douxie1692 2014-01-17 01:57
Views: 262
Accepted

Cookie encryption/decryption

I have a website where the user can choose for the website to "remember me" (AKA set a cookie) and, per advice on this website, I switched my password encryption in the database to PHP's password_hash() function. Now I can't just compare any old hash to one another, so I use PHP's password_verify(). password_verify() requires plaintext and a password hash.

How can I store the user's password in a browser cookie without it being plaintext?


1 answer

  • dongwen7423 2014-01-17 02:09

    Storing the password in the cookie itself is a really bad idea, don't do that.

    At a very high level, I would:

    1. Generate a token (with something like md5) that consists of a couple unique (yet consistent) attributes for this user
    2. Store both the user ID and this token in the cookie (separated by some known delimiter)
    3. When the user visits your site, you can split out the ID and the token
    4. Use the ID to fetch the user record from the database, create a new token from the DB record, and compare with the cookie token

    So let's walk through this briefly. Say $hash is the password hash stored in the database, and you also have $userId and $username variables for this user.

    I would generate a cookie that looks something like this:

    $token = md5($userId . $username . $hash);
    $cookie = $userId . "|" . $token; // 1|XXXXXXXX  (same variable as above; PHP variable names are case-sensitive)
    

    Now when a user visits your site and you retrieve this cookie:

    $parts = explode("|",$cookie);
    $userId = $parts[0];
    $token = $parts[1];
    

    Now you know who the user is claiming to be, but you need to verify.

    Fetch the user record from the database, and then regenerate the token and compare.

    // Assuming you just ran a SELECT query, and fetched the result into `$row`
    $dbToken = md5($row['userId'] . $row['username'] . $row['hash']);
    // hash_equals() (PHP 5.6+) compares the two strings strictly and in constant time;
    // a loose == would treat two hex strings that both start with "0e" as equal numbers
    if(hash_equals($dbToken, $token)) {
        // The user is who he claims to be! Log them in
    } else {
        // The cookie token didn't match our re-generated token, don't trust this cookie
    }
    

    Make sense? You will likely need to modify this a bit for your situation. Hopefully this helps get you going in a good direction at least.

    This answer was accepted by the asker.
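The four-step scheme from the answer above, worked through end to end as an added example (this is not the answerer's code). It keeps the `userId|token` layout and the lookup-then-recompute check, but feeds the same three fields to HMAC-SHA256 under a server-side secret instead of md5, so a copy of the database row alone is not enough to mint a valid cookie, and it rejects malformed cookies and unknown ids explicitly. `$USERS`, `REMEMBER_ME_SECRET`, `findUser()`, `makeToken()`, `makeCookie()`, `verifyCookie()` and `describe()` are all names assumed for this example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not the original answer's code. Stand-ins (assumptions):
//   $USERS              - an array playing the role of the users table
//   REMEMBER_ME_SECRET  - placeholder for a secret generated once (e.g. bin2hex(random_bytes(32)))
//                         and kept in configuration, never in the database

const REMEMBER_ME_SECRET = 'PLACEHOLDER-replace-with-bin2hex(random_bytes(32))';

// Constructed sample data: one user row, password hashed with password_hash() as in the question
$USERS = [
    1 => [
        'userId'   => 1,
        'username' => 'alice',
        'hash'     => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ],
];

function findUser(array $users, int $userId): ?array
{
    return $users[$userId] ?? null;
}

// Step 1: a token from attributes that stay constant until the password changes.
// The answer used md5($userId . $username . $hash); here the same fields go through
// HMAC-SHA256 under a server-side secret, so the token cannot be rebuilt from a
// leaked database row alone. "\0" separators keep the field boundaries unambiguous.
function makeToken(array $row): string
{
    $material = $row['userId'] . "\0" . $row['username'] . "\0" . $row['hash'];
    return hash_hmac('sha256', $material, REMEMBER_ME_SECRET);
}

// Step 2: the cookie value is "userId|token". In a real handler send it with
// setcookie('remember', $value, ['expires' => ..., 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
function makeCookie(array $row): string
{
    return $row['userId'] . '|' . makeToken($row);
}

// Steps 3 and 4: split the cookie, look the user up, recompute the token, compare.
// Returns the user row when the cookie verifies, null otherwise.
function verifyCookie(string $cookie, array $users): ?array
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2 || preg_match('/^[0-9]+$/', $parts[0]) !== 1) {
        return null; // malformed: no delimiter or non-numeric id
    }
    $row = findUser($users, (int) $parts[0]);
    if ($row === null) {
        return null; // unknown user id
    }
    // hash_equals(): strict, constant-time comparison (a loose == would type-juggle "0e..." strings)
    return hash_equals(makeToken($row), $parts[1]) ? $row : null;
}

function describe(string $label, ?array $result): void
{
    echo $label, ': ', $result === null ? 'rejected' : 'accepted as ' . $result['username'], PHP_EOL;
}

$cookie = makeCookie($USERS[1]);
describe('genuine cookie       ', verifyCookie($cookie, $USERS));
describe('tampered token       ', verifyCookie('1|deadbeef', $USERS));
describe('unknown user id      ', verifyCookie('42|' . makeToken($USERS[1]), $USERS));
describe('malformed cookie     ', verifyCookie('no-delimiter-here', $USERS));

// A password change replaces the stored hash, so every cookie issued before it stops verifying
$USERS[1]['hash'] = password_hash('a new password', PASSWORD_DEFAULT);
describe('after password change', verifyCookie($cookie, $USERS));
```

Save it as remember.php and run `php remember.php`. Because the token is derived from the stored password hash, changing the password invalidates every outstanding remember-me cookie for that user, which the last two lines demonstrate; the cookie is still a bearer credential, so it belongs on a Secure, HttpOnly cookie with an expiry, as the setcookie() comment shows.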
