
I'm designing an authentication library and I'm thinking about the design of the cookies. I was hoping you could share some thoughts or recommendations.

Here are a few real world examples:

site: stackoverflow.com
name: usr
content: t=Q7k6OGJUK39E&s=f3RhRndgkeiv

site: vimeo.com
name: uid
content: 1186974%7Cuser1186974%7C1232475869%1C0

site: github.com
name: gh_sess_
content: BAh7CjoQZmluZ2VycHJpbnQiJWZlYzdmNWFhNjJmYjJhNDg6OTJkYWQzMjdmMjRiYWY5Ogl1c2VyaQNqzwI6DGNvbnRleHQiBi86D3Nlc3Npb25faWQiJWE1MjU0MDRiNTk0YmZmMzczMHJhNDkzMGYyHzkyBmJiIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--e9d4def787b537f1bbacdb7d625fc06361fbe46a
Emanuil Rusev
  • Some answers in this may interest you: http://stackoverflow.com/questions/8237086/good-secure-way-to-remember-a-user-checkbox – Valamas Nov 23 '11 at 22:33
  • I hope you scrambled the cookie data before posting? ;-) But it might be useful if you address more specific concerns, so people can answer more specifically. – CodeCaster Nov 23 '11 at 23:08

1 Answer


The basic approach is to store at least two pieces of information in the cookie to identify a user:

  • Something telling you who this is (generally a user id)
  • Something telling you this really is that user (a kind of challenge against the user id)

Let's build a user hash for John, user id #42. John's login is "john_demo". Your website will have a secret salt, just a random string that prevents forging the hash.

<?php
$login = "john_demo";
$id = 42;
// Server-side secret; it never leaves the server and is never put in the cookie.
$salt = "ùoajamen!k);p67!è§çRIUV";
// Inner hash binds the id and login to the secret; the outer hash appends the secret once more.
$hash = sha1(sha1("$id:$login:$salt").$salt);
// The cookie carries the id in the clear plus the hash that vouches for it.
$cookie_value = base64_encode($id.':'.$hash);

The hash is salted twice in a row (two sha1 calls). You can easily retrieve the user info by base64-decoding the cookie and extracting the id, then check that the cookie is valid by reconstructing the "official" hash from the database values and comparing it.

Lao
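A worked version of the issue-and-verify cycle described in the answer above, as an added example that is not part of the original answer or of the library the question describes. It is written in Python rather than PHP so it runs stand-alone; the user table, the login names and the HMAC key are constructed for the example, and the salt is the answer's own literal. It implements the answer's exact double-sha1 construction, adds the verification step the answer describes in prose (decode, extract the id, rebuild the hash from the DB record, compare), and beside it builds the same cookie with an HMAC-SHA256 over the same fields, which is the standard keyed-tag construction. Both verifiers use a constant-time comparison and reject malformed cookies, unknown ids and a cookie whose cleartext id has been edited.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample user table (assumption: the real library queries its DB here).
USERS = {42: "john_demo", 43: "alice_demo"}

# Server-side secrets. SALT is the answer's literal; HMAC_KEY stands in for a
# 32-byte random key that a real deployment generates once and keeps out of the cookie.
SALT = "ùoajamen!k);p67!è§çRIUV"
HMAC_KEY = secrets.token_bytes(32)


def answer_hash(user_id: int, login: str) -> str:
    """The answer's construction: sha1(sha1("id:login:salt") . salt), hex-encoded."""
    inner = hashlib.sha1(f"{user_id}:{login}:{SALT}".encode("utf-8")).hexdigest()
    return hashlib.sha1((inner + SALT).encode("utf-8")).hexdigest()


def hmac_tag(user_id: int, login: str) -> str:
    """Keyed alternative: HMAC-SHA256 over the same fields under a secret key."""
    return hmac.new(HMAC_KEY, f"{user_id}:{login}".encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(user_id: int, tag_fn=answer_hash) -> str:
    """Build base64("id:tag") for a user that exists in USERS."""
    login = USERS[user_id]
    payload = f"{user_id}:{tag_fn(user_id, login)}".encode("utf-8")
    return base64.b64encode(payload).decode("ascii")


def verify_cookie(cookie: str, tag_fn=answer_hash):
    """Return the user id the cookie vouches for, or None if the cookie is malformed,
    names an unknown user, or carries a tag that does not match the DB record."""
    try:
        raw = base64.b64decode(cookie, validate=True).decode("utf-8")
        id_str, presented = raw.split(":", 1)
        user_id = int(id_str)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    login = USERS.get(user_id)
    if login is None:
        return None
    expected = tag_fn(user_id, login)
    # Constant-time comparison so a forger cannot learn the tag byte by byte.
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return None
    return user_id


def forge_id(cookie: str, new_id: int) -> str:
    """What an attacker who can only edit the cookie can do: swap the cleartext id
    and keep the original tag. The verifier must reject the result."""
    raw = base64.b64decode(cookie).decode("utf-8")
    _, tag = raw.split(":", 1)
    return base64.b64encode(f"{new_id}:{tag}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    c = issue_cookie(42)
    print("cookie:", c)
    print("verify:", verify_cookie(c))
    print("forged id:", verify_cookie(forge_id(c, 43)))
    print("garbage:", verify_cookie("not base64!"))
    h = issue_cookie(42, hmac_tag)
    print("hmac verify:", verify_cookie(h, hmac_tag))
```

The id travels in the clear, so the whole security of the scheme rests on the tag: the verifier must rebuild it from the server-side record and the secret, never trust anything else in the cookie, and compare in constant time. Using an HMAC with a dedicated key (the `hmac_tag` variant) rather than hash-plus-salt concatenation is the construction with a proof behind it, and it keeps the key separate from any password salt the database already stores.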