Login system security

Discussion in 'PHP' started by EternalBob, Oct 22, 2008.

  1. #1
    Hi, I'm not sure how to make my login system secure. The only thing I can think of is storing both the user's username and password in a cookie. To prevent spoofing, I could check the database to make sure they match up. This idea is bad though, because it would require me doing a database query every time a cookie is found on each page.

    I don't need specific code or anything, I just need to know what to do. Thanks.
     
    EternalBob, Oct 22, 2008 IP
  2. Kyosys

    #2
    Actually, it's a bad idea because if the cookies get stolen, the user would be pretty much fucked. Don't store passwords in cookies. Hashed passwords are better, but still not good. If you insist on storing a password in a cookie, make it a hashed one. Preferably salted.

    Otherwise you could rely on sessions...

    Either way, you'll have to do that query. I mean, there are ways to prevent it (like making a session and just storing the password in there), but that would also make stuff easier for attackers (once you're logged in, you stay logged in, even if the password gets changed).

    One query per page is not that bad. If you only have one query you have to make each page, that's actually pretty good.
     
    Kyosys, Oct 22, 2008 IP
  3. EternalBob

    #3
    I just want the best method. I could scrap whatever I currently have.

    OK, so what specifically should I do? So far, I'm going to store the username and password in a session. Then on each page they view, I'll check for the session. If it exists, then I'll check the database to make sure the username and password match. If they do, then that person is "logged in". What should I use cookies for? Also, what's the point of hashing? Wouldn't I have to "de-hash" all of the hashed data before using it?
     
    EternalBob, Oct 22, 2008 IP
  4. Kyosys

    #4
    No, you can't de-hash. You simply hash the original.

    So, if hashed password == cookie, then the user is logged in.

    Now, let's add a salt in there.

    If hashed, salted password == cookie with the same salt (also retrieved from the database), then the user is logged in.

    You would change the salt every time the user logs in, so as soon as somebody logs in, the other person logged in on that account will be logged out. If somebody gets their hands on the cookies, they would still have to get past the salt.

    If you use sessions and don't really reveal the password in cookies, then salting is, of course, not necessary. Sessions use just one cookie, the cookie for the session id, so you would store all the userdata in the session, and simply check if the password and username match up on every page.
     
    Kyosys, Oct 22, 2008 IP
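A session-based version of the scheme Kyosys describes, as an added example that is not code from the thread: the database stores only a password hash, the session holds the user id and a random per-login token instead of the password, and the one query per page compares that token. The `$db` PDO handle and the `users` table columns are assumptions.

```php
<?php
// Added example, not the thread's own code. Assumes a PDO handle $db and a
// users table (id, username, password_hash, login_token) where password_hash
// holds password_hash($plain, PASSWORD_DEFAULT) output, never the password.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start(); // the only cookie the browser needs is the session id

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-hashes with the salt embedded in the stored hash.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // A fresh random token per login: older sessions for this account stop
    // matching, which is the "new salt on every login" effect described above.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET login_token = ? WHERE id = ?')
       ->execute([$token, $user['id']]);
    session_regenerate_id(true); // new session id once authenticated
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['login_token'] = $token;
    return true;
}

// The one query per page: valid only while the session token matches the
// database (also reset login_token when the password changes).
function current_user_id(PDO $db): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_token'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT login_token FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || !hash_equals($stored, $_SESSION['login_token'])) {
        $_SESSION = []; // stale or forged session: drop it without touching the DB
        session_destroy();
        return null;
    }
    return $_SESSION['user_id'];
}
```

Logging out is then a matter of setting `login_token` to NULL for the user and destroying the session; the per-page check rejects any remaining copies of it.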
  5. EternalBob

    #5
    I'm going to store the user information in sessions. On every page, I'll check the username and password, stored in the session, to make sure they match.

    Is there anything else I should do? Should I use cookies for anything? Anything else I should worry about?
     
    EternalBob, Oct 22, 2008 IP
  6. Kyosys

    #6
    Well, something unrelated to logins, but you might want to use one-time tokens to prevent CSRF.
     
    Kyosys, Oct 23, 2008 IP