php, is there a safe way to store password in cook

Posted 2019-08-27 18:07

is there a safe way of storing passwords in cookies in php?

or is it not recommended?

thanks

6 answers
Viruses.
Reply 2 · 2019-08-27 18:12

It's not generally recommended, but possible. You could encrypt the cookie's contents with the mcrypt extension.

[Edit Aug 2018] This extension is no longer available.

别忘想泡老子
Reply 3 · 2019-08-27 18:19

One could possibly hash a password into a cookie, and check that hash against the hash in the database. That's theoretically safe-ish. (You're hashing, aren't you? With a salt? If someone breaks into your database and you're not, all your users are doomed.)

Regardless, it's still not recommended. Putting information, even when hashed, out into the open is a bad idea overall, when it's a relatively simple matter to store the data yourself and tie it to a generic session ID that doesn't offer any information about the actual password to anyone who could possibly steal that cookie. $_SESSION makes that wonderfully easy.

劫难
Reply 4 · 2019-08-27 18:24

Not recommended. Ideally a cookie is just a unique identifier that can be used by the server as an index into a database table (or other structure) which maintains the required data.

It is possible to encode data in the cookie, but I wouldn't be doing it for anything sensitive.

When it comes to passwords, my own opinion is that they shouldn't be stored at all. Only the password hash should be stored.

Deceive 欺骗
Reply 5 · 2019-08-27 18:27

This is not recommended...

... even if encrypted. Storing this information on a client machine gives them the opportunity to compare cookies in the hopes of decrypting. Worse, they could sniff a cookie from someone else and then masquerade as that user!

What is recommended is having the user login through a secure connection and sending a session cookie in response. The session cookie contains a session id which PHP will automatically map to a session file on the server. You can then store a user id in the session. After a short time, the session should be expired.

Sessions are automatically managed by PHP and you should take advantage of it.

Here's a tutorial on how to use PHP sessions.

我命由我不由天
Reply 6 · 2019-08-27 18:29

You can hash a cookie's data using sha1() or md5(), but the best way is to use a session for storing a user's data.

贼婆χ
Reply 7 · 2019-08-27 18:31

The user is able to change his cookies at will. If you want to "trust" data in PHP, you need to store it on your server, and not on the user's machine. Cookies can also be intercepted through XSS attacks and browser bugs (practical, but relies on some other security hole), in addition to sniffing it out on the wire (more theoretical, but will always be a flaw in this scheme).

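The pattern replies 3, 5 and 7 above converge on (the password hash lives only in the database, the browser gets nothing but an opaque session ID, and the user ID is held server-side in `$_SESSION`) written out as an added example that is not from this thread or any of its posters. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()`), a `users` table with columns `id`, `username` and `password_hash`, and the function names `startSecureSession`, `registerUser`, `loginUser`, `currentUserId` and `logoutUser` are my own; the CLI demo at the bottom uses a constructed in-memory SQLite database in place of a real user store.

```php
<?php
// Added example: session-based login instead of putting any form of the
// password into a cookie. Function names and table layout are assumptions.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 900; // expire the session after 15 minutes idle

// Start the session with cookie flags that limit theft and replay:
// Secure (HTTPS only), HttpOnly (no JavaScript access), SameSite (CSRF guard).
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Store only a salted password hash; password_hash() generates the salt itself.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Verify the password against the stored hash, then bind the user ID to a
// fresh session ID. The cookie never carries the password or its hash.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // new ID on privilege change (anti-fixation)
    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

// Return the logged-in user's ID, or null if there is no session or it has idled out.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > SESSION_IDLE_SECONDS) {
        logoutUser();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['user_id'];
}

// Clear server-side state and invalidate the cookie on the client.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed demo (CLI only): in-memory SQLite stands in for the real database.
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    startSecureSession();
    registerUser($pdo, 'alice', 'correct horse battery staple');
    var_dump(loginUser($pdo, 'alice', 'not the password'));
    var_dump(loginUser($pdo, 'alice', 'correct horse battery staple'));
    var_dump(currentUserId());
    logoutUser();
}
```

In a web deployment the demo block is skipped; call `startSecureSession()` at the top of every request, `loginUser()` from the login form handler (served over HTTPS, as reply 5 says), and `currentUserId()` wherever a page needs to know who is logged in. The only thing that ever reaches the browser is the session ID, which is random and says nothing about the password, so a stolen cookie is limited by the idle timeout and can be revoked server-side by `logoutUser()`.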