Having read this article and many others available on how not to store passwords in databases and cookies, I am now wondering how I ought to do it...
What I have come up with so far (after reading around a little) takes the clear-text user password, pads it with salt until it fills 512 bits (64 bytes => 64 chars, because the page is non-unicode), and then does
$pwhash = hash('sha512', $saltedpw); for ($i=0; $i<1000; $i++) $pwhash = hash('sha512', $pwhash);
I would then store (UserName, HashedPw, Salt) in the database, but what do I actually do about the cookie (to recognize users who want to remain logged on after the session has expired)?
Hashing 1000 times doesn't help anything, once is sufficient.
For remembering the user login in a cookie you have two options:
- As has been stated, you can generate a random token and store it in the database together with the user information. When a user without a session cookie enters the website, you check whether there's a cookie with the token and do a DB lookup. If you find a user with such a token, log them in. You might also want to perform some additional checks, like whether the current IP is the same as the IP when they first logged in.
- You can keep the user ID in the cookie, but you need to sign the data using a secret key to make sure the user can't just modify it. HMAC-SHA-1 is a good way to do this. The benefit is that you don't have to store any extra data in the database. You just verify the signature and do a lookup on the user ID. The disadvantage is that you need to make sure the signature code is secure (HMAC-SHA-1 with a long secret key should do that).
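An added example in PHP, not code from the original thread, showing both options from the answer above: a random token whose SHA-256 hash is stored (storing only the hash, and the in-memory $db array standing in for the table, are assumptions of this example), and a user ID signed with HMAC-SHA-256 (used here instead of the HMAC-SHA-1 named above) verified with hash_equals.

```php
<?php
// Added example (not from the original thread). Both "remember me" options
// from the answer above. $db is an in-memory array standing in for a table.
declare(strict_types=1);

const COOKIE_SECRET = 'replace-with-a-long-random-secret'; // assumed value; keep it out of source control
const TOKEN_TTL = 30 * 24 * 3600;                          // 30 days

// Option 1: random token kept in the DB. Only a hash of the token is stored,
// so a leaked table cannot be replayed as working cookies.
function issueRememberToken(array &$db, int $userId): string {
    $token = bin2hex(random_bytes(32));      // 256-bit CSPRNG token
    $db['tokens'][hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;                           // this value goes into the cookie
}

function lookupRememberToken(array $db, string $token): ?int {
    $row = $db['tokens'][hash('sha256', $token)] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;                         // unknown or expired token
    }
    return $row['user_id'];
}

// Option 2: user ID in the cookie, signed with a keyed MAC; nothing extra in the DB.
function signUserCookie(int $userId): string {
    $payload = $userId . '|' . (time() + TOKEN_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

function verifyUserCookie(string $cookie): ?int {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $expires, COOKIE_SECRET);
    // hash_equals compares in constant time, so a forger learns nothing from timing
    if (!hash_equals($expected, $mac) || (int)$expires < time()) {
        return null;                         // tampered or expired
    }
    return (int)$userId;
}

// Usage: $db = ['tokens' => []]; $t = issueRememberToken($db, 42);
// lookupRememberToken($db, $t) === 42; verifyUserCookie(signUserCookie(42)) === 42
```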
In the database store only the password hash, and the cookie should contain a session id, often called SID. In another table store all
userID) and that's all.
But remember that PHP has a built-in, quite simple and helpful session API; better to use it :)
You don't have to keep the user's password in the cookie. You can generate a long random string (much like a session id) that you store in the database as well as in the cookie. You can change that string each time the session expires and the user returns. When a user accesses the website you can check the cookie value against the database and find out who the user is.