
Thread: [RESOLVED] login form (remember me?)

  1. #1

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    [RESOLVED] login form (remember me?)

    i'm making a login form right now that has the option to remember the visitor's details using cookies. now the problem is i have no clue how to get the data from the checkbox to see if it's checked or not. how to do this?

  2. #2
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: login form (remember me?)

    PHP Code:
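    <?php
      // A checkbox is only present in the POST data when it was checked,
      // so isset() is enough to test its state.
      if (isset($_POST['box'])) {
        echo "the checkbox was checked";
      } else {
        echo "the checkbox was not checked";
      }
    ?>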
    <form method="post">
      check this --> <input type="checkbox" name="box" />
      <input type="submit" value="go" />
    </form>
    if you can't figure it out from looking at this example, run it on your server and try it out.

  3. #3

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    Re: login form (remember me?)

    no i can...

    this is what i did... i believe i made a mistake somewhere with the cookies...

    i'll look at this again tomorrow, getting kinda late.

  4. #4
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: login form (remember me?)

    Quote Originally Posted by Justa Lol View Post
    no i can...

    this is what i did... i believe i made a mistake somewhere with the cookies...
    Post your code so kows or someone can check your code and see if anything is wrong.
    When you quote a post, could you please do it via the "Reply With Quote" button or, if it is multiple posts, click the "''+" button then the "Reply With Quote" button.
    If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.

  5. #5

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    Re: login form (remember me?)

    no, i'll need to try it myself before i post any code...

    i'll update on this post.

    edit: i misplaced the variables when i set the cookies, so it set twice the username instead of username and password, but i got it under control now. thanks for the replies.
    Last edited by Justa Lol; Feb 10th, 2010 at 07:49 AM.

  6. #6
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: [RESOLVED] login form (remember me?)

    Don't set cookies with a username and password.
    PHP || MySql || Apache || Get Firefox || OpenOffice.org || Click || Slap ILMV || 1337 c0d || GotoMyPc For FREE! Part 1, Part 2

    | PHP Session --> Database Handler * Custom Error Handler * Installing PHP * HTML Form Handler * PHP 5 OOP * Using XML * Ajax * Xslt | VB6 Winsock - HTTP POST / GET * Winsock - HTTP File Upload

    Latest quote: crptcblade - VB6 executables can't be decompiled, only disassembled. And the disassembled code is even less useful than I am.

    Random VisualAd: Blog - Latest Post: When the Internet becomes Electricity!!


    Spread happiness and joy. Rate good posts.

  7. #7
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: [RESOLVED] login form (remember me?)

    Apologies, I pressed send a little early. Putting a user name and password into a cookie is bad practice because another user could view the information.

    If you are storing a password, ensure you encrypt it / hash it. If you are hashing it make sure you prepend or append some salt.

    e.g. md5($password . $salt);

  8. #8
    Hyperactive Member
    Join Date
    May 2008
    Location
    >> ( ҉ )
    Posts
    413

    Re: [RESOLVED] login form (remember me?)

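    Why can't you use cookies?
    PHP Code:
    setcookie("RememberUsername", $_POST['Username'], time()+86400);
    Textfield text =
    PHP Code:
    <?php // Cookie values are client-controlled, so escape before output.
    echo isset($_COOKIE['RememberUsername']) ? htmlspecialchars($_COOKIE['RememberUsername'], ENT_QUOTES) : ''; ?>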
    I think that this would work too.

  9. #9

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    Re: [RESOLVED] login form (remember me?)

    Quote Originally Posted by visualAd View Post
    Putting a user name and password into a cookie is bad practice because another user could view the information.
    could you explain to me how another user would view the cookie?

  10. #10
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: [RESOLVED] login form (remember me?)

    There are several ways:

    1. The user leaves the computer unlocked and accessible to others. E.g. at a work place or having just used a public computer. Another individual can then view the cookies in plain text to find the password.
    2. After setting the cookie the password will be sent to the server every time the user requests a page on the web site. This will make the password more vulnerable in the event of a man in the middle attack which can be easily orchestrated on a public computer or via a proxy server.
    3. In the event that your user's PC or laptop is stolen or mislaid, the cookie files / cache could be read directly off the disk along with the site for which they are valid.


    You could argue that your site does not contain any sensitive information so it is not worth the extra effort to encrypt or protect the password. However, it is commonplace for the average Internet bod to use the same password for e-banking, porn sites and forums.

    You could also argue that you have a moral (possibly legal - dependent on what your site does and where it is hosted) duty to protect your users' data.

  11. #11

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    Re: [RESOLVED] login form (remember me?)

    good point... i believe i need to update my cookies xD

    but this makes cookies never secure, because md5 can be decrypted, here.

  12. #12
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: [RESOLVED] login form (remember me?)

    uhh. you seem to be a little confused. no, it cannot be decrypted.

    just to be clear to anyone else reading -- I am not putting more trust in MD5 than I should. it has been shown to have flaws (and it has even been cracked), but MD5 is still a one-way hash. it cannot be decrypted.

    the website you linked to is simply storing a bunch of MD5 hashes that they have created themselves (and probably that have been submitted by some of their users using the "encrypt" form) in a database; when you look up a hash to be "decrypted" it just checks if it exists in the database. the following hash that I just created, for example, does not get "decrypted":
    Code:
    e27ff59e2284f263f624ad1ee2f0a691
    and if you think this makes MD5 insecure, then by using that logic you're also saying that every single hashing algorithm is insecure. if you have a database full of SHA256 hashes that represent simple dictionary words, common passwords, or strings submitted by users, then you might have an exhaustive list of potential hashes. it still doesn't let you decrypt anything, though. anyone who has a four letter password that exists in a dictionary is looking to get hacked, anyway.

    oh, and not to even mention salts! that totally defuncts that website you linked to.
    Last edited by kows; Feb 14th, 2010 at 01:51 PM.
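
The lookup-site behaviour and the effect of a salt described in post #12, as an added example that is not code from the thread; the word list, the password and the helper names are constructed for the illustration. It also goes one step beyond the thread by showing PHP's built-in `password_hash()`, which generates the salt itself.

```php
<?php
// Added example. The word list and the "stored" hashes are constructed.

// What a lookup site holds: hash => input, precomputed from known strings.
function buildLookupTable(array $words): array
{
    $table = [];
    foreach ($words as $w) {
        $table[md5($w)] = $w;
    }
    return $table;
}

// "Decrypting" is only a search for a hash that was computed in advance.
function lookup(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

$table = buildLookupTable(['password', 'letmein', 'love', 'qwerty']);

$password = 'love';                     // a four-letter dictionary word
$salt     = bin2hex(random_bytes(16));  // per-user random salt, stored next to the hash

$unsalted = md5($password);
$salted   = md5($password . $salt);     // the form shown in post #7

var_dump(lookup($table, $unsalted));    // the hash is in the precomputed table
var_dump(lookup($table, $salted));      // the salted hash was never precomputed

// password_hash() picks a random salt and a deliberately slow algorithm,
// and embeds both in the returned string for password_verify() to read.
$stored = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong', $stored));
```

A salt removes the precomputed table; it does not make a dictionary word a strong password, which is why the slow algorithm in `password_hash()` matters as well.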
