
View Full Version : Security problems using cookies to store login+password


martinjsmith
12-08-2002, 02:11 PM
Hi,

I am using cookies on my site to store users' logins and passwords, and then at the top of every page on my site I have an IF statement which checks to see if the login/password combination is in my MySQL database. If it is then the page is displayed, otherwise a login error message is shown. This all works perfectly most of the time, but I have found that some of my users get the error message on screen even when they enter their details correctly. This error is fixed when they reduce the "Internet Security" setting in their Internet Options panel. Is there a way I can make it so they do not have to do this, as it is very annoying?


The code I use to set the cookie is below:

// setcookie() must be called before any output is sent, because it
// adds a Set-Cookie header to the response.
setcookie("loginCookie", $login);
setcookie("passwordCookie", $password);


and at the top of every page I use:

// The cookies set on the previous request arrive in $_COOKIE; reading
// them as $loginCookie / $passwordCookie directly only works when
// register_globals is on, so copy them out explicitly.
$loginCookie    = isset($_COOKIE['loginCookie'])    ? $_COOKIE['loginCookie']    : '';
$passwordCookie = isset($_COOKIE['passwordCookie']) ? $_COOKIE['passwordCookie'] : '';

if (validateUser($loginCookie, $passwordCookie) == "okstudent")
{
    //display page code
}
else
{
    //display error message
}

The validateUser() function returns "okstudent" if the current login and password cookies are found in the MySQL database.

Any comments welcome...

wap3
12-08-2002, 02:20 PM
Well I am no expert here so take this suggestion as it comes.
The thing with cookies is that they may not always be set. The user may have their browser set up to not accept cookies.

Although I can't comment any more on whether there is something wrong with your script, I can say: have you thought about using sessions? This does also have drawbacks, e.g. when the browser is closed the session details will be lost. But with cookies it is possible to store them on the user's computer for a period of time. This might be something you could look into.

Hope it helps? :D

Kiwi
12-08-2002, 07:23 PM
A more traditional approach is to use user/pwd to create a session. This session will expire, but can be stored in a cookie.

There will still be problems with people not setting cookies, but this isn't a security risk.

Storing the username and password in a cookie is a significant security risk, because the cookie is plain text. If any of your users, at any stage, accesses your site from a computer they share with any other person then you have a security hole. If this risk is not critical, then one would have to ask why have any security at all?
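The session-based approach Kiwi describes, as an added example that is not code from anyone in this thread. It assumes a PHP 7.3+ runtime, replaces the MySQL lookup with a constructed in-memory $users array of password hashes (a stand-in for the original validateUser() query), and uses only PHP's built-in session and password functions. The browser ends up holding a single random session ID cookie; the login and password never leave the server.

```php
<?php
// Added example: session login instead of a login/password cookie.
// Not the original poster's code; function names are illustrative.
declare(strict_types=1);

// Constructed stand-in for the MySQL users table: username => password hash.
// A real site would SELECT the hash for the submitted login instead.
function userTable(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            'bob'   => password_hash('hunter2', PASSWORD_DEFAULT),
        ];
    }
    return $users;
}

// Check a submitted login/password against the stored hash.
// Returns the username on success, null on failure.
function validateUser(string $login, string $password): ?string
{
    $hash = userTable()[$login] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return null;
    }
    return $login;
}

// Start the session with a cookie that carries only the session ID.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Login handler: run once, when the login form is POSTed.
function loginUser(string $login, string $password): bool
{
    startSecureSession();
    $user = validateUser($login, $password);
    if ($user === null) {
        return false;
    }
    // Issue a fresh session ID after authentication so an ID chosen or
    // observed before login cannot be reused (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Put this at the top of every page instead of the cookie check.
// Returns the logged-in username, or null if the session is missing or expired.
function currentUser(int $maxAgeSeconds = 1800): ?string
{
    startSecureSession();
    if (!isset($_SESSION['user'], $_SESSION['login_time'])) {
        return null;
    }
    if (time() - $_SESSION['login_time'] > $maxAgeSeconds) {
        logoutUser();          // idle/absolute timeout: session expires
        return null;
    }
    return $_SESSION['user'];
}

// Clear the server-side session and expire the ID cookie in the browser.
function logoutUser(): void
{
    startSecureSession();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// --- page usage ---
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['login'], $_POST['password'])) {
    if (!loginUser((string) $_POST['login'], (string) $_POST['password'])) {
        http_response_code(401);
        echo 'Login error';
        exit;
    }
}
$user = currentUser();
if ($user === null) {
    echo 'Please log in';      // display login form here
    exit;
}
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Because only the session ID is in the cookie, someone who reads it on a shared computer gets at most a session that has already timed out or been logged out, not a reusable password. If the site wants a "remember me" that survives closing the browser (the drawback wap3 mentions), raise the 'lifetime' value rather than putting credentials back into a cookie.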