php, is there a safe way to store password in cook

2019-08-27 18:31发布

问题:

is there a safe way of storing passwords in cookies in php?

or is it not recomended?

thanks

回答1:

This is not recommended...

... even if encrypted. Storing this information on a client machine gives them the opportunity to compare cookies in the hopes of decrypting. Worse they could sniff a cookie from someone else and then masquerade as that user!

What is recommended is having the user login through a secure connection and sending a session cookie in response. The session cookie contains a session id which PHP will automatically map to a session file on the server. You can then store a user id in the session. After a short time, the session should be expired.

Sessions are automatically managed by PHP and you should take advantage of it.

Here's a tutorial on how to use PHP sessions.



回答2:

The user is able to change his cookies at will. If you want to "trust" data in PHP, you need to store it on your server, and not on the user's machine. Cookies can also be intercepted through XSS attacks and browser bugs (practical but relies on some another security hole), in addition to sniffing it out on the wire (more theoretical but will always be a flaw in this scheme).



回答3:

Not recommended. Ideally a cookie is just a unique identifier that can be used by the server as an index into a database table (or other structure) which maintains the required data.

It is possible to encode data in the cookie, but I wouldn't be doing it for anything sensitive.

When it comes to passwords, my own opinion is that they shouldn't be stored at all. Only the password hash should be stored.



回答4:

One could possibly hash a password into a cookie, and check that hash against the hash in the database. That's theoretically safe-ish. (You're hashing, aren't you? With a salt? If someone break into your database and you're not, all your users are doomed.)

Regardless, it's still not recommended. Putting information, even when hashed, out into the open is a bad idea overall, when it's a relatively simple matter to store the data yourself and tie it to a generic session ID that doesn't offer any information about the actual password to anyone who could possibly steal that cookie. $_SESSION makes that wonderfully easy.



回答5:

you can hash a cookie's data using sha1() or md5() but the best way for it is use session for storage a user's data.



回答6:

It's not generally recommended, but possible. You could encrypt the cookie's contents with the mcrypt extension.

[Edit Aug 2018] This extension is no longer available.