Programming Forums
#1  Lance (Programmer)  Oct 16th, 2004, 6:14 PM
I'm coding a blog for my site that will be multi-user. And as I was pondering using cookies to save the login information, I realized someone can falsify the HTTP headers. So that leads me to the question...

Is there a secure method of using cookies to maintain login? Any help would be great.
__________________
/* LANCE */
C++;  /* this makes C bigger but returns the old value */
char *site = "slackwise.net",
     *home = "lance.slackwise.net",
     *pics = "flickr.com/photos/slackwise";
#2  kurifu (Expert Programmer)  Oct 20th, 2004, 2:45 AM
In short, the answer is an astounding no... well, maybe it is not astounding, but you get the point.

The problem here is that cookie data is VERY easily intercepted, and since it is stored on the client end, it is easy to modify, falsify, and so forth. Of course there are a few things you could use to get around this.

First thing you should consider is storing the data in the user's session. Of course you will need to take measures to prevent session fixation if you want to get really secure, but this is relatively easy, well easier to do... just watch the user's IP address.

If you insist on using cookies there are a few ways you can maintain data integrity. One commonly used method is to calculate a hash of the data in the cookie and store that hash in the cookie as well (which can be modified by someone who knows what they are doing and figures out how to compute the hash). Additionally, you can store the hash in the session data; this is much more difficult for the user to modify. They would only be able to falsify information if they did a session fixation attack.

If you wanted to get really secure and still use cookies (ironic, eh?) you could generate a PGP or similar keypair and encrypt and sign the data going into the cookie to yourself. When receiving the data back, you decrypt and verify the data. If you only sign the data, you can even throw away the private key (which is likely more secure, so long as you do not mind the client being able to see what data was signed). This also bypasses your worries on session fixation; it simply will not happen. Just append the user's IP into the data you sign and place in the cookie; this will further prevent falsification.
__________________
Clifford Matthew Roche <geek@cliffordroche.com>
Web Hosting: http://www.crd-hosting.com
Consulting: http://www.crdev-consulting.com
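As an added illustration of the two cookie schemes described in the post above (this is example code written for this page, not code from the thread or from any of its posters): a plain hash stored next to the data can be recomputed by whoever edits the cookie, whereas a tag computed with a key only the server holds (an HMAC, standing in for the "sign it to yourself" keypair idea) cannot, and the user's IP address and an expiry are folded into the signed data as the post suggests. The `user|expires|ip|tag` layout, `SECRET_KEY`, the helper names and all sample values are assumptions made for the example.

```python
"""Signed login cookies: an unkeyed hash next to the data versus a keyed HMAC.

Added example for this thread; the cookie layout "user|expires|ip|tag",
SECRET_KEY and all sample values are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time

# Generated once at server start and never sent to the client. In a real
# deployment it is loaded from configuration so it survives restarts.
SECRET_KEY = secrets.token_bytes(32)


def _payload(user: str, expires, client_ip: str) -> str:
    # The field separator must not appear inside a field, or the cookie
    # could be parsed differently from how it was signed.
    if "|" in user or "|" in client_ip:
        raise ValueError("field separator in cookie field")
    return f"{user}|{expires}|{client_ip}"


def _check_fields(data: str, client_ip: str, now: int):
    # Reject anything that does not have exactly three fields, a wrong
    # address, or an expiry already in the past.
    parts = data.split("|")
    if len(parts) != 3:
        return None
    user, expires, ip = parts
    if ip != client_ip or not expires.isdigit() or int(expires) < now:
        return None
    return user


# --- Scheme A: hash of the data stored in the cookie next to the data ---

def make_cookie_unkeyed(user, expires, client_ip):
    data = _payload(user, expires, client_ip)
    return data + "|" + hashlib.sha256(data.encode()).hexdigest()


def verify_cookie_unkeyed(cookie, client_ip, now):
    data, _, tag = cookie.rpartition("|")
    expected = hashlib.sha256(data.encode()).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return _check_fields(data, client_ip, now)


# --- Scheme B: tag computed with a key only the server holds ---

def make_cookie_signed(user, expires, client_ip):
    data = _payload(user, expires, client_ip)
    tag = hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).hexdigest()
    return data + "|" + tag


def verify_cookie_signed(cookie, client_ip, now):
    data, _, tag = cookie.rpartition("|")
    expected = hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return _check_fields(data, client_ip, now)


def edit_user_field(cookie, new_user):
    """What a client holding the cookie can do: change the user field and
    recompute the public, unkeyed hash. It cannot recompute the HMAC."""
    data, _, _ = cookie.rpartition("|")
    _, expires, ip = data.split("|")
    new_data = _payload(new_user, expires, ip)
    return new_data + "|" + hashlib.sha256(new_data.encode()).hexdigest()


if __name__ == "__main__":
    now = int(time.time())
    weak = make_cookie_unkeyed("lance", now + 3600, "10.0.0.1")
    strong = make_cookie_signed("lance", now + 3600, "10.0.0.1")
    print("unkeyed, edited:", verify_cookie_unkeyed(edit_user_field(weak, "admin"), "10.0.0.1", now))
    print("keyed,   edited:", verify_cookie_signed(edit_user_field(strong, "admin"), "10.0.0.1", now))
```

Both verifiers use a constant-time comparison so the tag check leaks nothing about how many bytes matched. The unkeyed variant accepts the edited cookie because the only thing it relies on is the hash function, which is public; the keyed variant rejects it, and it also rejects a cookie presented from a different address or after its expiry. Binding to the IP address has the cost raised later in the thread (many users behind one address, and addresses that change), so it is an extra check rather than the only one.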
#3  Ade (Hobbyist Programmer)  Oct 20th, 2004, 6:11 AM
You are a god.
__________________
Don't wound what you can't kill
#4  Berto (Programming Guru)  Oct 20th, 2004, 7:32 AM
To keep my sites secure I use a sesid which I store both in a session variable and in the database, and compare those values each time a user goes to a page, and md5'd the password, so inherently it's hard to hack the password (can be database intensive). Never thought about using the IP address, as lots of people could be on the same address :/ Hmm, but you could do it in the same way as the sesid. Oh, and also pass sesid variables around within the links.
__________________
"Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity."

- Albert Einstein
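As an added example, not Berto's or anyone else's code from the thread, of the session table he describes (the session id kept both in the user's session and in the database and compared on every page), with two points the thread touches on folded in: the id is replaced at login, which is the usual defence against the session fixation kurifu mentions, and each row records the client IP and an expiry. The in-memory SQLite database, the table layout, the method names and the sample values are constructed for this example.

```python
"""Server-side session table with a fresh id issued at login.

Added example for this thread; the schema, method names and sample values
are constructed for the example, not taken from any poster's code.
"""
import secrets
import sqlite3
import time


class SessionStore:
    def __init__(self, ttl_seconds=3600):
        # In-memory database for the example; a real site points this at its
        # own sessions table.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions (sid TEXT PRIMARY KEY, user TEXT, ip TEXT, expires INTEGER)"
        )
        self.ttl = ttl_seconds

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: not guessable and not derived from
        # anything the client knows.
        return secrets.token_urlsafe(32)

    def new_session(self, client_ip, now=None):
        """Anonymous session for a visitor who has not logged in yet."""
        now = int(time.time()) if now is None else now
        sid = self._new_id()
        self.db.execute(
            "INSERT INTO sessions VALUES (?, NULL, ?, ?)", (sid, client_ip, now + self.ttl)
        )
        return sid

    def login(self, old_sid, user, client_ip, now=None):
        """Call after the password check succeeds. The pre-login id is dropped
        and a fresh one issued, so an id handed to the victim before login
        never becomes a logged-in session."""
        now = int(time.time()) if now is None else now
        self.db.execute("DELETE FROM sessions WHERE sid = ?", (old_sid,))
        sid = self._new_id()
        self.db.execute(
            "INSERT INTO sessions VALUES (?, ?, ?, ?)", (sid, user, client_ip, now + self.ttl)
        )
        return sid

    def current_user(self, sid, client_ip, now=None):
        """Called on every page: compare the presented id with the database row.
        Returns the user name, or None for unknown, expired, anonymous or
        wrong-address sessions."""
        now = int(time.time()) if now is None else now
        row = self.db.execute(
            "SELECT user, ip, expires FROM sessions WHERE sid = ?", (sid,)
        ).fetchone()
        if row is None:
            return None
        user, ip, expires = row
        if expires < now:
            # Expired rows are removed so the table does not grow without bound.
            self.db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
            return None
        if ip != client_ip:
            return None
        return user

    def logout(self, sid):
        self.db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    anon = store.new_session("10.0.0.1")
    sid = store.login(anon, "lance", "10.0.0.1")
    print("old id still valid:", store.current_user(anon, "10.0.0.1"))
    print("new id user:", store.current_user(sid, "10.0.0.1"))
```

The IP comparison here only refuses the request; a stricter deployment could also delete the row, at the price of logging out users whose address legitimately changes, which is the trade-off Berto points at. Looking the id up in the database on every page is the "database intensive" part he mentions, and the expiry column is what lets the table be pruned.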
#5  Lance (Programmer)  Oct 20th, 2004, 10:59 PM
Well, I was considering using either md5()'ed password cookies or sessions. Too bad my webhost is having problems and is now out of service--my site AND email server are down. I've resorted to using Gmail now. :/ I guess coding my blog is out of the question.

Thanks for your help anyways. I'll keep that in mind and Google for some more details about sessions.

/me returns to sulking over his lost server...
#6  kurifu (Expert Programmer)  Oct 20th, 2004, 11:09 PM
Well if you are looking for a replacement hosting service, here is a good start:

http://www.crd-hosting.com
#7  Berto (Programming Guru)  Oct 21st, 2004, 3:33 AM
http://www.icdsoft.com

Never had a problem, and they have 1 hour customer support which actually works even when you are not a customer.
#8  Lance (Programmer)  Oct 23rd, 2004, 11:38 PM
Well, see... I had proper hosting. And it was within my price range: FREE. Since I knew the admin personally for the past 7 years, he offered me free hosting.

About 10GB space, unlimited SQL, 2TB bandwidth (good enough for my site)... for free.

That's why I chose to use his hosting. But now that's GONE, and a poor college student like me cannot afford any real hosting. And I know that was a shameless plug for CRD since I see it in your signature... I assume you're the owner or an employee. But yea, hosting doesn't come cheap, and I cannot afford any hosting. Hell, I can't even afford broadband!

But thanks for your help. I'm probably just going to do a small hosting job from my own server at home once I get a nice dedicated line. It'll be slow, cheap, and limited by my own bandwidth usage... but hey! I'll have full control and won't pay a dime!
#9  BlazingWolf (Hobbyist Programmer)  Oct 24th, 2004, 12:20 AM
If you can get the mcrypt library installed on your host you can just encrypt the data you store in the cookie, and only someone with a heck of a lot of time on their hands will try to break 64-bit or 128-bit encryption.

If you decide to do it that way I'll post up an example of how to use it. I would do it now but I don't know where the file is and don't want to waste my time.
__________________
_______________________________
BlazingWolf
#10  tempest (Programming Guru)  Oct 27th, 2004, 10:21 AM
If you want absolute security, MySQL logins.
DaniWeb IT Discussion Community