I’ve been reading quite a few tutorials on “remember me” login implementation. Many of them store the username and a double-hashed password in a cookie. This is so that hackers know neither the plain-text password nor the once-hashed password stored in the database:
setcookie('user', $username, REMEMBER_TIME);
setcookie('pass', md5(sha1($password . 'salt1') . 'salt2'), REMEMBER_TIME);
Then, to auto-log the user back in, you do a check against the database:
// $databasePassword is the once-hashed value, sha1($password . 'salt1'), from the users table
if (isset($_COOKIE['pass']) &&
    $_COOKIE['pass'] === md5($databasePassword . 'salt2')) {  // strict comparison: == would type-juggle hash strings
    $this->user->login();
}
My question is how secure this method is against a hacker simply copying and pasting the cookie file. They don’t know the user’s original plain-text password, but the hacker can hijack the account forever.
Someone suggested to me that I also need to store the IP of the user in the database. This way, I can guarantee that the hijacker must be using the same computer. This would cut out a ton of hack scenarios because you generally trust the people you share your computer with.
if ($allTheAboveChecks &&
$_SERVER['REMOTE_ADDR'] == $ipInDatabase) {
$this->user->login();
}
What are your thoughts?
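The weakness the question describes is that the cookie is derived from the password, so it is valid for as long as the password is unchanged and cannot be revoked or rotated without changing the password. An added example (not code from the question or from any of the tutorials it mentions) that replaces the double-hashed password with a random, expiring, single-use token that is stored hashed on the server; it assumes a PDO connection `$pdo` and a table `remember_tokens(selector, validator_hash, user_id, expires_at)`, both hypothetical:

```php
<?php
// Added example: "remember me" via a random selector:validator token.
// Assumptions (not from the question): a PDO connection $pdo and a table
// remember_tokens(selector VARCHAR, validator_hash CHAR(64), user_id INT, expires_at INT).

const REMEMBER_DAYS = 30;

// Issue a fresh token and set the cookie. Only the validator's hash is stored,
// so a copy of the database does not yield usable cookies.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));  // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));  // secret half, stored only as a hash
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie holds a valid, unexpired token; null otherwise.
function userFromRememberCookie(PDO $pdo): ?int
{
    if (!isset($_COOKIE['remember'])) {
        return null;
    }
    $parts = explode(':', $_COOKIE['remember'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash, expires_at FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()) {
        return null;  // unknown selector or expired token
    }

    $delete = $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?');

    // Constant-time comparison so response timing does not leak the hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        $delete->execute([$selector]);  // right selector, wrong secret: revoke it
        return null;
    }

    // Single use: rotate on every successful auto-login, so a copied cookie
    // stops working as soon as either browser uses the token.
    $delete->execute([$selector]);
    issueRememberToken($pdo, (int) $row['user_id']);
    return (int) $row['user_id'];
}

// Call on password change or "log out everywhere" to invalidate every cookie.
function revokeAllRememberTokens(PDO $pdo, int $userId): void
{
    $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
}
```

With this layout the cookie reveals nothing about the password, a stolen cookie expires on its own and can be revoked per token or per user, and rotation means a copied cookie is noticed the moment it collides with the legitimate one. That also removes the need for the IP check, which tends to fail for users behind NAT, on mobile networks, or with dynamic addresses while adding little against an attacker on the same network.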