2

For a project I am working on, a company has requested that the password be saved for 90 days so the user will only have to use their username to log in if it is not past the 90 days. It's for one of those assignments where a Computer Science department outsources you to an outside company. I have no idea how to go about doing this, as it seems horribly insecure. Any pointers on how to possibly do it? My first thought would be to use a cookie to save the password and, if there is a valid cookie, then just retrieve the password.

todaroa
  • What's the problem with using a database? – php_nub_qq Nov 30 '13 at 20:16
  • @php_nub_qq I'm just confused as to how to go about this. I've never really built anything this complex. Our teacher just kind of threw us into it. – todaroa Nov 30 '13 at 20:20
  • It is not that complex if you look at it. You don't even need to use a database, you can use a session with some configuration changes – php_nub_qq Nov 30 '13 at 20:20

2 Answers

3

Please don't store the PASSWORD in a COOKIE.

You can store another value, e.g. the last_login_time (not the session_id), in the cookie.

raiserle
  • So I could save the password in the session and then retrieve it from the cookie using the session ID, essentially. – todaroa Nov 30 '13 at 20:20
  • @todaroa No, don't assume sessions are safe on shared web hosting... read (a post of mine) http://stackoverflow.com/questions/18262878/how-to-prevent-php-sessions-being-shared-between-different-apache-vhosts/18263063#18263063 – Raymond Nijland Nov 30 '13 at 20:24
  • +1 just to mention that. Highly insecure to use cookies to store any relevant security information. – Jorge Campos Nov 30 '13 at 20:25
  • @Jorge Campos Sessions can be just as insecure as cookies, but it is harder to bypass/modify session data, though not impossible. – Raymond Nijland Nov 30 '13 at 20:27
  • @RaymondNijland I know that, that's why I suggest in my answer putting the data in a table. – Jorge Campos Nov 30 '13 at 20:29
  • My upvote was because I agree with the cookie part, not necessarily with the session part of the answer. – Jorge Campos Nov 30 '13 at 20:30
  • @Jorge Campos Indeed, that's why I've suggested an upvote on your answer (because of the SQL table, as it should be, assuming he doesn't create SQL injections...). – Raymond Nijland Nov 30 '13 at 20:31
  • BTW, the session_id was an example for other data. AND YES! PLEASE DON'T USE THE session_id – raiserle Nov 30 '13 at 20:32
  • @raiserle The PHPSESSID (session id) is most likely already in a cookie, so "You can store another value e.g. the session_id in the cookie." is pretty redundantly useless, but your +1 is for "don't store password in cookie". – Raymond Nijland Nov 30 '13 at 20:35
  • @Raymond Nijland: Thanks for the +1! And yes, PHPSESSID (or another configured name) is stored in a cookie. My idea was to say: OTHER DATA than the password :(. – raiserle Nov 30 '13 at 20:41
2

You can create a table USER and store the relevant data for the user there. One of the USER fields will be the expiration date. It would be like this:

CREATE TABLE USER (
    id          INTEGER PRIMARY KEY,
    fullname    VARCHAR(50),
    encpassword VARCHAR(255),   -- widened from 20: a salted password hash will not fit in 20 characters
    email       VARCHAR(50),
    -- .... some other fields
    expDate     DATE
);

So when the user logs in you will check in the table whether the current date is less than or equal to the expDate; if it is, you let them log in. That way you could revalidate a user without duplicating the user data, just by changing the expDate.

As @raiserle said, don't store the PASSWORD in a COOKIE: as the cookie remains on the client machine, it can be easily hacked, allowing others to log in as a different user.

I put the field encpassword because you should use some encryption algorithm to encrypt the user password.

Jorge Campos
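One way to put both answers together, as an added example that is not code from the question or from either answer: the cookie carries a random token instead of the password (raiserle's point), and the server keeps that token's expiry in a table (Jorge Campos's expDate). The thread is about PHP; Python with sqlite3 is used here only so the example runs stand-alone. The table and column names, the `selector:validator` cookie layout, and the sample user are assumptions of the example. The stored password is a salted PBKDF2 hash rather than a reversible encryption, so that even the site itself cannot recover it.

```python
# Added example, not code from the question or either answer: a 90-day
# "remember me" login. The cookie holds a random token, never the password;
# the server stores only a hash of the token's secret half plus an expiry
# date, so neither a stolen cookie nor a dumped table yields the password.
# Table, column and cookie layout are assumptions; sqlite3 stands in for
# the real database.
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta

REMEMBER_DAYS = 90

SCHEMA = """
CREATE TABLE app_user (
    id            INTEGER PRIMARY KEY,
    username      TEXT UNIQUE NOT NULL,
    salt          BLOB NOT NULL,
    password_hash BLOB NOT NULL        -- salted PBKDF2, never the password
);
CREATE TABLE remember_token (
    selector       TEXT PRIMARY KEY,   -- public half, used for the lookup
    validator_hash BLOB NOT NULL,      -- SHA-256 of the secret half
    user_id        INTEGER NOT NULL REFERENCES app_user(id),
    expires_at     TEXT NOT NULL       -- ISO-8601, the answer's expDate
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(conn, username, password):
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO app_user (username, salt, password_hash) VALUES (?, ?, ?)",
                 (username, salt, _hash_password(password, salt)))
    conn.commit()

def login_with_password(conn, username, password, now):
    """Full login. Returns the cookie value 'selector:validator', valid for
    REMEMBER_DAYS from `now`, or None if the credentials are wrong."""
    row = conn.execute("SELECT id, salt, password_hash FROM app_user WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], _hash_password(password, row[1])):
        return None
    selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    conn.execute("INSERT INTO remember_token VALUES (?, ?, ?, ?)",
                 (selector, hashlib.sha256(validator.encode()).digest(), row[0],
                  (now + timedelta(days=REMEMBER_DAYS)).isoformat()))
    conn.commit()
    return f"{selector}:{validator}"

def login_with_cookie(conn, cookie, now):
    """Password-less login from the cookie. Returns the username, or None if
    the cookie is malformed, unknown, tampered with or expired. Expired rows
    are deleted so they cannot be replayed later."""
    if not cookie or ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    row = conn.execute("SELECT validator_hash, user_id, expires_at FROM remember_token "
                       "WHERE selector = ?", (selector,)).fetchone()
    if row is None:
        return None
    stored_hash, user_id, expires_at = row
    if now >= datetime.fromisoformat(expires_at):
        conn.execute("DELETE FROM remember_token WHERE selector = ?", (selector,))
        conn.commit()
        return None
    # Constant-time compare: the row was found by selector alone, so a timing
    # leak here would let an attacker guess the validator byte by byte.
    if not hmac.compare_digest(stored_hash, hashlib.sha256(validator.encode()).digest()):
        return None
    return conn.execute("SELECT username FROM app_user WHERE id = ?", (user_id,)).fetchone()[0]

def revoke_all_tokens(conn, username):
    """Log the user out everywhere, e.g. after a password change."""
    conn.execute("DELETE FROM remember_token WHERE user_id IN "
                 "(SELECT id FROM app_user WHERE username = ?)", (username,))
    conn.commit()

def demo():
    """Run the scheme through its states on constructed data (user 'alice',
    a fixed clock) and return each outcome."""
    conn = open_db()
    create_user(conn, "alice", "correct horse battery staple")
    t0 = datetime(2013, 11, 30, 20, 0)
    cookie = login_with_password(conn, "alice", "correct horse battery staple", t0)
    selector, validator = cookie.split(":", 1)
    tampered = f"{selector}:{validator[:-1]}{'x' if validator[-1] != 'x' else 'y'}"
    out = {
        "bad_password": login_with_password(conn, "alice", "wrong", t0),
        "day_89": login_with_cookie(conn, cookie, t0 + timedelta(days=89)),
        "tampered": login_with_cookie(conn, tampered, t0),
        "unknown": login_with_cookie(conn, "nope:nope", t0),
        "day_90": login_with_cookie(conn, cookie, t0 + timedelta(days=90)),
        "replayed_after_expiry": login_with_cookie(conn, cookie, t0),
    }
    cookie2 = login_with_password(conn, "alice", "correct horse battery staple", t0)
    revoke_all_tokens(conn, "alice")
    out["revoked"] = login_with_cookie(conn, cookie2, t0)
    return out
```

In a real site the cookie value returned by `login_with_password` would be set with `HttpOnly`, `Secure` and a 90-day `Max-Age`, the token row deleted on logout, and `revoke_all_tokens` called whenever the password changes. Splitting the cookie into a selector and a validator means the database lookup never depends on the secret half, and storing only the validator's hash means a read-only leak of the table gives an attacker nothing to present.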