[cgiapp] Safe way to remember user login?
Jesse Erlbaum
jesse at erlbaum.net
Wed Jan 14 09:55:28 EST 2009
> The way I've accomplished this is by adding something like an md5key
> column to the users database.
>
> When someone checks the "remember me" button you can generate a key
> based on something like, their username / password / the current date
> + some salt (or whatever you like).
I do something a bit similar to that. The difference is that the "salt"
is not known to the web browser.
The most important part of this idea is that there is a SECRET which is
known only to the server.
Send the user two cookies:
1. A clear-text version of their username
2. An MD5 hashed version of their user name, salted with the SECRET
(Never NEVER give them a cookie with their PASSWORD, or the SECRET.)
When the server gets a request from an un-authenticated user who has
these cookies, try re-hashing the clear-text username with the SECRET.
If it matches the hashed version in the browser, log the user in.
As far as relying on the browser to remember UID/PW: Sometimes that's
OK, and sometimes that's annoying. There are many sites on which I
prefer that I don't have to log in every time I go there. For example,
Gmail.
Jesse
Jesse Erlbaum
The Erlbaum Group, LLC
817 Broadway, 10th floor
New York, NY 10003
212-684-6161 (office)
917-647-3059 (mobile)
212-684-6226 (fax)
jesse at erlbaum.net
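The two-cookie scheme above, written out as an added Python example (not code from the post or from CGI::Application): a server-only SECRET, a clear-text username cookie, and a cookie holding the username hashed with the SECRET, re-derived and compared on each unauthenticated request. It goes one step beyond the post by signing an expiry alongside the username, so a copied cookie stops working after its lifetime; the cookie names, the SECRET value and the timestamps are constructed for the example.

```python
import hashlib
import hmac

# Server-only SECRET from the post: the server knows it, the browser never does.
# Constructed sample value; a real deployment loads it from protected config.
SECRET = b"constructed-server-only-secret"


def _tag(username: str, expires: int) -> str:
    # Hash of the username salted with SECRET. HMAC-MD5 is used instead of
    # md5(username . SECRET) so the tag is not open to length extension; the
    # principle (server-only secret, no password in any cookie) is unchanged.
    msg = f"{username}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.md5).hexdigest()


def make_remember_cookies(username: str, now: int, ttl: int = 30 * 86400) -> dict:
    """Cookies set when 'remember me' is ticked: clear-text username, its
    expiry (Unix time), and the salted hash of both. No password, no SECRET."""
    expires = now + ttl
    return {
        "remember_user": username,
        "remember_expires": str(expires),
        "remember_tag": _tag(username, expires),
    }


def verify_remember_cookies(cookies: dict, now: int):
    """Re-hash the clear-text values with SECRET and log the user in only if
    the tag matches (constant-time compare) and the cookie has not expired.
    Returns the username to log in, or None."""
    username = cookies.get("remember_user")
    expires = cookies.get("remember_expires")
    tag = cookies.get("remember_tag")
    if not (username and expires and tag):
        return None
    if not expires.isdigit() or int(expires) < now:
        return None
    if not hmac.compare_digest(_tag(username, int(expires)), tag):
        return None
    return username
```

Editing the username cookie to another account invalidates the tag, and rotating SECRET logs every remembered browser out at once.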