> Actually it's not a good idea to do md5 sum on md5 hash, this decreases
> security. The outer md5 operates on a string with constant length and
> that's bad.

Of course! I should have seen that. The available pool of hashes is limited
to a certain range. I'll forgo the outer hash, and just stick to the inner
hash of just the password + salt.

Thanks!

--
Eric Marden

-----Original Message-----
From: Martin Martinov [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 1:38 PM
To: Eric Marden
Cc: [email protected]
Subject: Re: [fw-general] best practice for "Remember Me"

On 01/04/2008, Eric Marden <[EMAIL PROTECTED]> wrote:
> There are two parts of the process:
>
> 1) Setting the cookie
> 2) Logging in via the cookie
>
> For a similar feature in my ZF App, I just used the normal php
> setcookie() function. My cookie contains the user's username, and a
> properly salted hash of the password. To create the hash, I used a
> function similar to this:
>
> md5(md5('password'.'secret_salt'))

Actually it's not a good idea to do md5 sum on md5 hash, this decreases
security. The outer md5 operates on a string with constant length and
that's bad.

>
> Your passwords should be stored in the db using the same hash format.
>
> And while not 100% secure, most brute force and rainbow table attacks
> can be thwarted because the salt used, which should be a random
> sequence of characters that only you and the other developers know,
> should be enough to keep unwanted users from cracking the
> password. Also, because cookies are hard to spoof, since they can
> only be read by the domain that set them, it should be reasonably
> secure for most applications (if you are working on a banking app, or
> something else that is highly sensitive, then you shouldn't be adding
> this feature, and should consider more secure 2-factor authentication
> schemes or even a client certificate, etc).
>
> You will then need to modify your login code to support logging in
> from the cookie. I use the same function in my User model for both,
> but have a parameter that tells the function 'how' it should
> operate... In other words, am I getting a password that is hashed or
> in plain text. It should also have a feature to set the cookie, if
> the remember me box was checked.
>
> You'll still need something that kicks off the auto-login via cookie.
> I put mine in the same function that gets called to check if the user
> session is valid. Personally I only call this function when a page is
> requested that requires a logged-in user. If you want the site to
> recognize the user right away - regardless of where / when the user
> entered the site, you could put it in your init() function or
> somewhere else convenient. This part is kind of up to you, as it will
> shape the user experience.
>
> Hope this gets you started.
>
>
>
> --
> Eric Marden
> Sr. PHP Developer
>
>
> -----Original Message-----
> From: darren [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 01, 2008 11:20 AM
> To: [email protected]
> Subject: [fw-general] best practice for "Remember Me"
>
> Newbie Alert:
>
> I would like to create a way for users to stay logged in for extended
> periods of time (like 2 to 12 weeks) as you might expect with a
> "Remember Me" checkbox. I have a decent amount of experience with
> PHP, but not too much with either ZF or sessions and cookies. I
> thought I could just use the rememberMe() method with Zend_Session.
> But, that seems to only work for smaller time intervals because I can
> only effectively set it for a couple of seconds to a few minutes.
> Setting it to anything like hours seems to make it default to about
> 20 minutes or so. I'm thinking Zend_HTTP_Cookies with Zend_Auth
> might be the ticket.
>
> I can read (and have been reading) the documentation on each module.
> But, I don't quite grasp the idea of how they should be glued together
> to achieve what I want to do. And, for the life of me, I can't find an
> example anywhere.
>
> So, could someone steer me in the right direction? Maybe an example
> or tutorial somewhere? Or, if someone could just tell which
> classes/modules I should be using, I could probably run with that.
>
> Thanks,
> Darren
>

--
Regards,
Martin Martinov
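As an added example that is not code from the thread or from Zend Framework, here is a "Remember Me" design that puts a random token in the cookie rather than the salted password hash, so a stolen cookie or a leaked table can be revoked without touching the user's password. The names `$store`, `issueRememberToken` and `checkRememberToken` are chosen for this illustration, and `$store` stands in for a database table.

```php
<?php
// Added example, not from the thread: a remember-me cookie carrying a random
// selector:validator token instead of the password hash. Only a hash of the
// validator is stored, so a leaked table yields no usable cookies and a stolen
// cookie is revoked by deleting its row. $store is a hypothetical stand-in table.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 14 * 24 * 3600;   // two weeks, inside the 2-12 week range asked for

// Issue a token for $username and store only its hash. Returns the cookie value.
function issueRememberToken(array &$store, string $username): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $store[$selector] = [
        'user'    => $username,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Validate a presented cookie value; returns the username, or null to fall
// back to the normal login form.
function checkRememberToken(array &$store, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        unset($store[$selector]);             // expired: clean up the row
        return null;
    }
    // Constant-time comparison, so a guessed selector leaks nothing via timing.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($store[$selector]);             // bad validator: treat as theft, revoke
        return null;
    }
    return $row['user'];
}

// When the "remember me" box was checked at login:
$store = [];
$value = issueRememberToken($store, 'darren');
setcookie(REMEMBER_COOKIE, $value, ['expires' => time() + REMEMBER_TTL,
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
// On a later request: $user = checkRememberToken($store, $_COOKIE[REMEMBER_COOKIE] ?? '');
```

The `secure`, `httponly` and `samesite` options limit where the browser will send the cookie, which matters because whoever holds the cookie value holds the login for the token's lifetime.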
