So I am designing an application, but I have some questions on cookie security. Right now I do it like this: the cookie saves the user ID and a SHA-1 hash of the password. While this is secure, I see a flaw. What if the attacker got hold of the user's cookie? I was considering checking the IP address, but that's not an option. Is there any way I can make it more secure? Thanks.
What are you storing the password for? You can store it in a session, which a hacker can't access that easily. Don't rely on cookie authentication at all. You can make that an optional feature for your site, to keep users logged in when they close their browser. But I would not recommend that if the users have any personal or important data stored anywhere, like credit card numbers, etc. What you could also do is make the user re-enter the password for important tasks, like changing user info, making payments, etc. Here are two more related topics which may be interesting: http://forums.digitalpoint.com/showthread.php?t=365334 http://forums.digitalpoint.com/showthread.php?t=368906
Thanks for the links. No, it's not for credit card details (I definitely wouldn't use cookies for that). It is for a comment system. I've thought of a good idea now, though. The first time the user gets back on the site, it will check their IP against the IP that was recorded for their last successful login. So, if it doesn't match, they will be asked to log in again. Granted, this is still not 100% foolproof; however, it is unlikely the attacker will know the person's IP (it will not be stored in the cookie, of course).
If it's just a comment system, and no personal data except the password is stored (or maybe an email address), you could use cookies to keep the user logged in. Chances that someone tries to hack your site are low, in this case. IPs can be dynamic, and can change during the session, especially after the connection was lost, or the user turns off the modem. Plus, it is possible that two users share the same IP, if they're for example on the same network. So IPs are not something I would really rely on. What exactly are you trying to do? Do you want to keep the user authenticated when he closes the browser and comes back the next day? Or is that for general authentication during the session?
Yep, that's it. So do you think my original method is still the best way to go? (User ID and SHA-1 hash of the password in the cookie.)
The way I always do it is: I have an extra field in the database, which holds a hash value, which is newly generated on each login. The hash value is just a random string which has nothing to do with any encrypted or personal data. This value, and the user ID, will be stored in a cookie if the user chooses to stay logged in (via checkbox).

The user stays authenticated via the session as long as it doesn't expire. But once it does, and the cookies are set, it will query the database for the user ID/hash combination. If there is a match, it will generate a new hash value, update the database with it, and set a new cookie. And finally restore the session, which keeps the user logged in.

That's the most secure way I could think of. Even if someone gets access to the cookies, they would only work as long as the original session doesn't expire, and the original user doesn't move again. Additionally you can store the user agent, and make sure it's the same the next time the user logs in via cookies. And always ask to re-enter the username and password for important tasks.
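The remember-me scheme from the post above (random per-login token plus user ID in the cookie, looked up when the session has expired, rotated on every successful use, user agent checked), written out as an added example. This is not code from the thread or from any poster's site: an in-memory dict stands in for the database column, the 30-day lifetime is an assumption the post does not make, and storing only a SHA-256 digest of the token server-side goes beyond the post (so a leaked table cannot be replayed as cookies). Names such as `RememberMeStore`, `issue`, `redeem` and `revoke` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Lifetime of a remember-me token. The post gives no number; this is an assumption.
TOKEN_LIFETIME_SECONDS = 30 * 24 * 3600


def _digest(value: str) -> str:
    """Server-side form of a token (or user agent). Goes beyond the post: only the
    digest is stored, so a dumped table hands an attacker nothing usable as a cookie."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class RememberMeStore:
    """Per-login random tokens, rotated on every use.

    The dict stands in for the extra database field the post describes:
    user_id -> (token digest, user-agent digest, expiry timestamp).
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._rows: Dict[int, Tuple[str, str, float]] = {}
        self._clock = clock

    def issue(self, user_id: int, user_agent: str) -> str:
        """Called at login when 'keep me logged in' is checked. Returns the cookie value.

        The token is unrelated to the password or any other user data; it is
        just 256 bits from the OS CSPRNG, as the post says it should be.
        """
        token = secrets.token_urlsafe(32)  # URL-safe, never contains ':'
        self._rows[user_id] = (
            _digest(token),
            _digest(user_agent),
            self._clock() + TOKEN_LIFETIME_SECONDS,
        )
        return f"{user_id}:{token}"

    def redeem(self, cookie_value: str, user_agent: str) -> Optional[Tuple[int, str]]:
        """Called when the session has expired but the cookie is present.

        Returns (user_id, fresh_cookie_value) when the cookie is valid, else None.
        A valid token is consumed and replaced, so a copy stolen earlier stops
        working as soon as the legitimate browser has used the original.
        """
        try:
            user_part, token = cookie_value.split(":", 1)
            user_id = int(user_part)
        except ValueError:
            return None  # malformed cookie

        row = self._rows.get(user_id)
        if row is None:
            return None  # user never opted in, or was revoked

        token_digest, ua_digest, expires_at = row
        if self._clock() > expires_at:
            del self._rows[user_id]
            return None  # expired: force a real login

        # Constant-time comparisons, so a guessing attacker learns nothing from timing.
        if not hmac.compare_digest(token_digest, _digest(token)):
            return None
        if not hmac.compare_digest(ua_digest, _digest(user_agent)):
            return None  # same token, different browser: treat as not logged in

        # Rotate: the presented token is now dead and the browser gets a new one.
        return user_id, self.issue(user_id, user_agent)

    def revoke(self, user_id: int) -> None:
        """Logout or password change: the user's remember-me cookie stops working."""
        self._rows.pop(user_id, None)


if __name__ == "__main__":
    store = RememberMeStore()
    ua = "Mozilla/5.0 (constructed example)"
    cookie = store.issue(42, ua)
    stolen_copy = cookie  # attacker copied the cookie jar at this point
    user_id, cookie = store.redeem(cookie, ua)  # legitimate browser comes back first
    print("restored session for user", user_id)
    print("stolen copy still works?", store.redeem(stolen_copy, ua) is not None)
```

Two practical notes on top of what the post covers: set the cookie with the `HttpOnly` and `Secure` flags (and `SameSite`) so script injection and plain-HTTP requests cannot read it, and note that one database field per user, as in the post, means only one browser can be remembered at a time; remembering several devices needs one row per token rather than per user.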