confirm a user's identity. If the username and password are given out or stolen, you can not distinguish the real user from the "fake" user.

You CAN put a cookie on the computer where the registration was done, but this is not secure: a cookie can be stolen/copied to a different computer, and it would require that the user registers again if he is forced to change to a different computer (for instance after a system crash) or wants to use a different browser, or if he accidentally deletes his cookies.

You can associate a user with a specific IP address, but this approach has similar problems: IP addresses can be spoofed, and the user would have to register again if he for any reason gets a new IP.
0
 
MackieRSA (Author) Commented:
Yes, spot on.

Thanks for the feedback, I think you solved my issue.

Do you have any references to some examples of where I CAN put a cookie on the computer where the registration was done?

Thanks
0
 
MackieRSA (Author) Commented:
Thank you for your assistance
0