Even though I am new to programming, I want to try to do things as securely as possible as I learn to do basic things. I am getting to cookie security and came across a really great security website. Some of it is over my head though, such as preventing timing leaks. The first part seems simple enough, which is to generate a unique token when users check the "remember me" checkbox.
function generateToken($length = 20)
I don’t want to post the entire article here unless that is okay with everyone (please let me know if I can) otherwise here is a link to the article.
They basically say, "Even if you're using a cryptographically secure random number generator, but your cookie looks like rememberme=WBWgm2oMFxsiGRGQNJ6n8gtN3gOuQ2wjN8ZRjZtU0Mn and you're storing these tokens in a database table that looks like this:
CREATE TABLE `auth_tokens` (
    `id` integer(11) UNSIGNED NOT NULL AUTO_INCREMENT,
    `token` char(33),
    `userid` integer(11) UNSIGNED NOT NULL,
    `expires` integer(11), -- or datetime
    PRIMARY KEY (`id`)
);
(And a look-up query might look something like this...)
SELECT * FROM auth_tokens WHERE token = 'WBWgm2oMFxsiGRGQNJ6n8gtN3gOuQ2wjN8ZRjZtU0Mn';
Watch out, an esoteric and nontrivial attack still exists."
Then it goes on about timing leaks.
If anyone would be prepared to take the time to explain this in plain English I would be really grateful. I really want to implement this but want to know what I am doing and why I am doing it.
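The attack the article is hinting at is that `WHERE token = '...'` hands the secret to the database, and a database string comparison can stop at the first byte that differs, so the response time depends on how many leading characters the attacker guessed correctly. The usual fix is to split the cookie into a public selector (what the indexed lookup runs on) and a secret validator (stored only as a hash and compared in constant time in application code). The following is an added example of that pattern; it is not code from the quoted article and not the question author's code. It is written in Python with the standard library so it runs anywhere; the PHP equivalents are random_bytes(), hash('sha256', ...) and hash_equals(). The table layout, the function names and the cookie format selector:validator are this example's own choices.

```python
"""Split-token "remember me" store: public selector + secret validator.

The database only ever compares the selector (not secret), so its timing
can reveal at most whether a selector exists. The validator is hashed and
compared in constant time in application code.
"""
import hashlib
import hmac
import secrets
import sqlite3
import time
from typing import Optional

SELECTOR_BYTES = 12   # public lookup key, 24 hex characters
VALIDATOR_BYTES = 32  # secret half, 64 hex characters


def open_store() -> sqlite3.Connection:
    """Create an in-memory SQLite store with the split-token schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE auth_tokens (
            selector       TEXT PRIMARY KEY,  -- looked up by the DB index
            validator_hash TEXT NOT NULL,     -- sha256(validator), hex
            userid         INTEGER NOT NULL,
            expires        INTEGER NOT NULL   -- unix timestamp
        )
        """
    )
    return conn


def issue_token(conn: sqlite3.Connection, userid: int, ttl: int,
                now: Optional[int] = None) -> str:
    """Create a token for userid valid for ttl seconds; return the cookie value."""
    now = int(time.time()) if now is None else now
    selector = secrets.token_hex(SELECTOR_BYTES)
    validator = secrets.token_hex(VALIDATOR_BYTES)
    # Only the hash of the validator reaches the database, so a dump of the
    # table does not yield usable cookies.
    validator_hash = hashlib.sha256(validator.encode()).hexdigest()
    conn.execute(
        "INSERT INTO auth_tokens (selector, validator_hash, userid, expires) "
        "VALUES (?, ?, ?, ?)",
        (selector, validator_hash, userid, now + ttl),
    )
    return f"{selector}:{validator}"


def validate_token(conn: sqlite3.Connection, cookie: str,
                   now: Optional[int] = None) -> Optional[int]:
    """Return the userid for a valid, unexpired cookie, otherwise None."""
    now = int(time.time()) if now is None else now
    selector, sep, validator = cookie.partition(":")
    if not sep or len(selector) != 2 * SELECTOR_BYTES:
        return None
    # The WHERE clause only sees the public selector.
    row = conn.execute(
        "SELECT validator_hash, userid, expires FROM auth_tokens WHERE selector = ?",
        (selector,),
    ).fetchone()
    if row is None:
        return None  # unknown selector: nothing secret is leaked by timing
    stored_hash, userid, expires = row
    candidate = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison: elapsed time does not depend on how many
    # leading characters of the validator were correct.
    if not hmac.compare_digest(candidate, stored_hash):
        return None
    if expires <= now:
        # Expired: remove the row so it cannot be replayed later.
        conn.execute("DELETE FROM auth_tokens WHERE selector = ?", (selector,))
        return None
    return userid


if __name__ == "__main__":
    store = open_store()
    cookie = issue_token(store, userid=42, ttl=3600)
    print("cookie:", cookie)
    print("valid:", validate_token(store, cookie))
    print("tampered:", validate_token(store, cookie[:-1] + "x"))
```

Hashing the validator before storage is what makes the constant-time compare cheap: both sides are fixed-length hex strings, so there is no length leak either. If a selector lookup succeeds but the validator fails, that is a strong signal of a stolen-and-guessed cookie and is worth logging.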